Closed
Bug 1030997
Opened 11 years ago
Closed 11 years ago
nsFrameMessageManager does not reconstruct principal object on receiveMessage
Categories
(Core :: DOM: Content Processes, defect)
Tracking
()
RESOLVED
FIXED
mozilla34
People
(Reporter: qdot, Assigned: baku)
References
Details
Attachments
(1 file)
|
2.44 KB,
patch
|
smaug
:
review+
|
Details | Diff | Splinter Review |
When sending a principal as an argument in sendAsyncMessage via a MessageManager in content, the corresponding ReceiveMessage call in parent does not reconstruct the principal object. Instead, it just creates a javascript object with the appid/uri/etc.
Not sure if we just need to add a QueryInterface set to this or if it will be more involved.
|
Assignee | |
Comment 1•11 years ago
|
||
Smaug, can we expose nsIPrincipal here in this way? Tests pass but maybe you don't like it.
Attachment #8467757 -
Flags: review?(bugs)
|
||
Comment 2•11 years ago
|
||
Well, wasn't the idea that since we can't trust that principal to be right anyway (since it is coming from the child process), we'd just use a fake principal-like thing.
|
|
||
Updated•11 years ago
|
Attachment #8467757 -
Flags: review?(bugs)
|
|
||
Comment 3•11 years ago
|
||
Kyle, why would we need a real nsIPrincipal object? And how would it be used. It should be effectively
a null principal in chrome process, I think.
Flags: needinfo?(kyle)
|
|
||
Comment 4•11 years ago
|
||
Comment on attachment 8467757 [details] [diff] [review]
principal.patch
Hmm, or maybe we have strong enough runtime assertions to make sure this is fine.
Attachment #8467757 -
Flags: review?(bugs)
|
|
Assignee | |
Comment 5•11 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #2)
> Well, wasn't the idea that since we can't trust that principal to be right
> anyway (since it is coming from the child process), we'd just use a fake
> principal-like thing.
Sharing a full nsIPrincipal object should not be a security issue for what I can see.
But maybe I'm wrong...
|
|
||
Comment 6•11 years ago
|
||
Comment on attachment 8467757 [details] [diff] [review]
principal.patch
Add a check for the return value of nsContentUtils::WrapNative.
And looks like this could be fine. We don't serialize system principal ever, so
at least we can't get that kind of powerful principals from child, and
we have the assertions which kill the child process when needed.
Attachment #8467757 -
Flags: review?(bugs) → review+
|
|
||
Comment 7•11 years ago
|
||
Comment on attachment 8467757 [details] [diff] [review]
principal.patch
Or, hmm, the assertions aren't very strict.
I wonder why.
Attachment #8467757 -
Flags: review+ → review?(bugs)
|
|
||
Comment 8•11 years ago
|
||
Comment on attachment 8467757 [details] [diff] [review]
principal.patch
But I guess we should can't have origin checks, and need to rely on appid.
Attachment #8467757 -
Flags: review?(bugs) → review+
|
|
||
Updated•11 years ago
|
Flags: needinfo?(kyle)
|
|
Assignee | |
Comment 9•11 years ago
|
||
Keywords: checkin-needed
|
||
Comment 10•11 years ago
|
||
Assignee: nobody → amarchesini
Keywords: checkin-needed
|
||
Comment 11•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
You need to log in
before you can comment on or make changes to this bug.
Description
•