Closed
Bug 1083060
Opened 9 years ago
Closed 9 years ago
Stop using XOW handlers for everything but Window and Location
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
mozilla36
People
(Reporter: bholley, Assigned: bholley)
Details
Attachments
(2 files, 1 obsolete file)
2.86 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
5.18 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
An old quirk of XPConnect is that we we actually use the XOW handler for a wide variety of cases, and just rely on the filtering policy to make most things opaque. This works, but is kind of confusing, and we can do better from a defense-in-depth perspective. This was confusing bz yesterday, which is reason enough to fix it now. Patches coming up.
Assignee | ||
Comment 2•9 years ago
|
||
Attachment #8505312 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 3•9 years ago
|
||
https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=56ca0d2e60ee
Comment 4•9 years ago
|
||
Comment on attachment 8505311 [details] [diff] [review] Part 1 - Refactor the XOW access control code to use an enum rather than a char*. v1 Review of attachment 8505311 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/xpconnect/wrappers/AccessCheck.h @@ +31,5 @@ > + CrossOriginWindow, > + CrossOriginLocation, > + CrossOriginOpaque > +}; > +CrossOriginObjectType TypeForCrossOriginObject(JSObject *obj); Looks like you changed this to IdentifyCrossOriginObject in the deinition.
Assignee | ||
Comment 5•9 years ago
|
||
(In reply to Bob Owen (:bobowen) from comment #4) > Looks like you changed this to IdentifyCrossOriginObject in the deinition. Doh. Unified fail.
Assignee | ||
Comment 6•9 years ago
|
||
Attachment #8505311 -
Attachment is obsolete: true
Attachment #8505311 -
Flags: review?(bzbarsky)
Attachment #8505341 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 7•9 years ago
|
||
https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=bf4a7efd1a20
![]() |
||
Comment 8•9 years ago
|
||
Comment on attachment 8505312 [details] [diff] [review] Part 2 - Only use the XOW policy for Window and Location. v1 What is IdentifyCrossOriginObject? I don't see it anywhere in the tree. Do we really want to allow the OpaqueWithCall case when XrayForDOMObject? I would think not.
Flags: needinfo?(bobbyholley)
![]() |
||
Comment 9•9 years ago
|
||
Comment on attachment 8505312 [details] [diff] [review] Part 2 - Only use the XOW policy for Window and Location. v1 > What is IdentifyCrossOriginObject? Oh, its in the "later" part 1. OK. r=me modulo the WithCall bit.
Attachment #8505312 -
Flags: review?(bzbarsky) → review+
![]() |
||
Comment 10•9 years ago
|
||
Comment on attachment 8505341 [details] [diff] [review] Part 1 - Refactor the XOW access control code to use an enum rather than a char*. v2 r=me
Attachment #8505341 -
Flags: review?(bzbarsky) → review+
Flags: needinfo?(bobbyholley)
Assignee | ||
Comment 11•9 years ago
|
||
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/78f725c6441d remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/ba0373a2af17
Comment 12•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/78f725c6441d https://hg.mozilla.org/mozilla-central/rev/ba0373a2af17
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
You need to log in
before you can comment on or make changes to this bug.
Description
•