[meta] Audit checks for cross-origin accessible properties
Categories
(Core :: DOM: Core & HTML, task, P3)
Tracking
(Fission Milestone: M7)
People
(Reporter: annevk, Assigned: edgar)
References
(Blocks 1 open bug)
Details
(Keywords: meta)
In bug 1659383 we noticed that focus() didn't have the correct checks when accessed remotely. We should double check that other cross-origin accessible properties do not have this problem.
Updated•5 years ago
Comment 2•5 years ago
Jens, can you please assign this to someone in the DOM Core team?
Comment 3•5 years ago (Reporter)
The relevant properties are listed in step 3 of https://html.spec.whatwg.org/#crossoriginproperties-(-o-). Whenever these are delegated from Window_Binding to BrowsingContext we need to ensure the same kind of checks happen in each implementation, as bug 1659383 fixed for focus.
Comment 4•5 years ago (Assignee)
For CrossOriginCallable, there are
- window.close()
- window.focus() (covered by bug 1659383)
- window.blur() (covered by bug 1690747)
- window.postMessage()
And for CrossOriginReadable, there are
Comment 5•5 years ago (Assignee)
I checked all CrossOriginReadable attributes; most of them redirect to call the BrowsingContext API, except closed, which maintains state separately in the outer window and the browsing context, but that should be fine, given that they are updated at the same time.
Updated•5 years ago (Assignee)
Comment 6•5 years ago (Assignee)
I checked window.close(), we do pass callerType over the IPC when it delegates to BrowsingContext::Close(), so https://searchfox.org/mozilla-central/rev/927e525f481a93a8f63d27a78ae6201e42b1b1fb/dom/base/nsGlobalWindowOuter.cpp#6148-6162 should work well.
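The parity check that comments 3 and 6 describe, as an added example that is not part of the bug thread and not Gecko code: a simplified model in which the caller type is forwarded in the message and the receiver re-runs the same policy, plus an audit loop comparing the remote path against the in-process one. All type and function names are hypothetical, and the close policy is a stand-in.

```cpp
#include <cstdint>
#include <initializer_list>

// Simplified model, not Gecko code; every name here is hypothetical.
enum class CallerType : std::uint8_t { NonSystem = 0, System = 1 };
struct WindowState { bool openedByScript; bool closed; };

// Stand-in policy: the one rule that every path to close() has to apply.
bool MayClose(const WindowState& w, CallerType caller) {
  return caller == CallerType::System || w.openedByScript;
}

// Same-process path: the binding knows the caller and checks directly.
bool CloseInProcess(WindowState& w, CallerType caller) {
  if (!MayClose(w, caller)) return false;
  w.closed = true;
  return true;
}

// Out-of-process path: the caller type travels in the message.
struct CloseMsg { std::uint8_t callerType; };
CloseMsg SerializeClose(CallerType c) { return {static_cast<std::uint8_t>(c)}; }

// Receiver: reject unknown values, then run the same policy as in-process.
// Assumes the sending process reports its caller type honestly.
bool RecvClose(WindowState& w, const CloseMsg& m) {
  if (m.callerType > static_cast<std::uint8_t>(CallerType::System)) return false;
  return CloseInProcess(w, static_cast<CallerType>(m.callerType));
}

bool RemoteChecked(WindowState& w, CallerType c) { return RecvClose(w, SerializeClose(c)); }
// Constructed contrast: the caller type is dropped, so no check can run.
bool RemoteUnchecked(WindowState& w, CallerType) { w.closed = true; return true; }

// Audit: count (window state, caller) pairs where the remote path's result
// or side effect differs from the in-process path.
int CountMismatches(bool (*remote)(WindowState&, CallerType)) {
  int mismatches = 0;
  for (bool opened : {false, true})
    for (CallerType c : {CallerType::NonSystem, CallerType::System}) {
      WindowState a{opened, false}, b{opened, false};
      bool ra = CloseInProcess(a, c), rb = remote(b, c);
      if (ra != rb || a.closed != b.closed) ++mismatches;
    }
  return mismatches;
}

int main() { return CountMismatches(RemoteChecked); }
```

The same loop applies to each CrossOriginCallable entry in comment 4 once its in-process and remote handlers are modelled side by side.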
Comment 7•5 years ago (Assignee)
I also checked the window.postMessage, it looks good, too.
Comment 8•4 years ago (Assignee)
All APIs have been checked and Bug 1690747 has landed; we could close this bug.