Review GetGlobalObject calls

Status: VERIFIED FIXED
Target Milestone: Future

Product: Core
Component: Security
Priority: P3
Severity: normal
Reported: 19 years ago
Last modified: 17 years ago

People

Reporter: joro
Assignee: Mitchell Stoltz (not reading bugmail)

Tracking

Version: Trunk
Hardware: x86
OS: Windows 95
Firefox Tracking Flags: (Not tracked)
Description

19 years ago
There is a "feature" in Mozilla 5.0 build 1999090408 (and earlier builds) which
does not allow access from scripts to documents in the SAME domain (and
directory).
I think that this is "oversecured" and is a bug.

The code is: (in the domain www.nat.bg)

a=window.open("http://www.nat.bg/~joro/mozilla/links.html");
setTimeout("alert(a.document.links[0]);",4000);


The script gives the error:

JavaScript error: access disallowed from scripts at .... to documents at another
domain

Demonstration is available at:
http://www.nat.bg/~joro/mozilla/oversec.html

Updated

19 years ago
Status: NEW → ASSIGNED

Comment 1

19 years ago
This isn't occurring for me with a build I built this morning. Could you retry
the next time you get a build?

Updated

19 years ago
Target Milestone: M11

Updated

19 years ago
Blocks: 12633
(Reporter)

Comment 2

19 years ago
Unfortunately I could not verify this with the build from 7 September - it
crashes at starting.
Shall try with a newer build.
(Reporter)

Comment 3

19 years ago
Checked with build 1999090808.
The problem persists and gives the same JavaScript error.

Comment 4

19 years ago
It fails for me now. Thanks for retrying.

Updated

19 years ago
Whiteboard: help wanted: joki or vidur

Updated

19 years ago
Assignee: norris → vidur
Status: ASSIGNED → NEW
Whiteboard: help wanted: joki or vidur

Comment 5

19 years ago
I'll reassign this to you while you work on the document part of the fix.

Updated

19 years ago
Assignee: vidur → norris

Comment 6

19 years ago
Checked in the document fix (document was incorrectly being parented by the
global object of the calling context, not the containing context). The other
places that need to be similarly fixed are included in
the list generated by http://lxr.mozilla.org/seamonkey/ident?i=GetGlobalObject.

Updated

19 years ago
Status: NEW → ASSIGNED
Target Milestone: M11 → M14

Updated

19 years ago
No longer blocks: 12633

Comment 7

19 years ago
We can fix the other places after beta.

Comment 8

19 years ago
Vidur fixed nsHTMLDocument::GetScriptObject

Comment 9

19 years ago
Fixed the use of GetGlobalObject for the location object.

Comment 10

18 years ago
<!--/*
Simple script to reproduce in 1999121712:
*/-->
<HTML>
<HEAD>
<TITLE>Security Test</TITLE>
<SCRIPT>
function newWin(){
    var kWn=open("blank.htm","winName","width=*,height=*");
    //Following statement does not execute:
    alert("kWn.document.URL="+kWn.document.URL);
}//End newWin(..)
</SCRIPT>
</HEAD>
<BODY>
<FORM>
<INPUT type="button" value="Test Security" onClick="newWin()">
</FORM>
</BODY>
</HTML>
<!--/*
browser.startup.page = 1
startpage = http://127.0.0.1/newWindow/index.htm
failed to set the page title.
Document http://127.0.0.1/newWindow/index.htm loaded successfully
Document: Done (0.66 secs)
WEBSHELL+ = 4
JavaScript Error: ReferenceError: Shutdown is not defined

nsXULKeyListenerImpl::Init()
WEBSHELL+ = 5
Setting content window
browser.startup.page = 1
startpage = http://127.0.0.1/newWindow/index.htm
JavaScript Error: access disallowed from scripts at [Codebase http://127.0.0.1/newWindow/index.htm] to documents at another domain
URL: http://127.0.0.1/newWindow/index.htm
LineNo: 8

JavaScript Error: uncaught exception: [Exception... "Security error"  code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)"  location: "http://127.0.0.1/newWindow/index.htm Line: 8"]

Document http://127.0.0.1/newWindow/blank.htm loaded successfully
Document: Done (0.44 secs)
*/-->

Comment 11

18 years ago
See comments on bug 14916, looks like this bug may be fixed?

Updated

18 years ago
Summary: Mozilla is "oversecured" and does not allow access to documents in the same domain → Review GetGlobalObject calls

Comment 12

18 years ago
The test case from bht@actrix.gen.nz no longer fails.

The bug is still open pending the review of GetGlobalObject calls. I'm changing
the title to reflect that.

Updated

18 years ago
Target Milestone: M14 → M15

Comment 13

18 years ago
Push security review tasks off until M16.
Target Milestone: M15 → M16

Comment 14

18 years ago
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General

Updated

18 years ago
Target Milestone: M16 → M18

Comment 15

18 years ago
Changing Qa contact to myself.
QA Contact: dshea → junruh
(Assignee)

Comment 16

18 years ago
Bulk reassigning most of norris's bugs to mstoltz.
Assignee: norris → mstoltz
Status: ASSIGNED → NEW
(Assignee)

Comment 17

18 years ago
Security reviews and denial-of-service attacks. These will be addressed in the 
post-beta2 timeframe (unless someone's interested in tackling them earlier?)
Status: NEW → ASSIGNED

Comment 18

18 years ago
Assigning QA to czhang
QA Contact: junruh → czhang
(Assignee)

Comment 19

18 years ago
Future.
Target Milestone: M18 → Future

Updated

17 years ago
QA Contact: czhang → junruh

Comment 20

17 years ago
Mass changing QA to ckritzer.
QA Contact: junruh → ckritzer
(Assignee)

Comment 21

17 years ago
> Checked in the document fix (document was incorrectly being parented by the
> global object of the calling context, not the containing context). The other
> places that need to be similarly fixed are included in
> the list generated by http://lxr.mozilla.org/seamonkey/ident?i=GetGlobalObject.

Old bug. My guess is that this is no longer a problem, but I wanted to run it by
you guys. cc'ing vidur and jst. Are we still using the wrong parent object anywhere?
I didn't look through all the callers of GetGlobalObject, but if there's a
problem somewhere I would think that people would be complaining, and I don't
see people complaining so I say close this one, unless someone is interested in
reviewing all the callers...
(Assignee)

Comment 23

17 years ago
I think we're probably OK. 
Status: ASSIGNED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED

Comment 24

17 years ago
Verified on
build: 2001-09-13-0.9.4
platform: Win NT

Following tests passed:
1. http://www.nat.bg/~joro/mozilla/oversec.html
For above link, 2 link buttons appears. Link1 opens the about:blank window. This
is the correct behavior. Link2 is for opening the about:cache window, which
should not be allowed. And the window is not opened as expected. Also, an error
is written in the JS console: "The link to about:cache was blocked by the
security manager.
Remote content may not link to local content."
2. The test script attached also works as expected. An alert dialog is opened as
expected.
Status: RESOLVED → VERIFIED
Depends on: 137199
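
The access decision that the description, comment 10 and the verification in comment 24 exercise, written out as an added example in JavaScript. This is not code from the bug or from Mozilla's script security manager; it is a string-level model of the same-origin comparison. The names checkAccess, describeOrigin, LOCAL_SCHEMES and DEFAULT_PORT are assumptions, the list of local schemes beyond about: is assumed, and the host evil.example is constructed. The URLs in the run cases are the ones quoted in this bug.

```javascript
// Added example (not Mozilla code): a model of the check made when a script in
// one window touches a document in another, e.g. the opener reading
// a.document.links after window.open(). Names below are assumptions.
//
// Two inputs matter:
//   subjectUrl - codebase of the running script (the calling context)
//   objectUrl  - URL of the document being touched, taken from the window
//                that CONTAINS that document (the containing context).
// Parenting the document by the caller's global, the defect comment 6 fixed,
// amounts to deriving the object from the wrong window; the two origins must
// come from different places for the comparison to mean anything.

// Schemes treated as local (privileged) content. about: is the one the bug's
// test page exercises (about:cache); the others are assumed here.
const LOCAL_SCHEMES = new Set(["about", "chrome", "resource", "file"]);

// Default ports fold away so http://h:80/ and http://h/ compare equal.
const DEFAULT_PORT = { http: "80", https: "443" };

// Resolve a (possibly relative) URL against base and reduce it to an origin
// triple plus a "local content" flag.
function describeOrigin(url, base) {
  const u = new URL(url, base);
  const scheme = u.protocol.replace(/:$/, "");
  const local = LOCAL_SCHEMES.has(scheme);
  return {
    scheme,
    host: local ? null : u.hostname,
    port: local ? null : (u.port || DEFAULT_PORT[scheme] || null),
    local,
    href: u.href,
  };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Decide whether script at subjectUrl may touch the document at objectUrl.
// The reasons reuse the wording of the two console errors quoted in this bug.
function checkAccess(subjectUrl, objectUrl) {
  const subject = describeOrigin(subjectUrl);
  // about:blank has no codebase of its own; a window opened on it inherits
  // the opener's origin, which is why oversec.html's first link is allowed.
  const object = objectUrl === "about:blank"
    ? subject
    : describeOrigin(objectUrl, subjectUrl);

  if (!subject.local && object.local) {
    return {
      allowed: false,
      reason: `The link to ${object.href} was blocked by the security manager. ` +
              "Remote content may not link to local content.",
    };
  }
  if (subject.local) {
    return { allowed: true, reason: "local (privileged) subject" };
  }
  if (sameOrigin(subject, object)) {
    return { allowed: true, reason: "same origin" };
  }
  return {
    allowed: false,
    reason: `access disallowed from scripts at [Codebase ${subject.href}] ` +
            "to documents at another domain",
  };
}

// The cases this bug discusses, plus one constructed cross-domain case.
function runCases() {
  const cases = [
    ["http://www.nat.bg/~joro/mozilla/oversec.html", "http://www.nat.bg/~joro/mozilla/links.html"],
    ["http://127.0.0.1/newWindow/index.htm", "blank.htm"],
    ["http://www.nat.bg/~joro/mozilla/oversec.html", "about:blank"],
    ["http://www.nat.bg/~joro/mozilla/oversec.html", "about:cache"],
    ["http://www.nat.bg/~joro/mozilla/oversec.html", "http://evil.example/"], // constructed
  ];
  return cases.map(([s, o]) => ({ subject: s, object: o, ...checkAccess(s, o) }));
}

for (const r of runCases()) {
  console.log(`${r.allowed ? "ALLOW" : "DENY "} ${r.subject} -> ${r.object}: ${r.reason}`);
}
```

The decision deliberately compares scheme, host and port only; path and directory play no part, which is the point the reporter was making about "the SAME domain (and directory)" being refused.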