Jack Z

Email conversation

From: Jack Z
To: Me
Subject: programmatically fire events
Date: 11 September 2008 05:34

Hello Mark,

As with everyone else, I am very impressed at your tutorials for their
details and clarity. 

I just have a simple question: in your DOM events tutorial, you mentioned
that when manually firing events, for security reasons the default action
is not executed. However, I just want to confirm to you that this is not the
case in Firefox (2/3, not sure about 1). I haven't tested the focus event,
but definitely for OnKeyPress and OnClick events, you can actually use
javascript to populate input boxes and click on buttons using these events
(in FF). In IE however, these default actions do not get fired. Of course,
you can get around this with element.click() or just use javascript to
modify element.value. So I don't really agree with you when you say it's a
security issue (after all, it is your page, so you won't get to gain much by
simulating UI events).

Regards,
Jack

From: Me
To: Jack Z
Subject: Re: programmatically fire events
Date: 11 September 2008 07:58
Attachment: simple demo

Jack,

> for OnKeyPress and
> OnClick events, you can actually use javascript to populate input
> boxes and click on buttons using these events (in FF)

This sounds quite scary and broken, but simple testing did not show this
behaviour. I have attached a simple demo that shows that keypress does not
populate the input. If you have any tests that show otherwise, I would be
extremely interested in seeing them.

The reasons that this could be a security issue are quite simple. Imagine
these scenarios:

1. A page containing 1 input. JavaScript focuses the input. JavaScript
simulates the keypress event for the 'Tab' key. The address bar would now be
focused in Firefox if this were a real keypress. JavaScript fires the events
for the following keys, targeting the window object:
h, t, t, p, :, /, /, w, w, w, ., y, o, u, r, b, a, n, k, ., c, o, m, /
If that actually appeared in the address bar, then you would have a security
issue allowing you to spoof the page address.

2. A page containing an iframe, which loads your bank's website. JavaScript
fires a click event at the coordinates that place it over an input in the
iframe (say, a form field for 'transfer money to this account'). JavaScript
then fires key events in various sequences, targeting the iframe's window
object, that cause desired writing to appear in the form field. This causes
money to be transferred to an attacker's account.

I hope you can see the problems from those. Neither should be possible, and
to my knowledge, neither of those are possible, due to manually firing
events not actually creating the associated default action.

But please, if you have found something I have not found, send it to me for
analysis, because it is possible there is a serious bug here.


Mark 'Tarquin' Wilton-Jones - author of http://www.howtocreate.co.uk/

From: Jack Z
To: Me
Subject: Re: programmatically fire events
Date: 11 September 2008 14:39
Attachment: simple demo

Hello Mark,

I don't have time to comment on your scenarios (I am late for work :) but I
quickly modified your demo to make it work on my FF3 on Vista.

Thanks,
Jack

From: Me
To: Jack Z
Subject: Re: programmatically fire events
Date: 11 September 2008 17:01

Jack,

> I don't have time to comment on your scenarios (I am late for work :)
> but I quickly modified your demo to make it work on my FF3 on Vista.

Thanks for that. Yes, it seems you have stumbled on a bug in Firefox. This
creation of characters and clicks certainly should not happen. I have been
through the scenarios and another one (typing in a file input could allow
upload of files) but it seems that since the bug only affects a few things,
none of the scenarios have any effect (meaning I did not find any security
issues in the process).

Note that it only affects form inputs (probably as an artefact of how they
are internally created from markup and scripts), so firing the click event
on a link does not open the link. It also seems limited only to printable
characters, so you cannot use UI shortcuts like TAB. It also cannot type in
file inputs.

It is still a bug, so since you found it, please report it to them using
their bug tracking system. I have a testcase here which you can point them
to:
http://www.howtocreate.co.uk/mozBugs/keyeventaction.html


Tarquin

From: Jack Z
To: Me
Subject: Re: programmatically fire events
Date: 12 September 2008 03:58

Hi Tarquin,

Unfortunately, this is not a bug but a feature. Please look at the [Firefox
1.5.0.2 changelog], which said that bug 303713:
https://bugzilla.mozilla.org/show_bug.cgi?id=303713
(textbox.dispatchEvent(keyEvent) no longer adds character to textbox in
Firefox 1.0.6.) is fixed. This means that dispatchEvent should in fact
trigger simulated key strokes. However, in the original example that you
showed me, you invoked a keypress event and no character was entered into
textbox. That behaviour should in fact be a bug, and you are the one who
discovered it ;)

Regards,
Jack

From: Me
To: Jack Z
Subject: Re: programmatically fire events
Date: 15 September 2008 21:30

Jack,

> Unfortunately, this is not a bug but a feature.

Oh dear. So once again, Mozilla are deliberately breaking the spec and
being incompatible with all other browsers. Intentional or not, that is
not useful for anybody. The mistaken bug should be set to invalid, and
the issue fixed properly. Oh well, they have a habit of breaking spec
like this for no good reason except to maintain old mistakes and treat
them as features. This would not be acceptable if it were any other
browser, and it really should be no different for Mozilla either.

I am not going to push this further, though you really should, since it is
definitely a bug. I just hate that Mozilla are allowed to get away with
creating pointless incompatibilities, that invariably cause problems for
other browsers.
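
The thread turns on whether script-generated events are treated like real user input. As an added example that is not part of the original correspondence, the sketch below shows a page-side guard built on the DOM `Event.isTrusted` flag, which the emails do not mention; `trustedOnly`, the button target and the "transfer" action are hypothetical names used for illustration.

```javascript
// Added example, not code from the thread. Runs in a browser or in Node.js.

// Wrap a handler so it only acts on events generated by the user agent.
// Events created by script and sent through dispatchEvent() carry
// isTrusted === false; the wrapper counts them and does nothing else.
function trustedOnly(handler, stats = { rejected: 0 }) {
  const guarded = function (event) {
    if (!event || event.isTrusted !== true) {
      stats.rejected += 1;
      return undefined;
    }
    return handler.call(this, event);
  };
  guarded.stats = stats;
  return guarded;
}

// Constructed demo: a hypothetical "transfer" button modelled as a bare
// EventTarget, so the same code runs without a DOM.
function demo() {
  const button = new EventTarget();
  const transfers = [];
  const onClick = trustedOnly(() => transfers.push('transfer submitted'));
  button.addEventListener('click', onClick);

  // A click built and fired by script, as in the scenarios discussed above.
  const synthetic = new Event('click', { cancelable: true });
  button.dispatchEvent(synthetic);

  return {
    syntheticIsTrusted: synthetic.isTrusted,
    transfers: transfers.length,
    rejected: onClick.stats.rejected,
  };
}
```

In a browser, a real mouse click reaches the wrapped handler with `isTrusted` set to true, while a click produced by `dispatchEvent()` or `element.click()` is counted in `stats.rejected` and ignored.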
This site was created by Mark "Tarquin" Wilton-Jones.