Closed
Bug 827847
Opened 12 years ago
Closed 12 years ago
XHR security checks are done in the child process instead of the parent process
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
DUPLICATE
of bug 827853
blocking-basecamp | - |
People
(Reporter: briansmith, Unassigned)
References
Details
From nsXMLHttpRequest::GetResponseHeader:
// See bug #380418. Hide "Set-Cookie" headers from non-chrome scripts.
if (!nsContentUtils::IsCallerChrome() &&
(header.LowerCaseEqualsASCII("set-cookie") ||
header.LowerCaseEqualsASCII("set-cookie2"))) {
NS_WARNING("blocked access to response header");
return;
}
This logic, and similar, needs to happen in the parent process. jduell suggested that we should put these checks in the parent side of the Necko e10s implementation.
Ideally, we should ensure that cookie values and HTTP auth credentials are never sent into the child process. (The implementation of document.cookie should grab the cookie from the parent process at the time document.cookie is accessed by the content, and the parent process should block that from happening for httpOnly cookies.)
Reporter | ||
Updated•12 years ago
|
We can't do this unfortunately.
The security checks that apply to CORS requests aren't done for things like <script> or <img> requests.
While we could flag channels coming from XHR and do security checks only on those, that doesn't really help security-wise since the attacker can simply claim to not be doing an XHR request.
I think this bug is WONTFIX or INVALID
blocking-basecamp: ? → -
Comment 3•12 years ago
|
||
> Ideally, we should ensure that cookie values and HTTP auth credentials are never sent into the child process.
Let's track those two fixes in bug 827853, and close this bug. Unless we can think of some way that XHR security for child requests will be different on the parent than the sec checks for regular HTTP requests (since the parent has to trust the child as to whether a given HTTP request is for XHR or not, I suspect the answer is no).
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated•9 years ago
|
Group: core-security
Assignee | ||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•