Bug 157574: transformDocument needs same origin check
Status: VERIFIED FIXED
Opened 23 years ago, closed 23 years ago
Categories: Core :: XSLT, defect
People: Reporter: hjtoi-bugzilla, Assigned: peterv
Details: Whiteboard: [ADT2 RTM]
From Jonas Sicking:
It is now possible to copy a document from another domain in js by doing
    proc = new XSLTProcessor;
    proc.transformDocument(otherDomainDoc,
                           myIdentityTransformation,
                           myResult,
                           null);
where 'myIdentityTransformation' is an XSLT stylesheet performing a
copy-transformation and 'otherDomainDoc' is a document from another domain.
Not sure if it is possible to simply walk the myResult document after this, but
it is at least possible to set up a treewalker before doing the above call and
then walking the document. It is probably also possible to set up mutationevent
listeners and get notified about all content that is inserted.
The way to fix this is to have a same-origin check for the source and stylesheet
documents in XSLTProcessor::TransformDocument so that this can only be done on
documents in the same origin as the current JS-context (if there is one)
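The check proposed above, modelled as an added example (this is not Mozilla's code or the actual fix; the function names and URLs are hypothetical). It compares the origin of both the source and the stylesheet document against the calling script's origin and fails closed on URIs that have no host:

```javascript
// Added illustration, not Mozilla's code. Function names and URLs are hypothetical.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Reduce a document URI to a scheme://host:port origin string.
// Unparseable or host-less URIs (about:, data:, file:) yield null.
function originOf(uri) {
  let u;
  try {
    u = new URL(uri);
  } catch (e) {
    return null;
  }
  if (!u.hostname) return null;
  // URL drops a scheme's default port, so put it back for a stable comparison.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Fail closed: a null origin never matches anything, including another null.
function sameOrigin(a, b) {
  const oa = originOf(a);
  return oa !== null && oa === originOf(b);
}

// callerUri is the URI of the calling script's document, or null when the
// call does not come from script (the report's "if there is one").
function checkTransformAccess(callerUri, sourceUri, stylesheetUri) {
  if (callerUri === null) {
    return { allowed: true, reason: "no script context" };
  }
  if (!sameOrigin(callerUri, sourceUri)) {
    return { allowed: false, reason: "source document is cross-origin" };
  }
  if (!sameOrigin(callerUri, stylesheetUri)) {
    return { allowed: false, reason: "stylesheet is cross-origin" };
  }
  return { allowed: true, reason: "same origin" };
}

// Constructed sample: the call from the report, with made-up URLs.
const verdict = checkTransformAccess(
  "http://a.example/page.html",   // calling page
  "http://b.example/private.xml", // otherDomainDoc
  "http://a.example/identity.xsl" // myIdentityTransformation
);
console.log(verdict);
```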
Comment 1 (Assignee) • 23 years ago
I don't understand, you have a document (that you have access to), you copy it
with a transformation into a document (that you have access to) and ...? You can
just write a JS function to do exactly the same thing?

The problem is that you can access the document-node of documents of other
origins. This is needed for code such as
    myIFrame.contentDocument.location = "http://..."
Comment 3 (Assignee) • 23 years ago
The checkin for bug 155504 fixed this, right?
Comment 4 (Assignee) • 23 years ago
er, bug 156452 is what I meant.
yep
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Updated • 23 years ago
Group: security