Closed
Bug 1431539
Opened 6 years ago
Closed 6 years ago
:-moz-any breaks the :visited invariants.
Categories
(Core :: CSS Parsing and Computation, enhancement)
RESOLVED
FIXED
mozilla60
 | Tracking | Status |
---|---|---|
firefox60 | --- | fixed |
People
(Reporter: emilio, Assigned: emilio)
Attachments
(2 files, 1 obsolete file)
347 bytes, text/html
3.53 KB, patch (dholbert: review+)
The way it's implemented in stylo allows for :-moz-any selectors to the left of a non-link element to affect its style. Filing as sec-sensitive just in case, though I think it isn't a security issue.
Updated•6 years ago (Assignee)
Assignee: nobody → emilio
Comment 1•6 years ago (Assignee)
Comment 2•6 years ago (Assignee)
(The element should be green, it's red on stylo)
Attachment #8943777 - Attachment is obsolete: true
Comment 3•6 years ago (Assignee)
Fix @ https://github.com/servo/servo/pull/19817
Updated•6 years ago
Attachment #8943779 - Attachment mime type: text/plain → text/html
Comment 4•6 years ago
Looks like it isn't leaking the computed value to content script, so it's probably not a security issue. If it does leak that, it may be a sec-moderate bug, though.
Comment 5•6 years ago (Assignee)
(In reply to Xidorn Quan [:xidorn] UTC+10 (PTO Jan 19 ~ 29) from comment #4)
> Looks like it isn't leaking the computed value to content script, so it's
> probably not a security issue.
>
> If it does leak that, it may be a sec-moderate bug, though.

Yeah it does not. Indeed the only way to cause this failure is with nested links, which triggers effectively the construction of a visited and unvisited style down the tree. This is only the :visited style of an element getting affected by a + combinator, which breaks the model of the "closest relevant link", but I don't think it has any kind of implication, you still match both as visited and unvisited on both so you wouldn't be able to construct a timing attack either.
Comment 6•6 years ago (Assignee)
Attachment #8944362 - Flags: review?(dholbert)
Comment 7•6 years ago
Comment on attachment 8944362
Tests

Review of attachment 8944362:
-----------------------------------------------------------------
LGTM!
Attachment #8944362 - Flags: review?(dholbert) → review+
Comment 8•6 years ago (Assignee)
I'm pretty sure this is not a security issue at this point, but I can't remove the flag :)
Updated•6 years ago
Group: core-security
Comment 9•6 years ago
Backed out changeset de52bf2201a6 (bug 1431539) for mochitest failures on layout/style/test/test_visited_reftests.html on a CLOSED TREE
Backout link: https://hg.mozilla.org/integration/autoland/rev/7d6828a38971e2c0925ce89e5f906a47db06bb2b
Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=de52bf2201a6992df26d0e7c7c1223266bcda4f9
Log link: https://treeherder.mozilla.org/logviewer.html#?job_id=157777143&repo=autoland&lineNumber=16747
Flags: needinfo?(emilio)
Comment 10•6 years ago (Assignee)
Well, I tested the test failed without the patch, but not that it passed with it, whoops. Apparently visited-page.html isn't visited on the references, I'll just adapt the test-case a bit.
Comment 11•6 years ago
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/2bd97ba1cb81
Tests. r=dholbert
Updated•6 years ago (Assignee)
Flags: needinfo?(emilio)
Comment 12•6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/2bd97ba1cb81
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox60: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla60