Closed
Bug 163950
Opened 22 years ago
Closed 21 years ago
XMLHttpRequest.open gives access denied when document.domain is explicitly set in the calling page.
Categories
(Core :: XML, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla1.4final
People
(Reporter: emartind2, Assigned: security-bugs)
References
()
Details
(Keywords: fixed1.4, Whiteboard: [DIGBug][fixed-trunk])
Attachments
(2 files)
4.02 KB,
patch
|
security-bugs
:
review+
|
Details | Diff | Splinter Review |
3.03 KB,
patch
|
jst
:
review+
hjtoi-bugzilla
:
superreview+
jesup
:
approval1.4+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020724 Netscape/7.0 If I'm hitting a webserver at http://a.foo.bar.com and I set document.domain = 'foo.bar.com' within my page, I then cannot call XMLHttpRequest.open ('POST','/dummy.html',true). I get an access denied error. Given that the url I am trying to request is a relative url, this seems like the browser should know that I'm not going to some other domain. It works fine with IE, as well as with Netscape 6.2. Reproducible: Always Steps to Reproduce: 1. See the bug details. 2. 3. Dig Bug.
Reporter | ||
Comment 1•22 years ago
|
||
I was wrong when I said this worked with Netscape 6.2 I was mislead because it doesn't actually throw an exception, but the request does not go to the server. I'm using a relative url, so it seems, after playing around with it, that the browser is using the domain as the server name, so in effect resolving the server location incorrectly.
Updated•22 years ago
|
Whiteboard: DIGBug
Updated•22 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: nsbeta1+
Priority: -- → P2
Target Milestone: --- → mozilla1.2alpha
Updated•22 years ago
|
Target Milestone: mozilla1.2alpha → mozilla1.2beta
Testcase in URL sets the document.domain to a shorter format, but then XMLHttpRequest.open() fails because of security error. This is in nsScriptSecurityManager::CheckSameOriginDOMProp() where the code notes that subject has changed domain but object has not. This seems weird to me in this case since we haven't yet even loaded the object, so there is no way it could have set the domain . With XMLHttpRequest and document.load() it should not check this, I think. Mitch, can you help me out here?
I will need some help from Mitch to fix the CAPS side of things, but I also realized I need to change the way XMLHttpRequest gets the base URL for the connection. Currently it gets this from the principal of the page, but that is affected by document.domain (so currently even if document.domain didn't fail because of security any relative URLs would probably fail to load). I think XMLHttpRequest should get the base URL of the document instead.
Updated•22 years ago
|
Target Milestone: mozilla1.2beta → mozilla1.3alpha
Updated•22 years ago
|
QA Contact: petersen → rakeshmishra
Updated•22 years ago
|
Target Milestone: mozilla1.3alpha → mozilla1.3beta
Assignee | ||
Comment 6•22 years ago
|
||
Comment on attachment 102085 [details] [diff] [review] (Part of?) xmlextras side of fix r=mstoltz on this patch. It solves part of the problem, but not all.
Attachment #102085 -
Flags: review+
Assignee | ||
Comment 8•21 years ago
|
||
The obvious way to fix this is to remove the requirement that both source and target set document.domain, at least for this case. However, that will reopen the DNS spoofing bug that was the reason we added that restriction. I don't see any alternate solution for this bug, so we may have to think of alternate solutions for the DNS problem.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.4final
Assignee | ||
Comment 9•21 years ago
|
||
This patch causes the security manager to ignore the requirement that both source and target documents have set document.domain. It only applies to XMLHTTPRequest.open, SOAP, and XMLDocument.load, the 3 places that call CheckConnect. This patch will allow, for example, a script on a page at a.b.com that has set document.domain to b.com to open an XMLRequest to http://b.com/file.xml. It will *not* allow the same page to open a request to http://a.b.com/file.xml. Is this sufficient?
I think it's ok for now. If more is needed later, we can open new bugs.
Assignee | ||
Comment 11•21 years ago
|
||
Comment on attachment 124004 [details] [diff] [review] Patch OK then, requesting reviews.
