Closed Bug 163950 Opened 22 years ago Closed 21 years ago

XMLHttpRequest.open gives access denied when document.domain is explicitly set in the calling page.

Categories

(Core :: XML, defect, P2)

Product:
Core
Component:
XML
Platform:
x86
Windows 2000
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.4final

People

(Reporter: emartind2, Assigned: security-bugs)

References

(
URL
)

Details

(Keywords: fixed1.4, Whiteboard: [DIGBug][fixed-trunk])

Attachments

(2 files)

(Part of?) xmlextras side of fix
4.02 KB, patch
security-bugs
: review+
Details | Diff | Splinter Review
Patch
3.03 KB, patch
jst
: review+
hjtoi-bugzilla
: superreview+
jesup
: approval1.4+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020724 Netscape/7.0

If I'm hitting a webserver at http://a.foo.bar.com and I set document.domain 
= 'foo.bar.com' within my page, I then cannot call XMLHttpRequest.open
('POST','/dummy.html',true). I get an access denied error.

Given that the url I am trying to request is a relative url, this seems like 
the browser should know that I'm not going to some other domain. It works fine 
with IE, as well as with Netscape 6.2.

Reproducible: Always

Steps to Reproduce:
1. See the bug details.
2.
3.




Dig Bug.
I was wrong when I said this worked with Netscape 6.2 I was mislead because it 
doesn't actually throw an exception, but the request does not go to the server. 
I'm using a relative url, so it seems, after playing around with it, that the 
browser is using the domain as the server name, so in effect resolving the 
server location incorrectly.
Whiteboard: DIGBug
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: nsbeta1+
Priority: -- → P2
Target Milestone: --- → mozilla1.2alpha
Target Milestone: mozilla1.2alpha → mozilla1.2beta
Testcase in URL sets the document.domain to a shorter format, but then
XMLHttpRequest.open() fails because of security error. This is in
nsScriptSecurityManager::CheckSameOriginDOMProp() where the code notes that
subject has changed domain but object has not. This seems weird to me in this
case since we haven't yet even loaded the object, so there is no way it could
have set the domain . With XMLHttpRequest and document.load() it should not
check this, I think. Mitch, can you help me out here?
URL: http://green.nscp.aoltw.net/heikki/16...
I will need some help from Mitch to fix the CAPS side of things, but I also
realized I need to change the way XMLHttpRequest gets the base URL for the
connection. Currently it gets this from the principal of the page, but that is
affected by document.domain (so currently even if document.domain didn't fail
because of security any relative URLs would probably fail to load). I think
XMLHttpRequest should get the base URL of the document instead.
Target Milestone: mozilla1.2beta → mozilla1.3alpha
QA Contact: petersen → rakeshmishra
Target Milestone: mozilla1.3alpha → mozilla1.3beta
->mstoltz
Assignee: heikki → mstoltz
Comment on attachment 102085 [details] [diff] [review]
(Part of?) xmlextras side of fix

r=mstoltz on this patch. It solves part of the problem, but not all.
Attachment #102085 - Flags: review+
Clearing milestone for now.
Target Milestone: mozilla1.3beta → ---
The obvious way to fix this is to remove the requirement that both source and
target set document.domain, at least for this case. However, that will reopen
the DNS spoofing bug that was the reason we added that restriction. I don't see
any alternate solution for this bug, so we may have to think of alternate
solutions for the DNS problem.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.4final
Attached patch PatchSplinter Review 
This patch causes the security manager to ignore the requirement that both
source and target documents have set document.domain. It only applies to
XMLHTTPRequest.open, SOAP, and XMLDocument.load, the 3 places that call
CheckConnect. This patch will allow, for example, a script on a page at a.b.com
that has set document.domain to b.com to open an XMLRequest to
http://b.com/file.xml. It will *not* allow the same page to open a request to
http://a.b.com/file.xml. Is this sufficient?
I think it's ok for now. If more is needed later, we can open new bugs.
Comment on attachment 124004 [details] [diff] [review]
Patch

