Closed Bug 37333 Opened 24 years ago Closed 12 years ago

Implement 4.X signed script syntax

Categories: Core :: Security, defect, P3 (x86, Linux)

Tracking: RESOLVED INVALID, Future

People: Reporter: security-bugs, Assigned: dveditz

Details: Whiteboard: relnote-devel

Implement full backwards compatibility for signed scripts, with <SCRIPT ARCHIVE=> and ID= tags.
Setting target M16...hopefully this will get into PR2.
Status: NEW → ASSIGNED
Keywords: nsbeta2
Target Milestone: --- → M16
[nsbeta2+]
Whiteboard: [nsbeta2+ until 5/16]
*** Bug 37481 has been marked as a duplicate of this bug. ***
*** Bug 38851 has been marked as a duplicate of this bug. ***
I have implemented a solution for this as regards SCRIPT tags. The sticking point 
is with event handlers. Verifying signatures on event handlers will require a 
change to the parser by rickg (need access to the unmodified html source of tags 
containing event handlers in the HTML content sink). Adding 'waiting on 
dependency' to the whiteboard. This will probably not get done by 5/16 but I think 
it's important enough to allow checking in later. 
Whiteboard: [nsbeta2+ until 5/16] → [nsbeta2+ until 5/16] waiting on dependency.
Changed QA contact to Cathy.
QA Contact: junruh → czhang
mstoltz, is there a short cut that loses functionality, but gives us security?
Whiteboard: [nsbeta2+ until 5/16] waiting on dependency. → [NEED INFO] waiting on dependency.
Jan,
   Signed scripts are currently working using pages accessed from archives using
jar:http://... I just don't think too many people will want to use it this way
since it means keeping a separate copy of your HTML page in a jar file. Full
backwards compatibility is waiting on rickg's changes. I have emailed him but
with no response. Without his changes, I could make it so that scripts in
<SCRIPT> tags could be signed, but not event handlers. Event handlers are in
pretty common use, so this would be pretty limiting to functionality. I'd really
like to get full functionality into beta2 - rickg said it would be approved by
exception after his changes are in, and I would only require a day or two of
coding once his changes are in.
Depends on: 41261
I'm looking into this; I'll contact mstoltz.
I've spoken with mstoltz, and we've agreed to break the problem up into tasks 
that we'll examine over the weekend. We further agreed to discuss the problem 
further (based on our tasks) on Monday.
I'm doing some engineering work today/tonight that may resolve this. We've 
agreed to get in contact on Thursday.
Whiteboard: [NEED INFO] waiting on dependency. → Looking for easy kill...
Putting on [nsbeta2+] radar for beta2 fix. 
Whiteboard: Looking for easy kill... → [nsbeta2+]Looking for easy kill...
Moving to M17. Not an M16 stopper.
Target Milestone: M16 → M17
We've decided that implementing full backwards compatibility is too difficult in 
relation to the current demand for signed scripts, which is probably low. 
Retargeting "Future"...maybe we'll reconsider this for 6.1.
Keywords: nsbeta2
Whiteboard: [nsbeta2+]Looking for easy kill... → .
Target Milestone: M17 → Future
Assigning QA to czhang
Need to put the workaround in the PR2 release notes for developers.
Keywords: relnote2
Whiteboard: .
Keywords: relnote2 → relnote
Whiteboard: relnote-devel
The full explanation for this relnote is in 
http://www.mozilla.org/projects/security/components/jssec.html 
and can probably be summarized.
QA Contact: czhang → junruh
Mass changing QA to ckritzer.
QA Contact: junruh → ckritzer
*** Bug 59982 has been marked as a duplicate of this bug. ***
Removing myself from the list of cc's.
Nominating for nsbeta1 consideration. NS will presumably want to get this fixed 
at some point for backward compatibility & to ease forward migration of 
customers, especially enterprise users, so would be good if it could get done 
for nsbeta1. If not, this could slip to the next major release as the # of 
users affected is indeed low.
Keywords: nsbeta1
Mass adding mozilla0.9 keyword (mass changing milestone doesn't seem to work).
Keywords: mozilla0.9
Target Milestone: Future → mozilla1.0
Target Milestone: mozilla1.0 → mozilla0.9.2
Target Milestone: mozilla0.9.2 → mozilla1.0
Blocks: 104166
performance, footprint, feature work, and re-architecture bugs will be addressed
in 0.9.8
Target Milestone: mozilla1.0 → mozilla0.9.8
Future
Target Milestone: mozilla0.9.8 → Future
Hello
It seems that this code can't run in this new version, neither does signing code apply:
<SCRIPT archive="/Sms/Comunes/link/general.jar" language="JavaScript1.2"
src="/Sms/Comunes/link/general.js"></SCRIPT>

Can you help me? (It works in a 4.73 version.) It's very critical because I can
modify locationbar.visible, etc...of anyway
Thank you
	netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserWrite");
	self.menubar.visible=false;
	self.toolbar.visible=false;
	self.locationbar.visible=false;
	self.location.visible=false;
	self.personalbar.visible=false;
	self.scrollbars.visible=false;
	self.statusbar.visible=true;
	self.resizable=false;

	self.resizeTo(500,400);
	netscape.security.PrivilegeManager.disablePrivilege("UniversalBrowserWrite");

Thank you so much

Manuel Ruiz Camacho
Comunicaciones
C/ Velazquez 132, Bloque II - 2ª Planta
28006 - Madrid (ESPAÑA)
Tel:  +34 91 348.12.96
Fax: +34 91 348.11.12
mrcamacho@indra.es
http://www.indra.es
Status: ASSIGNED → NEW
QA Contact: ckritzer → bsharma
NS6 and now NS7 also do not support the following NS 4.x signed-script policy.
<SCRIPT language="JavaScript1.2" archive="xyz.jar"  src="xyz.js"></SCRIPT>

This critical defect has been breaking NS 6/7 for the past 3 years. We would like the 
archive option back in the Script tag to support the signed scripts.
*** Bug 143289 has been marked as a duplicate of this bug. ***
NS 7.1 does not support the following NS 4.x signed-script policy.
<SCRIPT language="JavaScript" archive="a.jar"  src="a.js"></SCRIPT>

This critical defect is breaking NS 7.1 forever. Please add the archive option back 
in the Script tag to support the signed scripts.
vinay,

it is highly unlikely that this feature will be implemented anytime soon by the
folks who were previously involved with this bug since they are no longer
working on mozilla with any regular frequency.

if this feature is important to you or your company please bring it to the
attention of the Mozilla Foundation (mailto:drivers@mozilla.org).  this is the
best way to escalate a feature request, especially if it is critical to the
deployment of mozilla in your organization.

thank you,
darin
In the current circumstances, it doesn't seem likely support for this will be
added. Mozilla.org already has too many urgent bugs to solve.

A more reasonable option for anyone blocked by this problem would be to change
the way you are working to use instead the newer method for Mozilla to access
the signed script:
http://www.mozilla.org/projects/security/components/jssec.html#signedscript

It might be annoying, but if you just wait for this to change, you risk
waiting, and missing the many improvements of Mozilla over Netscape 4.x, for a very
long time yet.
Keywords: relnote
Assignee: security-bugs → dveditz
QA Contact: bsharma → toolkit
Now we don't support signed scripts at all.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID