Kurt McKee

lessons learned in production


Hey there! This article was written in 2007.

It might not have aged well for any number of reasons, so keep that in mind when reading (or clicking outgoing links!).

Firefox! Stop locking things down!

Posted 9 January 2007 in firefox, northwestern-university, security, software, webmail, and xss

A while back, Aaron noted that my Webmail Enhancer script wasn't working anymore. Tonight I finally looked into the situation, and the results have not been pleasing.

I got it working again, but there are some pretty serious Firefox changes that appear to have crippled the Northwestern Directory / Webmail integration.

In the past, I was able to defeat Cross-Site Scripting security by doing filthy redirects. For the uninitiated, the idea is that if my website, kurtmckee.org, opens a new window to yourbank.com, the kurtmckee.org window should not be able to access anything in the yourbank.com window. If my website opens a new window to my own website, there's really no problem sharing information from kurtmckee.org to kurtmckee.org. Therefore, I had Webmail open a new window to the Directory. When the Directory found the person you were looking for, it would store some information and redirect back to Webmail, thus allowing the two windows to exchange the necessary information.

Apparently there are new protections in Firefox: as soon as the redirection occurs, all communication between the two windows is permanently severed. Oh noes! You can read more about what I believe the problem is over at Spyder's blog.

I'm going to keep looking into the situation as I have time; it's possible that Greasemonkey has a method for transferring the information, or maybe cookies will work, or perhaps something else entirely will occur to me.

☕ Like my work? I accept tips!