Open
Bug 1163753
Opened 9 years ago
Updated 10 months ago
See if we can remove the special case for resource:// workers needing the system principal
Categories
(Core :: DOM: Workers, task, P5)
Tracking
()
NEW
People
(Reporter: bent.mozilla, Unassigned)
References
Details
(Keywords: sec-other, sec-want)
See bug 1163109. We have a special case for resource:// workers loaded with the system principal where we give those workers the system principal so that they can do cross-site xhr. Maybe we don't need to do that any more?
|
||
Comment 1•9 years ago
|
||
I doubt I have the full context, but content with the "systemXHR" permission can use the mozSystem non-standard option to XHR: https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest#Non-standard_properties
|
||
Comment 2•9 years ago
|
||
I'm marking this sec-other because it sounds like there's no known security issue with this code.
|
||
Updated•9 years ago
|
Group: core-security → dom-core-security
|
||
Comment 3•9 years ago
|
||
Jonas, what _is_ our exact security model for this stuff? Our worker security model still doesn't make sense to me....
Flags: needinfo?(jonas)
I don't remember our rules for chrome workers. They are mostly there to make it harder for chrome code to XSS itself. I.e. it's there for similar reasons that we don't let data: URLs inherit chrome principals. IIRC dveditz had stronger opinions than I did about what exact rules we should have. Also, is there a reason we need to keep this bug closed?
Flags: needinfo?(jonas)
|
|
||
Comment 5•9 years ago
|
||
> Also, is there a reason we need to keep this bug closed?
I don't see one offhand.|
|
||
Updated•9 years ago
|
Group: dom-core-security
|
||
Updated•6 years ago
|
Priority: -- → P5
|
||
Updated•4 years ago
|
Flags: needinfo?(bugmail)
|
|
||
Updated•4 years ago
|
Severity: normal → --
Type: defect → task
|
|
||
Updated•4 years ago
|
Severity: -- → S4
|
|
||
Comment 6•1 year ago
|
||
ScriptLoader.cpp seems to have changed heavily since bug 1163109 landed (I cannot identify any of that patch anymore). :smaug, as you were involved on the other bug back then, do you have a feeling if this bug here is still an issue?
Flags: needinfo?(bugmail) → needinfo?(smaug)
|
||
Comment 7•1 year ago
|
||
https://searchfox.org/mozilla-central/rev/5c922d8b93b43c18bf65539bfc72a30f84989003/dom/workers/WorkerLoadInfo.cpp#211,218-219
But the behavior is maybe reasonable.
Flags: needinfo?(smaug)
You need to log in
before you can comment on or make changes to this bug.
Description
•