Closed
Bug 28443
Opened 25 years ago
Closed 25 years ago
DOM Properties should default to sameOrigin
Categories
(Core :: Security, defect, P3)
VERIFIED
FIXED
M17
People
(Reporter: norrisboyd, Assigned: security-bugs)
References
Details
(Whiteboard: [nsbeta2+])
Yes, I have examined the DOM properties. Some document properties that are now exposed for any host should be hidden; I do not see any reason for them to be accessible. I mean the following properties of the document object and propose changes to all.js:

images - collection
alinkColor
linkColor
vlinkColor
bgColor
fgColor
layers
width
height
styleSheets - collection (probably a small vulnerability).

My personal opinion is that instead of disabling access to properties in all.js it would be better to disable access to all properties and methods and allow access only to "trusted" ones (of course I mean the Same Origin policy). I do not see any reason for scripts from other hosts to have access to document and window (probably only location) objects. The last version of IE is made this way (previous versions were not that strict).
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
Reporter
Updated•25 years ago
Status: NEW → ASSIGNED
Target Milestone: M15
Assignee
Comment 3•25 years ago
Bulk reassigning most of norris's bugs to mstoltz.
Assignee: norris → mstoltz
Status: ASSIGNED → NEW
Updating [nsbeta2] to read [nsbeta2+] in Status Whiteboard.
Whiteboard: [nsbeta2][5/16] → [nsbeta2+][5/16]
Assignee
Comment 6•25 years ago
Will review...hopefully with some input from DOM folks.
Status: NEW → ASSIGNED
Assignee
Comment 7•25 years ago
Nisheeth, what do you think about setting the properties listed in this bug to SameOrigin access only? Will this break anything? Should I make this change?
Comment 8•25 years ago
I don't see anything wrong with your proposed change. Johnny and Tom, what do you guys think? CCing Vidur to see if he has any comments.
Comment 9•25 years ago
I don't see a problem with the proposal either, but one thing I noticed from reading the first comment in this bug is that the Document (nor HTMLDocument) interface in mozilla doesn't have a "layers" property. I think there used to be one even in mozilla but it's not there any more. And also, now when the DOM in mozilla has been updated to DOM Level 2 there are even more properties in almost all DOM Core interfaces (Document included) whose protection should at least be investigated. Should we include that here, or should we do that separately?
Assignee
Comment 10•25 years ago
Sure, let's add discussion here on additional DOM properties which may require protection. CCing Cathy Zhang, who is doing a systematic review of our DOM security defaults.
Comment 12•25 years ago
Putting on [nsbeta2-] radar. Removing [5/16]. Will take for RTM assuming low risk.
Assignee
Comment 13•25 years ago
Yes, it's low risk, and would greatly improve our security. I am discussing Georgi's proposal with Vidur, to make all DOM properties and methods subject to the same-origin check by default, then enumerate the (probably small) list of properties which must be cross-site accessible in the default preferences. I changed the name of the bug to reflect this plan.
Summary: DOM Properties need additional protection → DOM Porperties should default to sameOrigin
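The difference between protecting properties one by one and the default-sameOrigin plan from comment 13, as an added example that is not part of the bug or of Mozilla's code. The policy table format, function names and URLs are assumptions, and `Window.location` stands in for the cross-site list the comment leaves unspecified.

```javascript
// Model of the two policy designs discussed in this bug. The table format,
// function names and URLs are assumptions of this example, not Mozilla code.
const SAME_ORIGIN = "sameOrigin";
const ALL_ACCESS = "allAccess";

// Origin = scheme + host + port, as compared by a same-origin check.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Design 1: members are open unless listed (per-property entries).
const listedPolicy = {
  fallback: ALL_ACCESS,
  rules: Object.fromEntries(
    ["images", "alinkColor", "linkColor", "vlinkColor", "bgColor", "fgColor",
     "width", "height", "styleSheets"].map((p) => [`Document.${p}`, SAME_ORIGIN])
  ),
};

// Design 2: every member is sameOrigin unless explicitly opened.
const defaultDenyPolicy = {
  fallback: SAME_ORIGIN,
  rules: { "Window.location": ALL_ACCESS }, // hypothetical allow-list entry
};

// May script loaded from subjectUrl touch `member` of a document at objectUrl?
function canAccess(policy, member, subjectUrl, objectUrl) {
  const hasRule = Object.prototype.hasOwnProperty.call(policy.rules, member);
  const level = hasRule ? policy.rules[member] : policy.fallback;
  if (level === ALL_ACCESS) return true;
  if (level === SAME_ORIGIN) return sameOrigin(subjectUrl, objectUrl);
  return false; // unrecognised level: fail closed
}

// Audit helper: which members does a cross-origin caller still reach?
function crossOriginExposure(policy, members, subjectUrl, objectUrl) {
  return members.filter((m) => canAccess(policy, m, subjectUrl, objectUrl));
}

// Constructed sample: two listed properties, one the list never mentions
// (document.defaultView, added by DOM Level 2), and window.location.
const members = ["Document.images", "Document.bgColor",
                 "Document.defaultView", "Window.location"];
const caller = "http://other.example/page.html";
const target = "http://site.example/account.html";

console.log("listed:", crossOriginExposure(listedPolicy, members, caller, target));
console.log("default sameOrigin:", crossOriginExposure(defaultDenyPolicy, members, caller, target));
```

Under the per-property design, any member added after the list was written is reachable cross-origin until someone remembers to add an entry; under the default-sameOrigin design it is protected from the start.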
Assignee
Updated•25 years ago
Whiteboard: [nsbeta2-]
Assignee
Comment 16•25 years ago
Clearing nsbeta2- and requesting re-evaluation for nsbeta2 approval. Vidur and I agree that this change will probably prevent numerous security holes in the future.
Comment 17•25 years ago
Strong endorsement of permitting checkin for nsbeta2 as it's supposed to be FC, and that includes security policy. Here's why:
1) it's good to strengthen our security where we can at low risk to minimize possible post-FCs respins
2) but we want to check in such changes earlier, not later, to catch any unexpected issues (even though we don't expect any, one of course never does ...)
3) this is judged high value and low risk
4) we're still prior to FC cutoff
Updated•25 years ago
Summary: DOM Porperties should default to sameOrigin → DOM Properties should default to sameOrigin
Assignee
Comment 19•25 years ago
This change has been checked in. Marking FIXED.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED