WYCIWYG: Difference between revisions

From Wikipedia, the free encyclopedia
→‎Usage: URI scheme names do not include colons. <tt> → <code>. Expand acronym.
CosineP (talk | contribs)
m →‎Security issues: "Citation needed" flag placed where previous citation covers content. Moved citation and removed flag.
Line 10: Line 10:
==Security issues==
==Security issues==


In 2007 [[Michał Zalewski]] reported<ref>[http://web.archive.org/web/20070907160824/http://lcamtuf.coredump.cx/ffcache/ Firefox wyciwyg:// cache vulnerability demo – Michal Zalewski]</ref> that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents. It was possible at that time to access <tt>wyciwyg://</tt> documents without proper same domain policy checks. This could have enabled an attacker to steal sensitive data, {{citation span|text=perform [[cache poisoning]] and execute their own code or display own content with URL bar and [[SSL certificate]] data of the original page ([[URL spoofing]]).|date=July 2015}} This was fixed in [[Firefox]] 2.0.0.5 and [[SeaMonkey]] 1.1.3.<ref>[http://www.mozilla.org/security/announce/2007/mfsa2007-24.html Mozilla Foundation Security Advisory 2007-24: Unauthorized access to wyciwyg:// documents]</ref>
In 2007 [[Michał Zalewski]] reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents. It was possible at that time to access <tt>wyciwyg://</tt> documents without proper same domain policy checks. This could have enabled an attacker to steal sensitive data, perform [[cache poisoning]] and execute their own code or display own content with URL bar and [[SSL certificate]] data of the original page ([[URL spoofing]]).<ref>[http://web.archive.org/web/20070907160824/http://lcamtuf.coredump.cx/ffcache/ Firefox wyciwyg:// cache vulnerability demo – Michal Zalewski]</ref> This was fixed in [[Firefox]] 2.0.0.5 and [[SeaMonkey]] 1.1.3.<ref>[http://www.mozilla.org/security/announce/2007/mfsa2007-24.html Mozilla Foundation Security Advisory 2007-24: Unauthorized access to wyciwyg:// documents]</ref>


==References==
==References==
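
Review bot: In the added Security issues paragraph, the Zalewski reference now follows "([[URL spoofing]])", so one citation is carrying both the original report and the full impact list (data theft, cache poisoning, code execution, URL spoofing). The edit summary says the previous citation covers that content; consider stating in the summary or on the talk page that the demo page supports each of those impacts, or placing the MFSA 2007-24 reference beside it if the advisory is the source for part of the list. Separately, this line still uses <tt>wyciwyg://</tt> while the preceding edit to the Usage section replaced <tt> with <code>; converting it here would keep the markup consistent across the article.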

Revision as of 01:16, 10 April 2016

WYCIWYG is an acronym that stands for What You Cache Is What You Get, commonly displayed in the address bar of Gecko-based Web browsers like Mozilla Firefox as wyciwyg:// when the Web browser is retrieving cached information.

The term WYCIWYG is a play on the acronym WYSIWYG ("What You See Is What You Get").

Usage

Mozilla Firefox implements a registered, strictly internal wyciwyg uniform resource identifier (URI) scheme to sort and later reference locally cached pages that were generated or modified by a script on the client side (a common practice for Web 2.0 sites).

Security issues

In 2007 Michał Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents. At that time, wyciwyg:// documents could be accessed without proper same-origin policy checks. This could have enabled an attacker to steal sensitive data, perform cache poisoning, and execute their own code or display their own content with the URL bar and SSL certificate data of the original page (URL spoofing).[1] This was fixed in Firefox 2.0.0.5 and SeaMonkey 1.1.3.[2]

References