Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

Avatar for Username

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

话题已存档。 如果需要帮助请提出新问题。

Probable security leak in v.10. called "Aurora".

  • 2 个回答
  • 1 人有此问题
  • 3 次查看
  • 最后回复者为 genuslupae

genuslupae
genuslupae
more options

See screenshot Then one logged in to Google sites account, and then opens http://genuslupae.co.nr/ which is third-party framed re-director to my own Google site, Aurora mixes http top frame with https child frame with private Google logged user data, at least e-mail address. security.warn_viewing_mixed is set to true. MSIE 8 do not warns me also, but it shows HTTP, not HTTPS, as properly asked by my top frame:

<frameset rows="100%,*" frameborder="NO" border="0" framespacing="0"> <frame name="conr_main_frame" src="http://sites.google.com/site/repertiziani/"> </frameset>

[http://plus.google.com/u/0/photos/116651664550077808951/albums/5684898762064588369/5684898760770226818 See screenshot] Then one logged in to Google sites account, and then opens http://genuslupae.co.nr/ which is third-party framed re-director to my own Google site, Aurora mixes http top frame with https child frame with private Google logged user data, at least e-mail address. security.warn_viewing_mixed is set to true. MSIE 8 do not warns me also, but it shows HTTP, not HTTPS, as properly asked by my top frame: &lt;frameset rows="100%,*" frameborder="NO" border="0" framespacing="0"&gt; &lt;frame name="conr_main_frame" src="http://sites.google.com/site/repertiziani/"&gt; &lt;/frameset&gt;

由genuslupae于修改

被采纳的解决方案

NO WAY!

While one (top frame owner) tries to access they "own" frames collection via javaScript located in the header section or in the event call string, it will be stopped just after window.frames[0]!

[20:29:53.186] Error: Permission denied to access property 'document'

love Aurora

定位到答案原位置 👍 0

所有回复 (2)

genuslupae
genuslupae 提问者
more options

O.K., You had The Chance, guys.

genuslupae
genuslupae 提问者
more options

选择的解决方案

NO WAY!

While one (top frame owner) tries to access they "own" frames collection via javaScript located in the header section or in the event call string, it will be stopped just after window.frames[0]!

[20:29:53.186] Error: Permission denied to access property 'document'

love Aurora