Test case to ensure data:stylesheet to be considered same origin

RESOLVED FIXED in Firefox 57

Status

()

Core
DOM: Security
RESOLVED FIXED
11 months ago
11 months ago

People

(Reporter: hchang, Assigned: hchang)

Tracking

(Blocks: 1 bug)

unspecified
mozilla57
Points:
---

Firefox Tracking Flags

(firefox57 fixed)

Details

Attachments

(1 attachment)

(Assignee)

Description

11 months ago
The current test case to check if data:stylesheet is considered same origin [1] is wrong. CSS can be loaded from whatever domain.

One of the cases where CSS origin matters is accessing document.styleSheets[0].cssRules [2]. This bug is to correct the existing test.


[1] http://searchfox.org/mozilla-central/rev/b52285fffc13f36eca6b47de735d4e4403b3859e/dom/base/test/test_data_uri.html#123
[2] http://searchfox.org/mozilla-central/rev/b52285fffc13f36eca6b47de735d4e4403b3859e/layout/style/StyleSheet.cpp#720
(Assignee)

Updated

11 months ago
Blocks: 1365145
Comment hidden (mozreview-request)
(Assignee)

Updated

11 months ago
Assignee: nobody → hchang
Status: NEW → ASSIGNED
Comment hidden (mozreview-request)
(Assignee)

Updated

11 months ago
Attachment #8894441 - Flags: review?(ckerschb)
Comment on attachment 8894441 [details]
Bug 1387983 - Fix test case for data:stylesheet same origin check.

That looks correct to me, but I am not a dom/ peer, hence I think it makes sense to have smaug sign off on it.
Attachment #8894441 - Flags: review?(ckerschb)
Attachment #8894441 - Flags: review?(bugs)
Attachment #8894441 - Flags: feedback+
(Assignee)

Comment 4

11 months ago
My test page:

https://elefant.github.io/data-uri/css.html

== What Firefox would print ==

haha:data:text/css,.green-text{color:rgb(0,%20255,%200)};
haha:[object CSSRuleList]

haha:https://www.w3schools.com/Tags/styles.css
SecurityError: The operation is insecure.

haha:https://elefant.github.io/data-uri/styles.css
haha:[object CSSRuleList]

Chrome and Safari don't seem to throw an exception but just return null.

p.s. Chrome and Safari will only load data:stylesheet in secure context.

Comment 5

11 months ago
mozreview-review
Comment on attachment 8894441 [details]
Bug 1387983 - Fix test case for data:stylesheet same origin check.

https://reviewboard.mozilla.org/r/165620/#review170790

This is less about DOM, but CSSOM. I think dbaron or someone should review.
Could you link to the relevant spec where this behavior is defined?
Attachment #8894441 - Flags: review?(bugs)
(Assignee)

Comment 6

11 months ago
IIRC Yoshi has pasted the spec regarding 'data:stylesheet' same origin property
somewhere (I am looking for it right now or Yoshi can point that out, too).

As for the security check for 'document.styleSheets.cssRules':

Described in

https://www.w3.org/TR/2016/WD-cssom-1-20160317/#the-cssstylesheet-interface

"The ownerRule attribute must return the owner CSS rule. If a value other than null is ever returned, then that same value must always be returned on each get access.

The cssRules attribute must follow these steps:

If the origin-clean flag is unset, throw a SecurityError exception.
Return a read-only, live CSSRuleList object representing the CSS rules."


[1] http://searchfox.org/mozilla-central/rev/b52285fffc13f36eca6b47de735d4e4403b3859e/layout/style/StyleSheet.cpp#720
Flags: needinfo?(allstars.chh)
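
Added example, not part of the bug's patch or of any commenter's code: a probe for the cssRules check quoted in comment 6 that also distinguishes the three outcomes reported in comment 4 (rules returned, SecurityError thrown, null returned). The function names are hypothetical, the sheets are constructed stand-ins that reuse the URLs from comment 4, and the origin-clean model is a simplification that ignores CORS-approved cross-origin loads.

```javascript
// Added example; function names are hypothetical. Assumption: origin-clean is modelled
// as "data: URL, inline sheet, or same origin"; CORS-approved loads are ignored.
function expectedOriginClean(documentUrl, sheetHref) {
  if (!sheetHref) return true; // inline <style> has no href
  const sheetUrl = new URL(sheetHref, documentUrl);
  if (sheetUrl.protocol === "data:") return true; // inherits the owner document's origin
  return sheetUrl.origin === new URL(documentUrl).origin;
}

// Read cssRules once and report which of the three behaviours occurred.
function probeCssRules(sheet) {
  try {
    return sheet.cssRules == null ? "blocked-null" : "readable";
  } catch (e) {
    if (e && e.name === "SecurityError") return "blocked-security-error";
    throw e; // anything else is an unrelated failure
  }
}

// Compare expectation with observation for every sheet of a document.
function auditSheets(documentUrl, sheets) {
  return Array.from(sheets, (sheet) => {
    const expected = expectedOriginClean(documentUrl, sheet.href);
    const outcome = probeCssRules(sheet);
    return { href: sheet.href, expected, outcome,
             consistent: expected === (outcome === "readable") };
  });
}

// Constructed stand-in for a CSSStyleSheet so the example runs outside a browser.
function fakeSheet(href, behaviour) {
  return {
    href,
    get cssRules() {
      if (behaviour === "throw") {
        throw Object.assign(new Error("The operation is insecure."), { name: "SecurityError" });
      }
      return behaviour === "null" ? null : [{ cssText: ".green-text { color: rgb(0, 255, 0); }" }];
    },
  };
}

const PAGE = "https://elefant.github.io/data-uri/css.html";
const SAMPLE = [ // constructed, mirroring the Firefox output in comment 4
  fakeSheet("data:text/css,.green-text{color:rgb(0,%20255,%200)};", "rules"),
  fakeSheet("https://www.w3schools.com/Tags/styles.css", "throw"),
  fakeSheet("https://elefant.github.io/data-uri/styles.css", "rules"),
];
const REPORT = auditSheets(PAGE, SAMPLE);
```

In a browser the same audit runs as auditSheets(location.href, document.styleSheets); an entry with consistent set to false marks a sheet whose readability differs from what the simplified model predicts.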
(Assignee)

Updated

11 months ago
Attachment #8894441 - Flags: review?(cam)
(Assignee)

Comment 7

11 months ago
Hi Cameron,

Could you help review the patch made for ensuring data:stylesheet has
the same origin as the owner document? You can refer to [1] to find the 
spec for the data:css same origin things.

As for the cssRules security check, you can find the spec in comment 6 or

https://www.w3.org/TR/2016/WD-cssom-1-20160317/#the-cssstylesheet-interface

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1373513#c13
Flags: needinfo?(allstars.chh)

Comment 8

11 months ago
mozreview-review
Comment on attachment 8894441 [details]
Bug 1387983 - Fix test case for data:stylesheet same origin check.

https://reviewboard.mozilla.org/r/165620/#review171042

Thanks, this change looks good to me.
Attachment #8894441 - Flags: review?(cam) → review+

Comment 9

11 months ago
Pushed by hchang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4923da1e6f62
Fix test case for data:stylesheet same origin check. r=heycam
(Assignee)

Comment 10

11 months ago
(In reply to Cameron McCormack (:heycam) from comment #8)
> Comment on attachment 8894441 [details]
> Bug 1387983 - Fix test case for data:stylesheet same origin check.
> 
> https://reviewboard.mozilla.org/r/165620/#review171042
> 
> Thanks, this change looks good to me.

Thanks Cameron! I'm so happy to get your first r+ :)

Comment 11

11 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/4923da1e6f62
Status: ASSIGNED → RESOLVED
Last Resolved: 11 months ago
status-firefox57: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57

Comment 12

11 months ago
Henry, thank you for fixing this so quickly!
And thank you, Cameron, for the prompt review.  :)
(Assignee)

Updated

11 months ago
See Also: → bug 1381744