Closed
Bug 296902
Opened 19 years ago
Closed 19 years ago
Check whether XPCNativeWrapper needs security checks
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
VERIFIED
FIXED
People
(Reporter: bzbarsky, Unassigned)
References
Details
We have various same-origin type security checks in DOMClassInfo that I don't see happening in XPCNativeWrapper. Since content can manually construct XPCNativeWrapper objects, perhaps we need some checks? Note that I haven't managed to actually produce an XSS exploit yet, so maybe we're OK; I just can't figure out _why_ exceptions are getting thrown when they are.
Comment 1•19 years ago
|
||
Maybe shutdown or moz_bug_r_a4 could turn this into an exploit
Comment 2•19 years ago
|
||
Someone remind me of the other bug bz filed, asking for XPCNativeWrapper to call the scriptable helper hooks, for hi-fi DOM level 0 emulation. /be
(In reply to comment #1) > Maybe shutdown or moz_bug_r_a4 could turn this into an exploit I've filed bug 299450. please check.
Reporter | ||
Updated•19 years ago
|
Flags: blocking1.8b4?
Comment 5•19 years ago
|
||
This is fixed now that its dependencies are fixed. bz can verify next week. /be
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 6•19 years ago
|
||
If this gets reopened, we probably need to see it on the blocker list.
Flags: blocking1.8b4? → blocking1.8b4+
Reporter | ||
Comment 7•19 years ago
|
||
Yeah, I think with the dependencies fixed this is all good.
Status: RESOLVED → VERIFIED
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•