Closed
Bug 1083060
Opened 11 years ago
Closed 11 years ago
Stop using XOW handlers for everything but Window and Location
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
mozilla36
People
(Reporter: bholley, Assigned: bholley)
Details
Attachments
(2 files, 1 obsolete file)
2.86 KB, patch | bzbarsky: review+
5.18 KB, patch | bzbarsky: review+
An old quirk of XPConnect is that we actually use the XOW handler for a wide variety of cases, and just rely on the filtering policy to make most things opaque. This works, but is kind of confusing, and we can do better from a defense-in-depth perspective.
This was confusing bz yesterday, which is reason enough to fix it now. Patches coming up.
Comment 2•11 years ago (Assignee)
Attachment #8505312 - Flags: review?(bzbarsky)
Comment 3•11 years ago (Assignee)
Comment 4•11 years ago
Comment on attachment 8505311
Part 1 - Refactor the XOW access control code to use an enum rather than a char*. v1
Review of attachment 8505311:
-----------------------------------------------------------------
::: js/xpconnect/wrappers/AccessCheck.h
@@ +31,5 @@
> + CrossOriginWindow,
> + CrossOriginLocation,
> + CrossOriginOpaque
> +};
> +CrossOriginObjectType TypeForCrossOriginObject(JSObject *obj);
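Review bot: the declaration of TypeForCrossOriginObject on the last line of this hunk carries no comment saying which objects map to which enumerator. Since this lives in AccessCheck.h and the returned CrossOriginObjectType is part of the access control code, a short comment above the declaration stating when CrossOriginWindow, CrossOriginLocation and CrossOriginOpaque are returned would let callers see which value is the fallback for everything else.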
Looks like you changed this to IdentifyCrossOriginObject in the definition.
Comment 5•11 years ago (Assignee)
(In reply to Bob Owen (:bobowen) from comment #4)
> Looks like you changed this to IdentifyCrossOriginObject in the definition.
Doh. Unified fail.
Comment 6•11 years ago (Assignee)
Attachment #8505311 - Attachment is obsolete: true
Attachment #8505311 - Flags: review?(bzbarsky)
Attachment #8505341 - Flags: review?(bzbarsky)
Comment 7•11 years ago (Assignee)
Comment 8•11 years ago
Comment on attachment 8505312
Part 2 - Only use the XOW policy for Window and Location. v1
What is IdentifyCrossOriginObject? I don't see it anywhere in the tree.
Do we really want to allow the OpaqueWithCall case when XrayForDOMObject? I would think not.
Flags: needinfo?(bobbyholley)
Comment 9•11 years ago
Comment on attachment 8505312
Part 2 - Only use the XOW policy for Window and Location. v1
> What is IdentifyCrossOriginObject?
Oh, it's in the "later" part 1. OK.
r=me modulo the WithCall bit.
Attachment #8505312 - Flags: review?(bzbarsky) → review+
Comment 10•11 years ago
Comment on attachment 8505341
Part 1 - Refactor the XOW access control code to use an enum rather than a char*. v2
r=me
Attachment #8505341 - Flags: review?(bzbarsky) → review+
Flags: needinfo?(bobbyholley)
Comment 11•11 years ago (Assignee)
Comment 12•11 years ago
https://hg.mozilla.org/mozilla-central/rev/78f725c6441d
https://hg.mozilla.org/mozilla-central/rev/ba0373a2af17
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36