Attachment #124004 -
Flags: superreview?(heikki)
Attachment #124004 -
Flags: review?(jst)
Updated•21 years ago
|
Attachment #124004 -
Flags: superreview?(heikki) → superreview+
Comment 12•21 years ago
|
||
Comment on attachment 124004 [details] [diff] [review] Patch r/sr=jst
Attachment #124004 -
Flags: review?(jst) → review+
Assignee | ||
Comment 13•21 years ago
|
||
Comment on attachment 124004 [details] [diff] [review] Patch Seeking drivers approval for 1.4. This patch slightly relaxes the security policy for XMLHTTPRequest to fix a regression in some Web apps. The risk is low.
Attachment #124004 -
Flags: approval1.4?
Assignee | ||
Comment 14•21 years ago
|
||
Checked in on trunk, will keep the bug open until we get it into 1.4
Comment 15•21 years ago
|
||
Comment on attachment 124004 [details] [diff] [review] Patch >@@ -724,7 +725,8 @@ > NS_ERROR("CheckPropertyAccessImpl called without a target object or URL"); > return NS_ERROR_FAILURE; > } >- rv = CheckSameOriginDOMProp(subjectPrincipal, objectPrincipal, aAction); >+ rv = CheckSameOriginDOMProp(subjectPrincipal, objectPrincipal, >+ aAction, (PRBool)aTargetURI); > break; > } > default: Isn't aTargetURI a pointer? You can't just cast to (PRBool) (which is to say, to (int)), and get a valid boolean. Best to use aTargetURI != nsnull here. >@@ -849,7 +851,8 @@ > nsresult > nsScriptSecurityManager::CheckSameOriginDOMProp(nsIPrincipal* aSubject, > nsIPrincipal* aObject, >- PRUint32 aAction) >+ PRUint32 aAction, >+ PRBool aIsCheckConnect) > { > nsresult rv; > /* >@@ -867,6 +870,14 @@ > // explicitly setting document.domain then the other must also have > // done so in order to be considered the same origin. This prevents > // DNS spoofing based on document.domain (154930) >+ >+ // But this restriction does not apply to CheckConnect calls, since >+ // that's called for data-only load checks like XMLHTTPRequest, where >+ // the target document has not yet loaded and can't have set its domain >+ // (bug 163950) >+ if (aIsCheckConnect) >+ return NS_OK; Are we overloading a security manager interface inappropriately, to need this flag? /be
Assignee | ||
Comment 16•21 years ago
|
||
Brendan, On your first point, will do. On your second point, I don't believe so. CheckSameOriginDOMProp is an internal function, not part of the interface.
Comment 17•21 years ago
|
||
If I understand comment #9 correctly this does not fix the original complaint that we don't handle relative URLs the way IE does. (It's not clear, though, whether the IE tested was the latest version with the same document.domain spoofing fix we applied.) Or does Mitch's patch get combined with Heikki's in order to get the proper relative document base for relative URLs? I'd hate to partially reopen the document.domain spoof and not actually solve the relative URL bug that's breaking things.
The XMLExtras part was checked in long time ago as part of another bug. However, the testcase in the URL still does not seem to work after Mitch's patch. I thought it would...
Assignee | ||
Comment 19•21 years ago
|
||
My testcase works: http://warp.mcom.com/u/mstoltz/bugs/163950.html, which uses a relative URL. I'm not sure what's wrong with your testcase, but I think it's some other problem since I don't see a security error.
Assignee | ||
Comment 20•21 years ago
|
||
Correction: the testcase I mentioned is the same one. For some reason it works from warp but not from green.
Updated•21 years ago
|
Whiteboard: DIGBug → [DIGBug][fixed-trunk]
Comment 21•21 years ago
|
||
Comment on attachment 124004 [details] [diff] [review] Patch Please add fixed1.4 after this is checked into the 1.4 branch
Attachment #124004 -
Flags: approval1.4? → approval1.4+
Comment 22•21 years ago
|
||
a=adt to land on the 1.4 branch.
Assignee | ||
Comment 23•21 years ago
|
||
Fixed on the branch.
Comment 24•21 years ago
|
||
This patch was checked in without addressing the first part of comment 15. This causes building 64-bit Mozilla to fail (Bug 228095).
You need to log in
before you can comment on or make changes to this bug.
Description
•