Closed Bug 177639 Opened 22 years ago Closed 22 years ago

The XBL binding should not get the same privileges as the content to which it is attached to.

Categories

(Core :: XBL, defect)

x86
Windows 2000
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: bsharma, Assigned: jag+mozilla)

Details

This issue was reported after the Security review of XBL; jag asked me to make a
bug out of the issue.

*** Bug 177660 has been marked as a duplicate of this bug. ***

Something here is wrong. As far as I can tell this bug is the exact opposite of
bug 172673. So which is it? Is XBL executed in the security context of itself or
of the document to which it is bound?

See also bug 59701.

Isn't this what we want? Untrusted contexts cannot get special privilege through
XBL, so why is this security sensitive?

Are you worried that trusted code (chrome) might use untrusted XBL and elevate
its privilege? Yeah, that'd be a problem, but it would be a bug in the trusted
code that did such a thing.

I agree with Dan, although I'd like to hear from Hyatt on this. I believe this
is working as intended - bindings run with the privilege of the page they're
attached to. We should make sure chrome never makes use of non-chrome bindings,
but otherwise we're OK and this bug should probably be marked invalid.
hyatt?

See bug 172673, the XBL binding should get the attached to document's
privileges. -> invalid.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
Summary: The XBL binding gets the same privileges as the content to which it is attached to. → The XBL binding should not get the same privileges as the content to which it is attached to.
Group: security