Closed Bug 177640 Opened 23 years ago Closed 23 years ago

Currently we rely on remote content being able to load chrome bindings so this might not be feasible. Is this a security risk?

Categories

(Core :: XBL, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

RESOLVED WONTFIX

People

(Reporter: bsharma, Assigned: jag+mozilla)

Details

This issue was reported after the Security review of XBL; jag asked me to make a bug out of the issue. Should we limit where bindings can be loaded from? Like remote content should not be able to load chrome?

I don't think this is an issue. The bindings and xul, and the JS in it, will run with the remote document's privileges (or lack thereof).

True, but if we fix bug 177639, this could be an issue...

I can't see bug 177639, so I can't comment yet except to concur with Jag... bindings run with the permissions of the document to which they are bound. This is similar to loading a chrome overlay from remote content. In both cases, the script runs with the permissions of the remote document, so you should be safe.

(you should be able to see bug 177639 now)

This works as designed; remote documents should be able to use documents, scripts, xbl, etc. from chrome://. We do want to add a no-UI pref to disable this ability; bug to be filed. -> wontfix

Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → WONTFIX
Group: security