Closed Bug 1388606 Opened 7 years ago Closed 7 years ago

data:font same-origin-check test case is not written correctly

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla57

Tracking Flags:

Tracking

Status

firefox57

---

fixed

People

(Reporter: hchang, Assigned: hchang)

References

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

Bug 1388606 - Test case for ensuring data:font is treated same-origin. 7 years ago Henry Chang [:hchang] 59 bytes, text/x-review-board-request	ckerschb : review+	Details

Henry Chang [:hchang]

Assignee

Description

•

7 years ago

Current data:font same-origin check relies on accessing document.fonts.size [1] but I don't see any restriction on that. See my test page below:

http://elefant.github.io/data-uri/font.html

The correct way to test it should be something like cross-domain @font-face in css.

[1] http://searchfox.org/mozilla-central/rev/0f16d437cce97733c6678d29982a6bcad49f817b/dom/base/test/test_data_uri.html#88

Henry Chang [:hchang]

Assignee

Updated

•

7 years ago

Assignee: nobody → hchang

Henry Chang [:hchang]

Assignee

Updated

•

7 years ago

Blocks: 1365145

Henry Chang [:hchang]

Assignee

Comment 1

•

7 years ago

http://searchfox.org/mozilla-central/rev/0f16d437cce97733c6678d29982a6bcad49f817b/dom/base/nsDocument.cpp#13187
http://searchfox.org/mozilla-central/source/layout/style/FontFaceSet.cpp#575

Our implementation also doesn't seem to enforce principal restriction on that.

Henry Chang [:hchang]

Assignee

Updated

•

7 years ago

Status: NEW → ASSIGNED

Henry Chang [:hchang]

Assignee

Updated

•

7 years ago

Summary: data:font same origin check is not done correctly → data:font same-origin-check test case is not written correctly

Ethan Tseng [:ethan]

Updated

•

7 years ago

Priority: -- → P2

Whiteboard: [domsecurity-active]

Comment hidden (mozreview-request)

We try to load a data:font and apply to some text in the test case. In case
data:font is treated different origin, the font will not load and the
test would fail.

Review commit: https://reviewboard.mozilla.org/r/166466/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/166466/

Comment hidden (mozreview-request)

Comment on attachment 8895279 [details]
Bug 1388606 - Test case for ensuring data:font is treated same-origin.

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/166466/diff/1-2/

Henry Chang [:hchang]

Assignee

Updated

•

7 years ago

Attachment #8895279 - Flags: review?(ckerschb)

Christoph Kerschbaumer [:ckerschb]

Comment 4

•

7 years ago

mozreview-review

Comment on attachment 8895279 [details]
Bug 1388606 - Test case for ensuring data:font is treated same-origin.

https://reviewboard.mozilla.org/r/166466/#review171618

looks good to me, thanks. r=ckerschb

Attachment #8895279 - Flags: review?(ckerschb) → review+

Pulsebot

Comment 5

•

7 years ago

Pushed by hchang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5bf5f9a8b4a7
Test case for ensuring data:font is treated same-origin. r=ckerschb

Ryan VanderMeulen [:RyanVM]

Comment 6

•

7 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/5bf5f9a8b4a7

Status: ASSIGNED → RESOLVED

Closed: 7 years ago

status-firefox57: --- → fixed

Flags: in-testsuite+

Resolution: --- → FIXED

Target Milestone: --- → mozilla57

Henry Chang [:hchang]

Assignee

Updated

•

7 years ago

Bugzilla

Quick Search

data:font same-origin-check test case is not written correctly

Categories

(Core :: DOM: Security, defect, P2)

Tracking

()

People

(Reporter: hchang, Assigned: hchang)

References

Details

(Whiteboard: [domsecurity-active])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Updated

Comment 1

Updated

Updated

Updated

Comment 2

Comment 3

Updated

Comment 4

Comment 5

Comment 6

Updated

Attachment

General

Description

File Name

Content Type