Closed Bug 167714 Opened 23 years ago Closed 23 years ago

Javascript from a secure site (https) should be considered signed.

Categories

(Core :: Security, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 91067

People

(Reporter: jesse.houwing, Assigned: security-bugs)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1b) Gecko/20020829
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1b) Gecko/20020829

Judging from the documentation found at: http://developer.netscape.com/docs/manuals/communicator/jsguide4/sec.htm scripts coming from a secure website should be considered signed by the certificate of the website. This was the case in NS4, but is no longer the case in Mozilla.

Reproducible: Always

Steps to Reproduce:
1.
2.
3. vcb

Actual Results: fdg

Expected Results: fdg dfgfdg
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Javascript from a secure site (Hhttps) should be considered signed. → Javascript from a secure site (https) should be considered signed.
sorry for the garble, bugzilla doesn't show a "finalize" form anymore... :(
This prevents me from using: netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead"); from an unsigned script.
Browser, not engine ---> Security:General
Assignee: rogerl → mstoltz
Component: JavaScript Engine → Security: General
QA Contact: pschwartau → bsharma
That feature was removed as of version 6.0. I have proposed bringing it back, but the crypto engineers think it isn't safe. I'm not convinced of that, although to do this would be to use SSL (https) in a way it was not designed to be used. There's still a possibility of doing this at some point, but it won't be soon. For now, scripts must be signed (or run from the local drive) in order to enable privileges.
Status: NEW → ASSIGNED
What makes it different from signed javascript? It shows a certificate in both cases, and in both cases the user will have to approve the request. Where is the catch I'm missing :)
Dupe of bug 91067

*** This bug has been marked as a duplicate of 91067 ***
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE