Closed
Bug 1491759
Opened 6 years ago
Closed 6 years ago
Remove eval from loadPrivilegedScript() in specialpowersAPI.js
Categories
(Core :: DOM: Security, enhancement, P2)
Core
DOM: Security
Tracking
()
RESOLVED
FIXED
mozilla64
Tracking | Status | |
---|---|---|
firefox64 | --- | fixed |
People
(Reporter: vinoth, Assigned: vinoth)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
As part of Bug 1473549, we are in the process of adding an assertion to make sure that eval() is not executed with system principal. Eval() has been used in loadPrivilegedScript() in specialpowersAPI.js, We need to remove this eval() and replace it with someother alternative.
Assignee | ||
Comment 1•6 years ago
|
||
Hi, Please see comment 1, It seems that this eval() (https://dxr.mozilla.org/mozilla-central/rev/7ed950e60f3c1f8a47c117c04124d31e94a66e32/testing/specialpowers/content/specialpowersAPI.js#520) is added as part of Bug 1260076 by you and please take a look at. Apparently we need to remove this eval from that function. Let me know you comments.
Flags: needinfo?(juhsu)
Updated•6 years ago
|
Whiteboard: [domsecurity-active]
Comment 2•6 years ago
|
||
AFAICT The goal is to load the chrome privileged script in the content process for testing, basically for Presentation API. I don't have a good idea how to replace it. If it's too hard and asserting |eval()| matters, you can disable the relative tests.
Flags: needinfo?(juhsu)
Assignee | ||
Comment 3•6 years ago
|
||
Assignee | ||
Comment 4•6 years ago
|
||
Comment on attachment 9015183 [details] Bug 1491759 - Replaced eval with loadSubScript from loadPrivilegedScript() in specialpowersAPI.js I have replaced eval() with loadsubscript(). Please kindly review the patch and let me know if changes are needed. Try server push for this change is, https://treeherder.mozilla.org/#/jobs?repo=try&revision=eb7603d26895cd46f58bca4ae69fb4c291d6f37c
Attachment #9015183 -
Flags: review?(juhsu)
Updated•6 years ago
|
Attachment #9015183 -
Flags: review?(juhsu) → review+
Assignee | ||
Updated•6 years ago
|
Keywords: checkin-needed
Pushed by ebalazs@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1bae9022b97e Replaced eval with loadSubScript from loadPrivilegedScript() in specialpowersAPI.js r=JuniorHsu
Keywords: checkin-needed
Comment 6•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/1bae9022b97e
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox64:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
You need to log in
before you can comment on or make changes to this bug.
Description
•