> A minor security vulnerability exists in the way that Firefox handles
> cross-domain image dragging. Dragging an image into the address bar will
> cause Firefox to navigate to the image url even if it is a javascript
> url and the page to be navigated from is in a different domain than the
> page on which the image is shown. This may potentially allow attackers
> to steal cookies, etc.
Just one question: what could possibly compel someone to drag a
broken image into their browser's location bar? I'm not trying to be a
wiseguy. I'm honestly puzzled as to why anyone would take an obviously
broken image and drag it into the browser location bar.
Side note: the behavior you describe is the same if one
right-clicks Javascript "image" and selects "View Image" from the pop-up
dialog.
> User Reccomendations:
> Do not drag images into the address bar.
...or hyperlinks. Those too can be obfuscated via Javascript, and
they can also be dragged into the location bar.
- -Jay
( ( _______
)) )) .-"There's always time for a good cup of coffee"-. >====<--.
C|~~|C|~~| (>----- Jay D. Dyson -- jdyson (at) treachery (dot) net [email concealed] -----<) | = |-'
`--' `--' `-I just started World War III. You're welcome.-' `------'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.
Hash: SHA1
On Fri, 26 Feb 2005, Paul wrote:
> A minor security vulnerability exists in the way that Firefox handles
> cross-domain image dragging. Dragging an image into the address bar will
> cause Firefox to navigate to the image url even if it is a javascript
> url and the page to be navigated from is in a different domain than the
> page on which the image is shown. This may potentially allow attackers
> to steal cookies, etc.
Just one question: what could possibly compel someone to drag a
broken image into their browser's location bar? I'm not trying to be a
wiseguy. I'm honestly puzzled as to why anyone would take an obviously
broken image and drag it into the browser location bar.
Side note: the behavior you describe is the same if one
right-clicks Javascript "image" and selects "View Image" from the pop-up
dialog.
> User Reccomendations:
> Do not drag images into the address bar.
...or hyperlinks. Those too can be obfuscated via Javascript, and
they can also be dragged into the location bar.
- -Jay
( ( _______
)) )) .-"There's always time for a good cup of coffee"-. >====<--.
C|~~|C|~~| (>----- Jay D. Dyson -- jdyson (at) treachery (dot) net [email concealed] -----<) | = |-'
`--' `--' `-I just started World War III. You're welcome.-' `------'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.
iD8DBQFCILecBYoRACwSF0cRApf9AKCvKMjf9qrVp/JYHeoL0W4an/a0UgCfXD/q
UVjg8Q/gb6If85CD7SRgEqU=
=Tsr9
-----END PGP SIGNATURE-----
[ reply ]