The diary and photos of Chris Beach. I'm into windsurfing, coding, badminton, drawing and composing music using computers and synths.

Let's start with a quote:
"I contend that we are both atheists. I just believe in one fewer god than you do. When you understand why you dismiss all the other possible gods, you will understand why I dismiss yours" Stephen Roberts

email: password:

a bug-fixing farce

Mozilla have spent almost five years trying to solve the XUL spoofing vulnerability that affects their browsers. This hole affects the much-hyped Firefox, due for release this month. I've been having an look through Bugzilla to see how they're progressing:

Bug 22183, first raised in 1999:

There is a security vulnerability which allows window spoofing by using
downloadable XUL.

Bug 252198 (duplicate):


Reproducible: Always

Steps to Reproduce:
1. Go to any site with some deceptive XUL files
2. Enter credit card number
3. p0wnd!

Actual Results:
The default installation of Firefox will display a spoofed login page so real that even seasoned Firefox users will have trouble seeing the evil.
2004-07-19: Confirmed, scary...Pascal Chevrel

2004-07-19: IMO it's at least criticalOleg Sidletskiy

And let's see how 22183 is doing:

2002-11-26: I get the impression from comments in this bug that 'any code is better than no code, so we should check this in" (my paraphrase). That's clearly wrong; just as a matter of historical fact, Mozilla has had "too much code" in too many areas where it would have been better to do less, well. We're still digging out from under the combined weight in human and footprint/performance terms of such code.Brendan (Mozilla Org)
2002-12-03: Do you really think that adding some lame-ass text to the window title bar is going to make even the slightest bit of difference, other than making us look like freaky geek morons?

Please, leave the uber-paranoia to Beonex, and let's get on with the REAL problems with our browser.Ian Hixie

I shudder to think what the "REAL" problems might be...

2002-12-03: We already say [Javascript Application] on alerts, we already allow the user to disable the disabling of the status bar, and so forth. Without making ourselves the laughing stock of the Web browser implementer community, there is little more we can do.Ian Hixie
2003-02-22: I fail to see how we can _ever_ fix this problem.Ian Hixie
2004-08-03: We can't fix these issues piecemeal, with different people fixing UI elements in different bugs. Someone needs to make a coherent decision and I believe that someone is Ben, at least for Firefox.Robert O'Callahan
2004-08-05: I am weary of allowing websites to display XUL at all, except maybe in a jailed environment as it seems a likely avenue for a security exploitKris Maglione

.. but hold on, isn't your browser UI built entirely from XUL? Would seem a shame to trash your own enabling technology.

The wonders of collaborative open-source development, eh? At least I've seen some recent references to Microsoft's innovative SP2 features, so hopefully they have a good role-model and a target to finally aim for..

written by Chris Beach
07/09/04 2:03am
(13 years, 7 months ago)
comment 3 comments

photoadd photo

 15 links more journal entries from tech journal