Closed Bug 1582911 Opened 5 years ago Closed 5 years ago

[LenientThis] behavior does not match spec and other browsers for security error cases

Categories

(Core :: DOM: Bindings (WebIDL), defect, P3)

Tracking

VERIFIED FIXED
mozilla71
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix
firefox71 --- verified
firefox108 --- verified

People

(Reporter: bzbarsky, Assigned: bzbarsky)

Details

(Keywords: sec-other, Whiteboard: [post-critsmash-triage][adv-main71-][adv-main108-])

Attachments

(2 files)

Consider this testcase:

<iframe src="https://example.com"></iframe>
<hr>
<pre><script>
    onload = function() {
      var desc = Object.getOwnPropertyDescriptor(window, "onmouseenter");
      desc.get.call(frames[0]);
    }
</script>

Per spec, this should throw an exception, because in https://heycam.github.io/webidl/#dfn-attribute-getter step 1.1.2.2, which does the security check, comes before step 1.1.2.3, which does the checking for [LenientThis]. In our code the two steps are sort of combined.

Oh, and both Safari and Chrome do throw on that testcase.
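
Added illustration (not part of the bug comments and not Gecko code): a simplified JavaScript model of the getter step ordering described above, showing why running the security check before the [LenientThis] check turns a silent undefined into an exception. The "combined" variant is an assumed reading of "the two steps are sort of combined"; all object shapes, the caller origin and the function names are constructed for the example.

```javascript
// Simplified model of the Web IDL attribute-getter steps cited in the report.
// Hypothetical names throughout; this is not browser source code.
class SecurityError extends Error {}

const CALLER_ORIGIN = "https://a.test"; // constructed origin of the calling page

// Constructed stand-ins for the possible |this| values.
const sameOrigin  = { isPlatformObject: true, iface: "Window", origin: CALLER_ORIGIN, onmouseenter: null };
const crossOrigin = { isPlatformObject: true, iface: "Window", origin: "https://example.com", onmouseenter: null };
const plainObject = { isPlatformObject: false };

function securityCheck(obj) {
  if (obj.origin !== CALLER_ORIGIN) throw new SecurityError("cross-origin access denied");
}

function implementsInterface(obj, iface) {
  return obj.isPlatformObject === true && obj.iface === iface;
}

// Spec order: the security check (step 1.1.2.2) runs first, then the
// [LenientThis] check (step 1.1.2.3) handles "wrong kind of object".
function getterSpecOrder(thisValue, attr) {
  if (thisValue.isPlatformObject) securityCheck(thisValue);
  if (!implementsInterface(thisValue, "Window")) return undefined; // [LenientThis]
  return thisValue[attr];
}

// Combined check (assumed model of the old behavior): an object the caller
// may not access is handled like one that does not implement the interface,
// so [LenientThis] swallows the failure and no exception is thrown.
function getterCombined(thisValue, attr) {
  const usable = implementsInterface(thisValue, "Window") &&
                 thisValue.origin === CALLER_ORIGIN;
  if (!usable) return undefined; // [LenientThis]
  return thisValue[attr];
}

// Report either the returned value or the exception type as a string.
function outcome(getter, thisValue) {
  try {
    return String(getter(thisValue, "onmouseenter"));
  } catch (e) {
    return e.constructor.name;
  }
}

for (const [name, obj] of Object.entries({ sameOrigin, crossOrigin, plainObject })) {
  console.log(name, "spec:", outcome(getterSpecOrder, obj), "combined:", outcome(getterCombined, obj));
}
```

Only the cross-origin row differs between the two orderings, which is the case the testcase in the description exercises.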

Group: dom-core-security
Depends on: CVE-2019-11762

I closed this because I realized this testcase is too close to the one for bug 1582857. We will want to land that first, then this one...

Keywords: sec-other

Given that we already landed bug 1582857, landing this is not a problem.

Is this something we're going to want to uplift alongside bug 1582857 or can this ride Fx71 to release?

Flags: needinfo?(bzbarsky)

I think this can just ride the trains. It's a riskier change, too, since it changes what exceptions we throw in common cases not just the weird edge case bug 1582857 affects...

Flags: needinfo?(bzbarsky)
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main71-]

Hello Boris, will I need a debug build in order to reproduce this issue? After saving the test case from the description as HTML and loading it in Firefox, will I be able to see the exception in Browser Toolbox? Or Dev Tools Console? Or in CMD / Terminal? What are the steps I can use to reproduce this issue in older builds?

Flags: needinfo?(bzbarsky)

Steps to reproduce are to save the testcase as HTML, open the devtools console, and load the HTML. There should be an exception (and is one on current builds). Old builds will not have an exception.

Flags: needinfo?(bzbarsky)
Group: core-security-release

Verified as fixed in our latest builds; we are seeing the exception in the devtools console.

Status: RESOLVED → VERIFIED
Whiteboard: [post-critsmash-triage][adv-main71-] → [post-critsmash-triage][adv-main71-][adv-main108-]