OK then, requesting reviews.
Attachment #124004 - Flags: superreview?(heikki)
Attachment #124004 - Flags: review?(jst)
Attachment #124004 - Flags: superreview?(heikki) → superreview+
Comment on attachment 124004 [details] [diff] [review]
Patch

r/sr=jst
Attachment #124004 - Flags: review?(jst) → review+
Comment on attachment 124004 [details] [diff] [review]
Patch

Seeking drivers approval for 1.4. This patch slightly relaxes the security
policy for XMLHTTPRequest to fix a regression in some Web apps. The risk is
low.
Attachment #124004 - Flags: approval1.4?
Checked in on trunk, will keep the bug open until we get it into 1.4
Comment on attachment 124004 [details] [diff] [review]
Patch

>@@ -724,7 +725,8 @@
>                     NS_ERROR("CheckPropertyAccessImpl called without a target object or URL");
>                     return NS_ERROR_FAILURE;
>                 }
>-                rv = CheckSameOriginDOMProp(subjectPrincipal, objectPrincipal, aAction);
>+                rv = CheckSameOriginDOMProp(subjectPrincipal, objectPrincipal,
>+                                            aAction, (PRBool)aTargetURI);
>                 break;
>             }
>         default:

Isn't aTargetURI a pointer?  You can't just cast to (PRBool) (which is to say,
to (int)), and get a valid boolean.  Best to use aTargetURI != nsnull here.

>@@ -849,7 +851,8 @@
> nsresult
> nsScriptSecurityManager::CheckSameOriginDOMProp(nsIPrincipal* aSubject,
>                                                 nsIPrincipal* aObject,
>-                                                PRUint32 aAction)
>+                                                PRUint32 aAction,
>+                                                PRBool aIsCheckConnect)
> {
>     nsresult rv;
>     /*
>@@ -867,6 +870,14 @@
>         // explicitly setting document.domain then the other must also have
>         // done so in order to be considered the same origin. This prevents
>         // DNS spoofing based on document.domain (154930)
>+
>+        // But this restriction does not apply to CheckConnect calls, since
>+        // that's called for data-only load checks like XMLHTTPRequest, where
>+        // the target document has not yet loaded and can't have set its domain
>+        // (bug 163950)
>+        if (aIsCheckConnect)
>+            return NS_OK;

Are we overloading a security manager interface inappropriately, to need this
flag?

/be
Brendan,
   On your first point, will do. On your second point, I don't believe so.
CheckSameOriginDOMProp is an internal function, not part of the interface.
If I understand comment #9 correctly this does not fix the original complaint
that we don't handle relative URLs the way IE does. (It's not clear, though,
whether the IE tested was the latest version with the same document.domain
spoofing fix we applied.)

Or does Mitch's patch get combined with Heikki's in order to get the proper
relative document base for relative URLs? I'd hate to partially reopen the
document.domain spoof and not actually solve the relative URL bug that's
breaking things.
The XMLExtras part was checked in long time ago as part of another bug.

However, the testcase in the URL still does not seem to work after Mitch's
patch. I thought it would...
My testcase works: http://warp.mcom.com/u/mstoltz/bugs/163950.html, which uses a
relative URL. I'm not sure what's wrong with your testcase, but I think it's
some other problem since I don't see a security error.

Correction: the testcase I mentioned is the same one. For some reason it works
from warp but not from green.
Whiteboard: DIGBug → [DIGBug][fixed-trunk]
Comment on attachment 124004 [details] [diff] [review]
Patch

Please add fixed1.4 after this is checked into the 1.4 branch
Attachment #124004 - Flags: approval1.4? → approval1.4+
a=adt to land on the 1.4 branch.
Fixed on the branch.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Keywords: fixed1.4
Resolution: --- → FIXED
This patch was checked in without addressing the first part of comment 15. This
causes building 64-bit Mozilla to fail (Bug 228095).
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: