Closed Bug 1683277 Opened 5 years ago Closed 4 years ago

[meta] Audit checks for cross-origin accessible properties

Categories

(Core :: DOM: Core & HTML, task, P3)

Tracking

RESOLVED FIXED
Fission Milestone M7

People

(Reporter: annevk, Assigned: edgar)

References

(Blocks 1 open bug)

Details

(Keywords: meta)

In bug 1659383 we noticed that focus() didn't have the correct checks when accessed remotely. We should double check that other cross-origin accessible properties do not have this problem.

Severity: -- → S3
Priority: -- → P3

Tracking for Fission M7 Beta milestone

Fission Milestone: --- → M7

Jens, can you please assign this to someone in the DOM Core team?

Flags: needinfo?(jstutte)

The relevant properties are listed in step 3 of https://html.spec.whatwg.org/#crossoriginproperties-(-o-). Whenever these are delegated from Window_Binding to BrowsingContext we need to ensure the same kind of checks happen in each implementation, as bug 1659383 fixed for focus.

Assignee: nobody → echen
Flags: needinfo?(jstutte)
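The Window branch of the list referenced in the comment above (step 3 of CrossOriginProperties(O)), written out as an added example that is not part of the bug discussion or Mozilla's code. The `auditExposure` helper and the `observed` map are hypothetical and constructed for illustration; they compare what an implementation lets a cross-origin caller do against the spec list.

```javascript
// Window branch (step 3) of CrossOriginProperties(O) in the HTML Standard.
// Each entry lists the operations allowed from a cross-origin caller:
// "get"/"set" for accessors, "call" for methods exposed as data properties.
const WINDOW_CROSS_ORIGIN = new Map([
  ["window", ["get"]],
  ["self", ["get"]],
  ["location", ["get", "set"]],
  ["close", ["call"]],
  ["closed", ["get"]],
  ["focus", ["call"]],
  ["blur", ["call"]],
  ["frames", ["get"]],
  ["length", ["get"]],
  ["top", ["get"]],
  ["opener", ["get"]],
  ["parent", ["get"]],
  ["postMessage", ["call"]],
]);

// Hypothetical audit helper: compares what an implementation lets a
// cross-origin caller do (observed) against the list above.
function auditExposure(observed) {
  const findings = [];
  for (const [name, ops] of Object.entries(observed)) {
    const allowed = WINDOW_CROSS_ORIGIN.get(name) || [];
    for (const op of ops) {
      if (!allowed.includes(op)) findings.push(`over-exposed: ${name} (${op})`);
    }
  }
  for (const [name, allowed] of WINDOW_CROSS_ORIGIN) {
    const ops = observed[name] || [];
    for (const op of allowed) {
      if (!ops.includes(op)) findings.push(`missing: ${name} (${op})`);
    }
  }
  return findings;
}

// Constructed sample: the spec list with three deliberate deviations.
const observed = Object.fromEntries(WINDOW_CROSS_ORIGIN);
observed.opener = ["get", "set"]; // setter must not be reachable cross-origin
observed.name = ["get"];          // not in the list at all
delete observed.blur;             // allowed method not reachable

console.log(auditExposure(observed));
```

Indexed child-frame access and the `then` and well-known-symbol fallbacks are handled by separate spec steps and are not covered by this list.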

I checked all CrossOriginReadable attributes; most of them redirect to the BrowsingContext API, except closed, which maintains state separately in the outer window and the browsing context, but that should be fine, given that they are updated at the same time.

Keywords: meta
Summary: Audit checks for cross-origin accessible properties → [meta] Audit checks for cross-origin accessible properties

I checked window.close(); we do pass callerType over IPC when it delegates to BrowsingContext::Close(), so https://searchfox.org/mozilla-central/rev/927e525f481a93a8f63d27a78ae6201e42b1b1fb/dom/base/nsGlobalWindowOuter.cpp#6148-6162 should work well.

I also checked window.postMessage; it looks good, too.

All APIs have been checked and Bug 1690747 has landed; we could close this bug.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED