Closed
Bug 1225053
Opened 9 years ago
Closed 9 years ago
gfxSVGGlyphs.cpp should use correct origin attributes to create principal
Categories
(Core :: Graphics, defect)
Core
Graphics
Tracking
()
RESOLVED
FIXED
mozilla47
People
(Reporter: allstars.chh, Assigned: allstars.chh)
References
Details
(Whiteboard: gfx-noted[OA])
Attachments
(1 file)
|
(deleted),
patch
|
eflores
:
review+
eflores
:
feedback+
|
Details | Diff | Splinter Review |
see jonas' comment from https://bugzilla.mozilla.org/show_bug.cgi?id=1209162#c27
|
||
Updated•9 years ago
|
Whiteboard: gfx-noted
|
Assignee | |
Updated•9 years ago
|
Blocks: nsec-origins
|
||
Updated•9 years ago
|
Blocks: createCodebasePrincipal
|
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → allstars.chh
|
|
Assignee | |
Updated•9 years ago
|
Summary: gfxSVGGlyphs.cpp should use correct principal → gfxSVGGlyphs.cpp should use correct origin attributes to create principal
|
|
Assignee | |
Comment 1•9 years ago
|
||
PrincipalOriginAttributes will be initialized with default value, appId=0 and inBrowser=false.
And gfxSVGGlyphsDocument seems not related to any origin attributes-specific things,
so the code in https://dxr.mozilla.org/mozilla-central/source/gfx/thebes/gfxSVGGlyphs.cpp#351 should be no harm,
Jonas, do you agree?
Thanks
Flags: needinfo?(jonas)
If the gfxSVGGlyphsDocument makes any network requests (to download subresources) we'll need it to have the right origin attributes so that it uses the right cookies when making those network requests.
Similarly if the document does any sort of permission checks, we'll want to make sure that those checks use the right permissions.
In general, I would be very worried that if we have an incorrect principal here we'll end up in trouble either now or in the future. It just feels very unsafe to do.
If we truly don't think that this document will ever need to make network requests or check permissions, then we should use a nullprincipal instead.
Flags: needinfo?(jonas)
|
|
Assignee | |
Comment 3•9 years ago
|
||
Hi, Edwin
You changed to use a non-null principal back in bug 801467, and now I tried to move the null principal back and the tests looks okay, can you help to check if we can use null principal now?
Thanks
Attachment #8721231 -
Flags: feedback?(edwin)
Comment on attachment 8721231 [details] [diff] [review]
Patch
Review of attachment 8721231 [details] [diff] [review]:
-----------------------------------------------------------------
(In reply to Yoshi Huang[:allstars.chh] from comment #3)
> You changed to use a non-null principal back in bug 801467, and now I tried
> to move the null principal back and the tests looks okay, can you help to
> check if we can use null principal now?
Hm, no idea why I did that. This makes sense AFAICT from the spec, which states that rendering be done with "no script execution, external references, interactivity, or link traversal."
Attachment #8721231 -
Flags: feedback?(edwin) → feedback+
|
|
Assignee | |
Comment 5•9 years ago
|
||
|
|
Assignee | |
Comment 6•9 years ago
|
||
Comment on attachment 8721231 [details] [diff] [review]
Patch
Review of attachment 8721231 [details] [diff] [review]:
-----------------------------------------------------------------
Hi Edwin
Ask for r? for the same patch, as it looks changing to use null principal should be enough.
I'd change patch subject later.
Thanks
Attachment #8721231 -
Flags: review?(edwin)
Attachment #8721231 -
Flags: review?(edwin) → review+
|
|
Assignee | |
Comment 7•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/e46b452357990be9b9838e13086e277bedda077b
Bug 1225053 - use null principal in gfxSVGGlyphs.cpp r=edwin
|
||
Comment 8•9 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox47:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
|
|
||
Updated•9 years ago
|
Whiteboard: gfx-noted → gfx-noted[OA]
You need to log in
before you can comment on or make changes to this bug.
Description
•