Closed
Bug 1232430
Opened 9 years ago
Closed 8 years ago
[tracking bug] Convert JS callsites to use asyncOpen2 within dom/
Categories
(Core :: DOM: Security, defect)
Core
DOM: Security
Tracking
()
RESOLVED
FIXED
People
(Reporter: ckerschb, Unassigned)
References
Details
(Keywords: meta, Whiteboard: [domsecurity-meta])
Attachments
(1 obsolete file)
No description provided.
Reporter | ||
Updated•9 years ago
|
Reporter | ||
Updated•9 years ago
|
Summary: Convert JS callsites to use asyncOpen2 within dom/ (r=sicking) → Convert JS callsites to use asyncOpen2 within dom/
Reporter | ||
Comment 1•9 years ago
|
||
We are about to convert all callsites of asyncOpen() to use asyncOpen2() which then performs security checks within asyncOpen2 - but before I do have quite so many questions: @Jonas: Within dom/media/IdpSandbox.jsm we use systemPrincipal as the triggeringPrincipal even though we have a loadingPrincipal. That doesn't quite make sense to me. On the other hand I don't fully understand what that code is doing so I am also not sure if SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS is the right securityFlag, probably SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL is more appropriate. @Dragana: Within dom/push/PushServiceHttp2.jsm, we use the channel as aContext as the second argument for asyncOpen(). Is there a better way to eliminate that second argument or should we just have some little helper 'mediator'-object that basically chains the listener and forwards the calls as we have done for other callsites? @Aus: Within dom/browser-element/BrowserElementParent.js we might end up with a 'null' loadingPrincipal which is not allowed when calling asyncOpen2(). What is that code doing exactly? We need to find a fallback principal. Once we know what the code is doing in particular we can find the right fallbackPrincipal as well as securityFlag. Thanks everyone for your input and help!
Flags: needinfo?(jonas)
Flags: needinfo?(dd.mozilla)
Flags: needinfo?(aus)
Sorry, I don't know what IdpSandbox.jsm does. Might be worth breaking this bug up into several bugs though... Generally speaking we should have one "problem" per bug.
Flags: needinfo?(jonas)
Comment 3•9 years ago
|
||
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #1) > Created attachment 8698316 [details] [diff] [review] > bug_1232430_asyncopen2_dom.patch > > We are about to convert all callsites of asyncOpen() to use asyncOpen2() > which then performs security checks within asyncOpen2 - but before I do have > quite so many questions: > > @Dragana: Within dom/push/PushServiceHttp2.jsm, we use the channel as > aContext as the second argument for asyncOpen(). Is there a better way to > eliminate that second argument or should we just have some little helper > 'mediator'-object that basically chains the listener and forwards the calls > as we have done for other callsites? > It should be working if you set context to null. This has left from an old version, I just forgot to change it.
Flags: needinfo?(dd.mozilla)
Comment 4•9 years ago
|
||
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #1) > Created attachment 8698316 [details] [diff] [review] > bug_1232430_asyncopen2_dom.patch > > @Aus: Within dom/browser-element/BrowserElementParent.js we might end up > with a 'null' loadingPrincipal which is not allowed when calling > asyncOpen2(). What is that code doing exactly? We need to find a fallback > principal. Once we know what the code is doing in particular we can find the > right fallbackPrincipal as well as securityFlag. > > Thanks everyone for your input and help! The goal of grabbing the loadingPrincipal is to have access to the correct cookie jar and other session related information so that you can download content properly because, often, sites require sign-in which is verified via session data. Hope that clarifies things. :)
Flags: needinfo?(aus)
Reporter | ||
Comment 5•9 years ago
|
||
Comment on attachment 8698316 [details] [diff] [review] bug_1232430_asyncopen2_dom.patch Splitting this bug up into individual sub-bugs. Keeping this bug around as a tracking bug though.
Attachment #8698316 -
Attachment is obsolete: true
Reporter | ||
Updated•8 years ago
|
Summary: Convert JS callsites to use asyncOpen2 within dom/ → [tracking bug] Convert JS callsites to use asyncOpen2 within dom/
Reporter | ||
Comment 6•8 years ago
|
||
By now we are almost done with converting those callsites - unassigning myself from the tracking bug.
Assignee: mozilla → nobody
Status: ASSIGNED → NEW
Reporter | ||
Comment 7•8 years ago
|
||
All of blocking bugs have been resolved - time to close this one - hurray!
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•