Closed
Bug 37333
Opened 24 years ago
Closed 12 years ago
Implement 4.X signed script syntax
Categories
(Core :: Security, defect, P3)
Tracking
()
RESOLVED
INVALID
Future
People
(Reporter: security-bugs, Assigned: dveditz)
References
Details
(Whiteboard: relnote-devel)
Implement full backwards compatibility for signed scripts, with <SCRIPT ARCHIVE=> and ID= tags.
Reporter
Comment 1•24 years ago
Setting target M16...hopefully this will get into PR2.
Reporter
Comment 5•24 years ago
I have implemented a solution for this as regards SCRIPT tags. The sticking point is with event handlers. Verifying signatures on event handlers will require a change to the parser by rickg (need access to the unmodified html source of tags containing event handlers in the HTML content sink). Adding 'waiting on dependency' to the whiteboard. This will probably not get done by 5/16 but I think it's important enough to allow checking in later.
Whiteboard: [nsbeta2+ until 5/16] → [nsbeta2+ until 5/16] waiting on dependency.
mstoltz, is there a short cut that loses functionality, but gives us security?
Whiteboard: [nsbeta2+ until 5/16] waiting on dependency. → [NEED INFO] waiting on dependency.
Reporter
Comment 8•24 years ago
Jan, Signed scripts are currently working using pages accessed from archives using jar:http://... I just don't think too many people will want to use it this way since it means keeping a separate copy of your HTML page in a jar file. Full backwards compatibility is waiting on rickg's changes. I have emailed him but with no response. Without his changes, I could make it so that scripts in <SCRIPT> tags could be signed, but not event handlers. Event handlers are in pretty common use, so this would be pretty limiting to functionality. I'd really like to get full functionality into beta2 - rickg said it would be approved by exception after his changes are in, and I would only require a day or two of coding once his changes are in.
Comment 10•24 years ago
I've spoken with mstoltz, and we've agreed to break the problem up into tasks that we'll examine over the weekend. We further agreed to discuss the problem further (based on our tasks) on Monday.
Comment 11•24 years ago
I'm doing some engineering work today/tonight that may resolve this. We've agreed to get in contact on Thursday.
Whiteboard: [NEED INFO] waiting on dependency. → Looking for easy kill...
Comment 12•24 years ago
Putting on [nsbeta2+] radar for beta2 fix.
Whiteboard: Looking for easy kill... → [nsbeta2+]Looking for easy kill...
Reporter
Comment 14•24 years ago
We've decided that implementing full backwards compatibility is too difficult in relation to the current demand for signed scripts, which is probably low. Retargeting "Future"...maybe we'll reconsider this for 6.1.
Comment 15•24 years ago
Assigning QA to czhang
Comment 16•24 years ago
Need to put the workaround in the PR2 release notes for developers.
Keywords: relnote2
Whiteboard: .
Updated•24 years ago
Reporter
Comment 17•24 years ago
The full explanation for this relnote is in http://www.mozilla.org/projects/security/components/jssec.html and can probably be summarized.
Updated•24 years ago
QA Contact: czhang → junruh
Reporter
Comment 19•24 years ago
*** Bug 59982 has been marked as a duplicate of this bug. ***
Comment 20•24 years ago
Removing myself from the list of cc's.
Comment 21•24 years ago
Nominating for nsbeta1 consideration. NS will presumably want to get this fixed at some point for backward compatibility & to ease forward migration of customers, especially enterprise users, so would be good if it could get done for nsbeta1. If not, this could slip to the next major release as the # of users affected is indeed low.
Keywords: nsbeta1
Reporter
Comment 22•24 years ago
Mass adding mozilla0.9 keyword (mass changing milestone doesn't seem to work).
Keywords: mozilla0.9
Reporter
Updated•24 years ago
Target Milestone: Future → mozilla1.0
Reporter
Updated•23 years ago
Target Milestone: mozilla1.0 → mozilla0.9.2
Reporter
Updated•23 years ago
Target Milestone: mozilla0.9.2 → mozilla1.0
Reporter
Comment 23•23 years ago
performance, footprint, feature work, and re-architecture bugs will be addressed in 0.9.8
Target Milestone: mozilla1.0 → mozilla0.9.8
Comment 25•23 years ago
Hello, it seems that this code can't run in this new version, nor does the signing code apply:

<SCRIPT archive="/Sms/Comunes/link/general.jar" language="JavaScript1.2" src="/Sms/Comunes/link/general.js"></SCRIPT>

Can you help me? (It works in a 4.73 version.) It's very critical because I can modify locationbar.visible, etc... of anyway. Thank you.

netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserWrite");
self.menubar.visible=false;
self.toolbar.visible=false;
self.locationbar.visible=false;
self.location.visible=false;
self.personalbar.visible=false;
self.scrollbars.visible=false;
self.statusbar.visible=true;
self.resizable=false;
self.resizeTo(500,400);
netscape.security.PrivilegeManager.disablePrivilege("UniversalBrowserWrite");

Thank you so much
Manuel Ruiz Camacho
Comunicaciones
C/ Velazquez 132, Bloque II - 2ª Planta
28006 - Madrid (ESPAÑA)
Tel: +34 91 348.12.96
Fax: +34 91 348.11.12
mrcamacho@indra.es
http://www.indra.es
Status: ASSIGNED → NEW
QA Contact: ckritzer → bsharma
Comment 26•21 years ago
NS6 and now NS7 also do not support the following NS 4.x signed-script policy:

<SCRIPT language="JavaScript1.2" archive="xyz.jar" src="xyz.js"></SCRIPT>

This critical defect has been breaking NS 6/7 for the past 3 years. We would like the archive option back in the Script tag to support signed scripts.
Reporter
Comment 27•21 years ago
*** Bug 143289 has been marked as a duplicate of this bug. ***
Comment 28•21 years ago
NS 7.1 does not support the following NS 4.x signed-script policy:

<SCRIPT language="JavaScript" archive="a.jar" src="a.js"></SCRIPT>

This critical defect is breaking NS 7.1 forever. Please add the archive option back in the Script tag to support signed scripts.
Comment 29•21 years ago
vinay, it is highly unlikely that this feature will be implemented anytime soon by the folks who were previously involved with this bug since they are no longer working on mozilla with any regular frequency. if this feature is important to you or your company please bring it to the attention of the Mozilla Foundation (mailto:drivers@mozilla.org). this is the best way to escalate a feature request, especially if it is critical to the deployment of mozilla in your organization. thank you, darin
Comment 30•21 years ago
In the current circumstances, it doesn't seem likely that support for this will be added. Mozilla.org already has too many urgent bugs to solve. A more reasonable option for anyone blocked by this problem would be to change the way you are working and use instead the newer method for Mozilla to access the signed script: http://www.mozilla.org/projects/security/components/jssec.html#signedscript It might be annoying, but if you just wait for this to change, you risk waiting, and missing the many improvements of Mozilla over Netscape 4.x, for a very long time yet.
Assignee
Updated•18 years ago
Assignee: security-bugs → dveditz
QA Contact: bsharma → toolkit
Comment 31•12 years ago
Now we don't support signed scripts at all.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID