Closed
Bug 1068614
Opened 10 years ago
Closed 10 years ago
XrayResolveOwnProperty doesn't check if we're chrome before invoking XrayResolveUnforgeableProperty with nativeProperties.chromeOnly
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox-esr31 | --- | unaffected |
People
(Reporter: bholley, Unassigned)
References
Details
(Keywords: sec-other)
I just came across http://hg.mozilla.org/mozilla-central/file/641d450532be/dom/bindings/BindingUtils.cpp#l1013 , which looks bad to me at first glance. Am I missing something?
|
Reporter | |
Updated•10 years ago
|
Flags: needinfo?(peterv)
|
||
Comment 1•10 years ago
|
||
Should be fine for now, we don't have unforgeable chrome-only APIs.
Flags: needinfo?(peterv)
|
||
Comment 2•10 years ago
|
||
I think I keep assuming Xrays means chrome... which it does, except for Location and Window. I agree, this should be fixed.
|
|
Reporter | |
Comment 3•10 years ago
|
||
(In reply to Boris Zbarsky [:bz] from comment #2) > I think I keep assuming Xrays means chrome... which it does, except for > Location and Window. No, that's not the issue - the issue is same-origin Xrays (wantXrays) and nsExpandedPrincipal, neither of which should have access to chrome-only APIs.
|
|
||
Comment 4•10 years ago
|
||
Oh, sandboxes, right. :(
|
|
Reporter | |
Comment 5•10 years ago
|
||
Looks like peter's patch in bug 787070 fixes this. We should verify once that lands.
Depends on: 787070
|
|
Reporter | |
Comment 6•10 years ago
|
||
This was fixed by bug 787070.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
|
||
Updated•10 years ago
|
status-firefox-esr31:
--- → unaffected
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
||
Updated•8 years ago
|
Group: core-security-release
|
Assignee | |
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•