Closed
Bug 901538
Opened 11 years ago
Closed 7 years ago
Usage of privileged XMLHttpRequest could be downgraded
Categories
(Firefox OS Graveyard :: Gaia::E-Mail, defect)
Tracking
(blocking-b2g:-)
RESOLVED
WONTFIX
People
(Reporter: freddy, Unassigned)
Details
(Keywords: sec-other, wsec-session)
The app is making use of the XMLHttpRequest object with the mozSystem extension that allows cross-origin requests.
It's probably better to use it only when necessary and make them explicitly anonymous (mozAnon: true).
We are also using it for requests towards the autoconfig and MX resolution bits, which are our own property. I see no reason not to allow CORS for these properties and use non-privileged XHR here.
These pieces of code use the privileged XHR:
./js/ext/mailapi/worker-bootstrap.js:1382
./js/ext/mailapi/worker-bootstrap.js:13994
./js/ext/mailapi/activesync/protocollayer.js:2529 (anon)
./js/ext/mailapi/activesync/protocollayer.js:2747 (anon)
./js/ext/mailapi/activesync/protocollayer.js:2897 (anon)
./js/text.js:4: (non-priv)
./js/tmpl_builder.js:62: (non-priv)
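An added example, not part of the original report or the Gaia code: a small Node.js scanner that reproduces the kind of audit listed above by classifying each XMLHttpRequest construction as non-privileged, privileged and anonymous, or privileged. The file names and source snippets are constructed, and the regex-based matching is an assumption that suits simple constructor calls.

```javascript
// Added example. File names and source snippets in SAMPLE are constructed.

// Matches `new XMLHttpRequest(...)`, including arguments spanning several lines.
// Limitation: a ')' inside the argument object ends the match early.
const XHR_CTOR = /new\s+XMLHttpRequest\s*\(([^)]*)\)/g;

// Labels follow the report's list: non-priv, anon, or plain privileged.
function classify(ctorArgs) {
  const system = /\bmozSystem\s*:\s*true\b/.test(ctorArgs);
  const anon = /\bmozAnon\s*:\s*true\b/.test(ctorArgs);
  if (!system) return 'non-priv';
  return anon ? 'privileged (anon)' : 'privileged';
}

// Returns one finding per XHR construction, with its 1-based line number.
function auditSource(file, source) {
  const findings = [];
  for (const m of source.matchAll(XHR_CTOR)) {
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({ file, line, kind: classify(m[1]) });
  }
  return findings;
}

function auditAll(files) {
  return Object.entries(files).flatMap(([f, src]) => auditSource(f, src));
}

// Privileged requests not marked anonymous are the ones the report asks to change.
function needsReview(findings) {
  return findings.filter((f) => f.kind === 'privileged');
}

const SAMPLE = {
  'autoconfig.js': 'function fetchConfig(url) {\n' +
    '  var xhr = new XMLHttpRequest({mozSystem: true});\n' +
    '  xhr.open("GET", url, true);\n}\n',
  'protocol.js': 'var xhr = new XMLHttpRequest({\n  mozSystem: true,\n' +
    '  mozAnon: true\n});\n',
  'text.js': '// plain same-origin fetch\nvar xhr = new XMLHttpRequest();\n',
};

for (const f of auditAll(SAMPLE)) {
  console.log(`${f.file}:${f.line} (${f.kind})`);
}
```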
Updated•11 years ago
blocking-b2g: --- → koi?
Comment 2•7 years ago
Firefox OS is not being worked on
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX