Resent as I realised I'm not subscribed here Michal Zalewski wrote: > I can't really comment on whether > this fixes the problem once and for all, because I haven't really examined > the changes implemented for 364692, but yeah, my example no longer crashes > the browser for me.
I think there are still underlying problems in the code as the following illustrates: 1. Put this in a web page, then view it in firefox. <html> <body onunload="location = self.location"> <a href="http://slashdot.org/">http://slashdot.org/</a> </body> </html> 2. Click on the link which should take you to slashdot and you'll end up back where you were (this has been known about for ages). 3. Now do 'View Source' and you get shown the sourcecode to slashdot rather than the source code for the page you're viewing. Actual Results: View source displays the contents of the wrong site Expected Results: I'd expect to see the source code for the page I'm viewing. A web page could trigger the link itself using DOM events (or naviagate away using javascript form submission) and use this technique to hide the source code of a malicious page from the user. I did a quick check that document.cookie wasn't chcking the wrong URL, but I have not checked extensively which other parts of the browser can be spoofed in this fashion. I reported this via bugzilla, but it was closed as a duplicate of bug 253497 which was reported in 2004. Cheers Rich. -- Richard Moore, Principal Software Engineer, Westpoint Ltd, Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England Tel: +44 161 237 1028 Fax: +44 161 237 1031 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/