Closed Bug 1267509 Opened 8 years ago Closed 8 years ago

Make nsContentSecurityManager::IsURIPotentiallyTrustworthy act on an nsIPrincipal

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla49
Tracking Flags:
Tracking Status
firefox49 --- fixed

People

(Reporter: jwatt, Assigned: jwatt)

References

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file, 1 obsolete file)

patch
11.58 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review 
nsContentSecurityManager::IsURIPotentiallyTrustworthy is supposed to be implementing:

https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

nsContentSecurityManager::IsURIPotentiallyTrustworthy operates on a URI though, whereas the spec algorithm works on an origin. Working on a URI means that IsURIPotentiallyTrustworthy does not handle blob: URIs correctly as defined here:

https://url.spec.whatwg.org/#concept-url-origin
> Working on a URI means that IsURIPotentiallyTrustworthy does not
> handle blob: URIs correctly

Or more correctly, the code that calls it typically is not.
Attached patch patch (obsolete) — Splinter Review 

        Attachment #8745316 -
        Flags: review?(bzbarsky)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  

        Attachment #8745316 -
        Attachment is obsolete: true

        Attachment #8745316 -
        Flags: review?(bzbarsky)

        Attachment #8745329 -
        Flags: review?(bzbarsky)
Whiteboard: [domsecurity-active]

    
    

    
  
Comment on attachment 8745329 [details] [diff] [review]
patch

The IDL comments need to stop mentioning "URI", right?

I guess this works because getCodebasePrincipal will actually extract the principal inside the blob: URI... OK.  And I guess we can't add an assertion in nsContentSecurityManager::IsOriginPotentiallyTrustworthy that the scheme is never "blob" because someone could mess with a non-blob URI to give it that scheme.  :(

r=me

        Attachment #8745329 -
        Flags: review?(bzbarsky) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/915ddad13087
Status: NEW → RESOLVED
Closed: 8 years ago

          status-firefox49:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Target Milestone: mozilla48 → mozilla49
Depends on: 1269491

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: