Closed Bug 194435 Opened 22 years ago Closed 13 years ago

XBL security review action items

Categories: Core :: XBL, defect
Priority: Not set
Severity: normal

Status: RESOLVED FIXED
Tracking Status: firefox-esr10 --- wontfix

Reporter: hjtoi-bugzilla; Assignee: Unassigned

Whiteboard: [sg:investigation]

Should we limit where bindings can be loaded from? Like remote content should not be able to load chrome? Currently we rely on remote content being able to load chrome bindings so this might not be feasible. Is this a security risk?

Can you share bindings with same name, so that content XBL could hide/replace chrome XBL?

It seems like we support relative URLs. It would probably be safer to support only absolute URLs in chrome.

Is it easy to spoof users so that they would think they have tabs active while the tabs come from content?

Can you use XBL loading to test if file exists? Can you load files from where you should not be able to?

We share bindings for prototypes, should we make it so we don't share in content (we want to do it in chrome), maybe copy on write?

Does the loading of XBL fail if the file does not match XBL DTD? This would provide added security, and we want to make sure this is the case (wrong mime type, arbitrary XML).

Make a pref to enable JS to only load from same origin.

Make a pref that lists "trusted/intranet" domains, and make it so that scripts from other domains won't be able to load anything from "trusted/intranet zone".

Should we disable XBL loading from style attribute?

If JS disabled, shouldn't XBL also be disabled? Currently XBL alone can at least reorder content.

Can HTML content get to scrollbars? Seems like XUL documents can manipulate their own scrollbars. Maybe this should be disabled for remote XUL.

XBL form controls will need special handling so that they still work if JS is disabled.
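Added illustration (editor's note, not part of this bug and not Mozilla's XBL loader): a JavaScript model of the binding-load policy the comment above sketches, so the individual checks can be seen side by side: content must not load chrome: bindings, content must not use a binding load to probe file:/resource: URLs, chrome accepts only absolute binding URLs, a same-origin pref, and a "trusted/intranet" host list that other origins may not load from. The function names, the option names and the sample URLs are assumptions made for this example.

```javascript
// Added illustration for this page: a model of the binding-load policy the
// review comment proposes. It is not Mozilla's XBL loader; the function and
// option names and the sample URLs below are assumptions made for the example.

const LOCAL_SCHEMES = new Set(["file:", "resource:"]);

// Resolve the binding URL against the referencing document. A relative URL is
// accepted only when allowRelative is true (the comment suggests chrome should
// accept absolute URLs only). Returns a URL object or null.
function resolveBindingURL(bindingURL, documentURL, allowRelative) {
  const isAbsolute = /^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(bindingURL);
  if (!isAbsolute && !allowRelative) {
    return null;
  }
  try {
    return new URL(bindingURL, documentURL);
  } catch (e) {
    return null;
  }
}

function originOf(url) {
  return `${url.protocol}//${url.host}`;
}

// Decide whether the document at documentURL may load an XBL binding from
// bindingURL under `policy`:
//   sameOriginOnly       pref: content may only load bindings from its own origin
//   trustedHosts         "trusted/intranet" hosts; other origins may not load
//                        anything from them
//   chromeAllowsRelative whether chrome documents may use relative binding URLs
// Returns { allowed, reason }.
function mayLoadBinding(documentURL, bindingURL, policy) {
  const doc = new URL(documentURL);
  const docIsChrome = doc.protocol === "chrome:";
  const allowRelative = !docIsChrome || Boolean(policy.chromeAllowsRelative);
  const target = resolveBindingURL(bindingURL, doc.href, allowRelative);
  if (target === null) {
    return { allowed: false, reason: "relative or unparseable binding URL" };
  }
  // Chrome documents are trusted; every check below applies to content only.
  if (docIsChrome) {
    return { allowed: true, reason: "chrome document" };
  }
  // Remote content must not reach chrome bindings.
  if (target.protocol === "chrome:") {
    return { allowed: false, reason: "content may not load chrome bindings" };
  }
  // Content must not use a binding load to probe local files.
  if (LOCAL_SCHEMES.has(target.protocol) && doc.protocol !== "file:") {
    return { allowed: false, reason: "content may not load local bindings" };
  }
  if (policy.sameOriginOnly && originOf(target) !== originOf(doc)) {
    return { allowed: false, reason: "cross-origin binding blocked by pref" };
  }
  const trusted = policy.trustedHosts || [];
  if (trusted.includes(target.hostname) && !trusted.includes(doc.hostname)) {
    return { allowed: false, reason: "untrusted origin may not load from trusted zone" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample decisions; the hosts and paths are made up for the example.
const policy = {
  sameOriginOnly: false,
  trustedHosts: ["intranet.corp.example"],
  chromeAllowsRelative: false,
};
for (const [doc, binding] of [
  ["http://attacker.example/page.html", "chrome://global/content/bindings/tabbox.xml"],
  ["http://attacker.example/page.html", "file:///etc/passwd"],
  ["http://attacker.example/page.html", "http://intranet.corp.example/b.xml"],
  ["chrome://browser/content/browser.xul", "bindings/tab.xml"],
]) {
  console.log(doc, "->", binding, mayLoadBinding(doc, binding, policy));
}
```

The checks run in order of how much they widen the attack surface: a chrome: target from content is refused before any pref is consulted, the local-file probe is refused next, and only then do the two optional prefs apply. The model treats chrome documents as fully trusted, which is exactly the assumption the comment questions when it asks whether content XBL could shadow a chrome binding of the same name; that question is about name resolution inside the binding manager, which a URL-level policy like this one cannot answer.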
Whiteboard: [sg:investigation]
-> me.
Assignee: hyatt → bryner
Target Milestone: --- → mozilla1.4beta
Assignee: bryner → general
Target Milestone: mozilla1.4beta → ---
All this stuff was disabled (from content) in Firefox 4.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Group: core-security → core-security-release
Group: core-security-release