Some of our inputs use anonymous content, particularly input type=text and input type=file. It is a Bad Thing when users access this stuff. We should put a check in the JS wrapper / classinfo code that prevents creation of a wrapper if:
(1) the content is anonymous (this could be a bit in mFlags for efficient checking)
(2) the content is non-XBL (we think bindingParent will tell us this -- need to ensure that bindingParent is null in the case of anonymous children of an input type=file that is itself an anonymous child of XBL)
(3) web content is accessing it
This preemptively strikes a whole class of input type=file exploits and prevents users from meddling where they aren't wanted. Chrome could create a JS wrapper and hand it to web content, but that is a less likely situation (at least in the current world).
Also, when this gets fixed we should get rid of the fix for bug 163598 since it will be redundant.
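The three-part check proposed above, as an added illustration (not code from this bug or from Mozilla). It is a simplified model: the node shape, the `FLAG_ANONYMOUS` bit standing in for a bit in mFlags, and the `"chrome"`/`"content"` accessor labels are assumptions, and the constructed sample tree includes the nested-anonymous edge case the comment mentions.

```javascript
// Simplified model of the proposed wrapper-creation check (added example;
// not Mozilla code). Node shape, flag name and accessor labels are assumptions.
const FLAG_ANONYMOUS = 1 << 0; // hypothetical bit in mFlags marking anonymous content

function makeNode(name, { anonymous = false, bindingParent = null } = {}) {
  return { name, mFlags: anonymous ? FLAG_ANONYMOUS : 0, bindingParent };
}

// Returns true when a JS wrapper may be created for `node` on behalf of `accessor`.
// Wrapper creation is refused only when all three conditions hold:
//  (1) the content is anonymous,
//  (2) it is not XBL anonymous content (modelled as bindingParent === null),
//  (3) the accessor is web content rather than chrome.
function mayCreateWrapper(node, accessor) {
  const isAnonymous = (node.mFlags & FLAG_ANONYMOUS) !== 0;
  const isXblAnonymous = node.bindingParent !== null;
  const isWebContent = accessor === "content";
  return !(isAnonymous && !isXblAnonymous && isWebContent);
}

// Constructed sample tree.
// An ordinary <input type="file"> owns anonymous text and button children (non-XBL).
const fileInput = makeNode("input[type=file]");
const fileText = makeNode("anon-text", { anonymous: true });
const fileButton = makeNode("anon-button", { anonymous: true });

// XBL anonymous content is bound to a binding parent and stays reachable to content.
const xblHost = makeNode("xbl-host");
const xblChild = makeNode("xbl-anon", { anonymous: true, bindingParent: xblHost });

// Edge case from the proposal: an input type=file that is itself XBL anonymous
// content. Its own anonymous children must still carry a null bindingParent,
// otherwise they would be mistaken for XBL content and exposed.
const nestedFileInput = makeNode("input[type=file]", { anonymous: true, bindingParent: xblHost });
const nestedFileText = makeNode("anon-text", { anonymous: true, bindingParent: null });
```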
Status: NEW → ASSIGNED
Depends on: 163598
Since this alludes to what the fix is for 163598 (and thus makes guessing the security bug easier), marking this security sensitive to be on the safe side.
We went with this solution for bug 164086. *** This bug has been marked as a duplicate of 164086 ***
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → DUPLICATE