Closed
Bug 733035
Opened 13 years ago
Closed 13 years ago
need a way to postMessage from sandboxes (without source window object)
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla14
People
(Reporter: gkrizsanits, Assigned: gkrizsanits)
References
Details
(Keywords: dev-doc-needed)
Attachments
(1 file, 2 obsolete files)
(deleted),
patch
|
gkrizsanits
:
review+
|
Details | Diff | Splinter Review |
From a sandbox currently postMessage to a window object does not work (silent failure). The reason is that the function expects that the global is a window that can be used as a source window. For sandboxes that is not the case, but probably the principal of the sandbox can be used for the security checks.
Assignee | ||
Updated•13 years ago
|
Assignee: nobody → gkrizsanits
Assignee | ||
Comment 1•13 years ago
|
||
So I'm not sure that this is safe enough, and I don't know who is the best person to ask for a review on this. What do you think khuey? So there are two cases, either the sandbox have system principal, then I'm not really affraid of security implications. And when it has a URI based principal, then there is a check before cloning the data, but I'm not sure if it's enough. I would also love to validate somehow if the global or it's principal belongs to a sandbox, and the callerInnerWin isn't null for some other reasons.
Attachment #604030 -
Flags: review?(khuey)
Comment on attachment 604030 [details] [diff] [review] first draft with test Review of attachment 604030 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/base/nsGlobalWindow.cpp @@ +6347,5 @@ > // if the principal has a URI, use that to generate the origin > nsContentUtils::GetUTFOrigin(callerPrin, origin); > } > else { > + if (callerInnerWin) { just use else if (callerInnerWin) { ... } else { } No need for another level of indenting. @@ +6349,5 @@ > } > else { > + if (callerInnerWin) { > + // otherwise use the URI of the document to generate origin > + nsCOMPtr<nsIDocument> doc = do_QueryInterface(callerInnerWin->mDocument); callerInnerWin->GetExtantDocument()
Attachment #604030 -
Flags: review?(khuey) → review+
Assignee | ||
Comment 3•13 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=7b684de69a0d
Attachment #604030 -
Attachment is obsolete: true
Attachment #612215 -
Flags: review+
Assignee | ||
Comment 4•13 years ago
|
||
The previous version of the patch did not contain the Mercurial Queue headers, this one does.
Attachment #612215 -
Attachment is obsolete: true
Attachment #612218 -
Flags: review+
Assignee | ||
Updated•13 years ago
|
Keywords: checkin-needed
Comment 6•13 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/8f03b8e2cc5a
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Updated•12 years ago
|
Component: DOM: Mozilla Extensions → DOM
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•