[Kazehakase-devel 2933] Re: CVE-2007-1084 bookmarklets cross-site info disclosure

Mamoru Tasaka mtasa****@ioa*****
Mon Nov 16 00:48:38 JST 2009


Yavor Doganov wrote, at 11/15/2009 10:49 PM +9:00:
> Mamoru Tasaka wrote:
>> - what is the rationale for disabling to bookmark uri beginning with
>>   "data:"?
> 
> The rationale is explained at http://lcamtuf.coredump.cx/ffbook:

I already saw the URL, however still I fail to understand the
rationale.

> 
> Note that with my patch it is still possible to add a data: or
> javascript: bookmark if the user consciously edits manually the
> bookmark (there is probably useful and non-dangerous application of
> this functionality, if the user really knows what he's doing).  

If it is possible to add the uri manually anyway, I don't see the necessity
of the patch.

> The
> "security" context of allowing this via Bookmarks -> Add to bookmarks
> menu is that a webpage can easily trick the user of semi-accidentally
> adding a bookmark with subsequent malicious effects as described in
> the third paragraph above.

... But when bookmarking the uri, the user is seeing the uri once anyway?

>> I have Fedora 12 i686 system and even with firefox 3.5.5
>>   I can bookmark such uri (i.e. uri beginning with data:)
> 
> All versions of Firefox are vulnerable, yes.  Mozilla people seem to
> agree, the relevant upstream bug is (I believe):
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=528772

Yes, so it means that firefox people are refusing the proposition?
(and the original bug is https://bugzilla.mozilla.org/show_bug.cgi?id=371179 )



