Closed Bug 127697 Opened 23 years ago Closed 18 years ago

nsDocShell::mValidateOrigin is never set

Categories

(Core :: Security, defect)

defect
Not set
critical

RESOLVED FIXED

People

(Reporter: adamlock, Assigned: security-bugs)

References

(Blocks 1 open bug)

Details

I noticed a potentially serious problem while fixing up some scheme comparison
code in SameOrSubdomainOfTarget() in nsDocShell.cpp for bug 126432.

I have noticed that this code only gets called if mValidateOrigin is PR_TRUE but
it isn't. In fact mValidateOrigin never gets initialised at all!

Potentially, mValidateOrigin should be set in the nsDocShell constructor by
reading the pref "browser.frame.validate_origin" but this pref does not exist so
presumably mValidateOrigin contains garbage.

So there is a security issue here. What should be done? My guess is that 
"browser.frame.validate_origin" should exist in all.js and mValidateOrigin
should default to PR_TRUE. Also if this code path has not been triggered for a
while it should be re-verified to ensure it is working properly.

Blocks: 126432

Patch in bug 126432 sets mValidateOrigin to PR_TRUE during construction.

This was fixed by the changes in bug 246923.

Status: NEW → RESOLVED
Closed: 18 years ago
Depends on: 246923
Resolution: --- → FIXED
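
The failure mode discussed in this bug, shown as an added example that is not Mozilla's code: a flag gating an origin check is set on every construction path and falls back to "validate" when the pref is absent. `FrameShell`, `Prefs`, `GetBoolPref`, `kValidatePref` and the simplified `SameOrSubdomain` below are hypothetical stand-ins; only the pref name and the member name come from the report.

```cpp
#include <map>
#include <string>

// Hypothetical stand-in for a preference store; not Mozilla's pref API.
using Prefs = std::map<std::string, bool>;
const char* const kValidatePref = "browser.frame.validate_origin";

// Returns the pref value, or `fallback` when the pref does not exist.
bool GetBoolPref(const Prefs& prefs, const std::string& name, bool fallback) {
    auto it = prefs.find(name);
    return it == prefs.end() ? fallback : it->second;
}

// Simplified host check (illustration only): origin equals target or is a
// dot-separated subdomain of it.
bool SameOrSubdomain(const std::string& origin, const std::string& target) {
    if (origin == target) return true;
    if (origin.size() <= target.size() + 1) return false;
    std::string::size_type cut = origin.size() - target.size();
    return origin[cut - 1] == '.' && origin.compare(cut, target.size(), target) == 0;
}

class FrameShell {  // hypothetical class standing in for the docshell
public:
    // The member is set on every construction path; a missing pref
    // resolves to "validate" instead of leaving the flag indeterminate.
    explicit FrameShell(const Prefs& prefs)
        : mValidateOrigin(GetBoolPref(prefs, kValidatePref, true)) {}

    bool ValidatesOrigin() const { return mValidateOrigin; }

    // The origin check is skipped only when the pref explicitly disables it.
    bool MayTarget(const std::string& originHost, const std::string& targetHost) const {
        if (!mValidateOrigin) return true;
        return SameOrSubdomain(originHost, targetHost);
    }

private:
    bool mValidateOrigin = true;  // in-class default as a second safeguard
};

int main() {
    FrameShell shell{Prefs{}};  // constructed input: pref absent, as in the report
    bool ok = shell.ValidatesOrigin() &&
              shell.MayTarget("mail.example.com", "example.com") &&
              !shell.MayTarget("evil.test", "example.com");
    return ok ? 0 : 1;
}
```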