Closed
Bug 350433
Opened 18 years ago
Closed 17 years ago
Same-origin checks that should fail, don't
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
FIXED
mozilla1.9alpha8
People
(Reporter: bzbarsky, Assigned: jst)
References
(Blocks 1 open bug)
Details
(Whiteboard: [sg:high] fixed by XOW)
Description
We seem to have some inconsistent security checks. See details in bug 344890 comment 8.
This bug is _solely_ about this inconsistency. Please do not admix any of the other discussion from bug 344890 here.
I suspect the problem is that needsSecurityCheck is returning a cached false when it shouldn't (because while the cx is the same the principal on the stack is not). I haven't had a chance to verify this, however. While this is not going to cause problems for XPConnect stuff, for non-XPConnect JS variables on pages this could be bad.
Updated•18 years ago (Reporter)
Flags: blocking1.9?
Flags: blocking1.8.1?
Flags: blocking1.8.0.8?
Updated•18 years ago
Flags: blocking1.8.1? → blocking1.8.1+
Comment 1•18 years ago (Reporter)
So if I make needsSecurityCheck always return PR_TRUE, this bug goes away.
The basic first problem is that needsSecurityCheck assumes that code running on a given cx always has the same principal. That's a pretty bogus assumption, and is what's biting us here -- it lets code with the null principal get at and call |foo|.
Imo we should make the cache be per-JSStackFrame or something...
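The caching mistake described in Comment 1, as an added C++ illustration that is neither Gecko's code nor anything attached to this bug: the types (Principal, JSContext, DomObject), the cache layout and the scenario are hypothetical stand-ins. The buggy variant keys its cached answer on the context alone, so a later caller with a different principal on the same context reuses a "no check needed" result; the corrected variant adds the subject principal to the key, which is the property a per-JSStackFrame cache would also capture.

```cpp
// Added illustration (not Gecko code): why caching a same-origin decision
// keyed only on the JSContext lets a later caller with a different principal
// reuse a "no check needed" answer. All types here are hypothetical stand-ins.
#include <map>
#include <string>
#include <tuple>
#include <utility>

// The principal of the code currently running; isNull models the
// null principal, which must never pass a same-origin check.
struct Principal {
    std::string origin;
    bool isNull;
};

// A script execution context; "subject" is the principal on the stack,
// which can change between calls on the same context.
struct JSContext {
    const Principal* subject;
};

// A DOM object reachable from script, owned by some origin.
struct DomObject {
    std::string origin;
};

// Ground truth: a check is needed unless subject and object share an origin.
static bool computeNeedsCheck(const Principal& subject, const DomObject& obj) {
    if (subject.isNull) return true;           // null principal never matches
    return subject.origin != obj.origin;
}

// Buggy variant: cache keyed on (cx, obj) only, so it silently assumes the
// subject principal on a given cx never changes.
class CxKeyedChecker {
    std::map<std::pair<const JSContext*, const DomObject*>, bool> cache_;
public:
    bool needsSecurityCheck(const JSContext& cx, const DomObject& obj) {
        auto key = std::make_pair(&cx, &obj);
        auto it = cache_.find(key);
        if (it != cache_.end()) return it->second;   // stale if subject changed
        bool needs = computeNeedsCheck(*cx.subject, obj);
        cache_.emplace(key, needs);
        return needs;
    }
};

// Corrected variant: the subject principal is part of the key, so a different
// principal on the same cx can never reuse someone else's answer.
class PrincipalKeyedChecker {
    std::map<std::tuple<const JSContext*, const Principal*, const DomObject*>, bool> cache_;
public:
    bool needsSecurityCheck(const JSContext& cx, const DomObject& obj) {
        auto key = std::make_tuple(&cx, cx.subject, &obj);
        auto it = cache_.find(key);
        if (it != cache_.end()) return it->second;
        bool needs = computeNeedsCheck(*cx.subject, obj);
        cache_.emplace(key, needs);
        return needs;
    }
};

// Scenario from the bug: same-origin code primes the cache on cx, then code
// with the null principal runs on the same cx and asks about the same object.
// Returns {buggyAnswer, fixedAnswer} for the null-principal caller.
std::pair<bool, bool> nullPrincipalAfterSameOrigin() {
    static const Principal pageOrigin{"https://example.test", false};
    static const Principal nullPrincipal{"", true};
    DomObject obj{"https://example.test"};
    JSContext cx{&pageOrigin};

    CxKeyedChecker buggy;
    PrincipalKeyedChecker fixed;
    buggy.needsSecurityCheck(cx, obj);   // caches "false": same origin
    fixed.needsSecurityCheck(cx, obj);

    cx.subject = &nullPrincipal;         // principal on the stack changes
    return {buggy.needsSecurityCheck(cx, obj),   // false: check wrongly skipped
            fixed.needsSecurityCheck(cx, obj)};  // true: check enforced
}
```

The general lesson is that a cached authorization decision is only as safe as its key: every input the decision depends on (here the subject principal, not just the execution context) has to be part of it, otherwise a cheaper caller inherits a more privileged caller's answer.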
Comment 2•18 years ago
So bz - is this/should this be something we try and get in 1.8.1?
Comment 3•18 years ago (Reporter)
I think so, yes. Though changes for bug 351370 might make things better here... maybe. Not sure.
Depends on: 351370
Comment 4•18 years ago
pushing to 1.8.1.1...
Flags: blocking1.8.1.1?
Flags: blocking1.8.1-
Flags: blocking1.8.1+
Comment 6•18 years ago
Not clear we know what the fix is going to be here, not blocking the current release (though we'll consider taking a patch) but putting on a later radar.
Flags: blocking1.8.1.2?
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1-
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9-
Flags: blocking1.8.0.10?
Whiteboard: [sg:high]
Updated•18 years ago
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.10?
Updated•18 years ago
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.10?
Updated•18 years ago
Flags: blocking1.8.1.2?
Flags: blocking1.8.1.2+
Flags: blocking1.8.0.10?
Flags: blocking1.8.0.10+
Updated•18 years ago
Flags: blocking1.8.1.2+
Flags: blocking1.8.0.10?
Flags: blocking1.8.0.10+
Updated•18 years ago
Flags: blocking1.8.0.10?
Flags: blocking1.9? → blocking1.9+
Comment 8•18 years ago
Setting to B1 per conversation with JST.
Target Milestone: --- → mozilla1.9beta1
Comment 9•17 years ago (Assignee)
The offending code here is no longer in the tree thanks to mrbkap's cross origin wrapper changes. Marking bug FIXED.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
Whiteboard: [sg:high] → [sg:high] fixed by XOW
Updated•12 years ago
Group: core-security
Updated•6 years ago
Component: DOM → DOM: Core & HTML