Closed Bug 1300778 Opened 8 years ago Closed 8 years ago

RemotePageManager.jsm should not use window.document.documentURI to identify websites

Tracking

()

Status:

RESOLVED INVALID

People

(Reporter: freddy, Unassigned)

References

Details

Frederik Braun [:freddy]

Reporter

Description

•

8 years ago

Snippets of affected code: > this.messageManager.sendAsyncMessage("RemotePage:InitPort", { > portID: portID, > url: window.document.documentURI.replace(/[\#|\?].*$/, ""), > }); and > let url = window.document.documentURI.replace(/[\#|\?].*$/, ""); > if (!registeredURLs.has(url)) Christoph (in CC) said documentURI can be clobbered, so we should prefer |window.location.origin|

Frederik Braun [:freddy]

Reporter

Updated

•

8 years ago

Blocks: 1040184

Frederik Braun [:freddy]

Reporter

Comment 1

•

8 years ago

documentURI is readonly.

Status: NEW → RESOLVED

Closed: 8 years ago

Resolution: --- → INVALID

Benjamin Smedberg

Comment 2

•

8 years ago

Can this be made public then?

Flags: needinfo?(fbraun)

Frederik Braun [:freddy]

Reporter

Comment 3

•

8 years ago

Yes. The bug is invalid.

Flags: needinfo?(fbraun)

Benjamin Smedberg

Updated

•

8 years ago

Group: core-security

You need to log in before you can comment on or make changes to this bug.

Bugzilla

RemotePageManager.jsm should not use window.document.documentURI to identify websites

Categories

(Core :: DOM: Content Processes, defect)

Tracking

()

People

(Reporter: freddy, Unassigned)

References

Details

Crash Data

Security

(public)

User Story

Description

Updated

Comment 1

Comment 2

Comment 3

Updated