Closed
Bug 1204703
Opened 9 years ago
Closed 9 years ago
Make nsContentSecurityManager scriptable and add security checks to nsIChannel implementation in JS
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla43
Tracking | Status | |
---|---|---|
firefox43 | --- | fixed |
People
(Reporter: ckerschb, Assigned: ckerschb)
References
Details
Attachments
(3 files, 3 obsolete files)
10.40 KB,
patch
|
ckerschb
:
review+
|
Details | Diff | Splinter Review |
3.71 KB,
patch
|
sicking
:
review+
|
Details | Diff | Splinter Review |
6.61 KB,
patch
|
sicking
:
review+
|
Details | Diff | Splinter Review |
No description provided.
Assignee | ||
Updated•9 years ago
|
Summary: Add asyncOpen2 to JS implementation of nsIChannel → Make nsContentSecurityManager scriptable and add security checks to nsIChannel implementation in JS
Assignee | ||
Comment 1•9 years ago
|
||
Attachment #8661532 -
Flags: review?(jonas)
Assignee | ||
Comment 2•9 years ago
|
||
Attachment #8661533 -
Flags: review?(jonas)
Assignee | ||
Comment 3•9 years ago
|
||
Attachment #8661535 -
Flags: review?(jonas)
Comment on attachment 8661532 [details] [diff] [review] bug_1143922_make_contentsecuritymanager_scriptable.patch Review of attachment 8661532 [details] [diff] [review]: ----------------------------------------------------------------- r=me with that fixed. ::: dom/interfaces/security/nsIContentSecurityManager.idl @@ +32,5 @@ > + * Whether or not the channel should be openend or not. > + */ > + bool performSecurityCheck(in nsIChannel aChannel, > + in nsIStreamListener aStreamListener, > + out nsIStreamListener outStreamListener); I would say just return the new streamlistener rather than use an out-argument. You can still throw an exception if the security checks fail.
Attachment #8661532 -
Flags: review?(jonas) → review+
Comment on attachment 8661533 [details] [diff] [review] bug_1143922_toolit_and_b2g.patch Review of attachment 8661533 [details] [diff] [review]: ----------------------------------------------------------------- ::: b2g/components/ActivityChannel.jsm @@ +57,5 @@ > asyncOpen2: function(aListener) { > + var outListener = {}; > + var allowed = contentSecManager.performSecurityCheck(this, aListener, outListener); > + if (!allowed) { > + return Cr.NS_ERROR_CONTENT_BLOCKED; You don't want to return an error code here. You want to throw one. Returning an error in C++ maps to throwing an exception in JS. ::: toolkit/components/addoncompat/RemoteAddonsChild.jsm @@ +281,5 @@ > + asyncOpen2: function(listener) { > + var outListener = {}; > + var allowed = contentSecManager.performSecurityCheck(this, aListener, outListener); > + if (!allowed) { > + return Cr.NS_ERROR_CONTENT_BLOCKED; Same here.
Attachment #8661533 -
Flags: review?(jonas) → review-
Comment on attachment 8661535 [details] [diff] [review] bug_1143922_test_updates.patch Review of attachment 8661535 [details] [diff] [review]: ----------------------------------------------------------------- Here too
Attachment #8661535 -
Flags: review?(jonas) → review-
Assignee | ||
Comment 7•9 years ago
|
||
Agreed, lets return a streamListener instead of using an out-argument. Carrying over r+ from Jonas.
Attachment #8661532 -
Attachment is obsolete: true
Attachment #8661533 -
Attachment is obsolete: true
Attachment #8661535 -
Attachment is obsolete: true
Attachment #8662656 -
Flags: review+
Assignee | ||
Comment 8•9 years ago
|
||
Attachment #8662657 -
Flags: review?(jonas)
Assignee | ||
Comment 9•9 years ago
|
||
Attachment #8662659 -
Flags: review?(jonas)
Attachment #8662657 -
Flags: review?(jonas) → review+
Attachment #8662659 -
Flags: review?(jonas) → review+
These patches landed with the wrong bug number (1143922): https://hg.mozilla.org/integration/mozilla-inbound/rev/977d5b7ecba3 https://hg.mozilla.org/integration/mozilla-inbound/rev/deda472458fd https://hg.mozilla.org/integration/mozilla-inbound/rev/309b4d1ab81c Backed those three out in: remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/c2a2e73b931f ...and relanded with the right numbers: remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/4a5adeb6e823 remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/2b6f2b470f95 remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/9f7b7ab7dc1f
Comment 11•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/4a5adeb6e823 https://hg.mozilla.org/mozilla-central/rev/2b6f2b470f95 https://hg.mozilla.org/mozilla-central/rev/9f7b7ab7dc1f
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox43:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Comment 12•9 years ago
|
||
> 2.25 + * whether the channel should be openend or should be blocked consulting
"opened"?
Flags: needinfo?(mozilla)
Assignee | ||
Comment 13•9 years ago
|
||
(In reply to Boris Zbarsky [:bz] from comment #12) > > 2.25 + * whether the channel should be openend or should be blocked consulting > > "opened"? Indeed, will get that updated. Thanks for pointing it out.
Flags: needinfo?(mozilla)
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•