282615 - DOMSerializer's security checks don't take capabilities into account.

Status: RESOLVED FIXED

(Core :: DOM: Serializers, defect)

Description

[Johnny Stenback (:jst)]

Currently it's impossible to serialize a DOM node from a different domain even
if you enable "UniversalBrowserRead", the nsDOMSerializer code needs to check if
that capability is enabled. Patch coming up.

Comment 1

[Johnny Stenback (:jst)]

Attachment: Fix.

Comment 2

[Johnny Stenback (:jst)]

Attachment: Fix (diff -w for reviews)

Comment 3

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 174606 [details] [diff] [review]
Fix (diff -w for reviews)

sr=bzbarsky

Comment 4

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

Couldn't you call nsContentUtils::CanCallerAccess

Comment 5

[Johnny Stenback (:jst)]

That's in the wrong library, not reachable from the nsDOMSerializer code.

Comment 6

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

Comment on attachment 174606 [details] [diff] [review]
Fix (diff -w for reviews)


>     nsCOMPtr<nsIDOMDocument> owner_doc(do_QueryInterface(aRoot));
> 
>     if (!owner_doc) {
>       aRoot->GetOwnerDocument(getter_AddRefs(owner_doc));
>     }
> 
>     nsCOMPtr<nsIDocument> doc(do_QueryInterface(owner_doc));

You didn't change this, but would you mind fixing the double-QI here for the
case when aRoot is a document?

You also need to check that the passed in node is an nsIContent or
nsIAttribute. Otherwise someone might pass in a js-object with a foregin node
as "child". Requesting new patch just to be no the safe side since this is
security and all that.

We desperatly need to move this stuff to the securitymanager.

Comment 7

[Johnny Stenback (:jst)]

Attachment: Updated fix.

Comment 8

[Johnny Stenback (:jst)]

Attachment: Updated fix (diff -w)

Comment 9

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 174778 [details] [diff] [review]
Updated fix (diff -w)

sr=bzbarsky

Comment 10

[Johnny Stenback (:jst)]

Fixed.