Closed
Bug 194435
Opened 22 years ago
Closed 13 years ago
XBL security review action items
Categories
(Core :: XBL, defect)
RESOLVED
FIXED
Flag | Tracking | Status |
---|---|---|
firefox-esr10 | --- | wontfix |
People
(Reporter: hjtoi-bugzilla, Unassigned)
References
Details
(Whiteboard: [sg:investigation])
Should we limit where bindings can be loaded from? Like remote content should
not be able to load chrome? Currently we rely on remote content being able to
load chrome bindings so this might not be feasible. Is this a security risk?

Can you share bindings with same name, so that content XBL could hide/replace
chrome XBL?

It seems like we support relative URLs. It would probably be safer to support
only absolute URLs in chrome.

Is it easy to spoof users so that they would think they have tabs active while
the tabs come from content?

Can you use XBL loading to test if file exists? Can you load files from where
you should not be able to?

We share bindings for prototypes, should we make it so we don't share in content
(we want to do it in chrome), maybe copy on write?

Does the loading of XBL fail if the file does not match XBL DTD? This would
provide added security, and we want to make sure this is the case (wrong mime
type, arbitrary XML).

Make a pref to enable JS to only load from same origin.

Make a pref that lists "trusted/intranet" domains, and make it so that scripts
from other domains won't be able to load anything from "trusted/intranet zone".

Should we disable XBL loading from style attribute?

If JS disabled, shouldn't XBL also be disabled? Currently XBL alone can at least
reorder content.

Can HTML content get to scrollbars? Seems like XUL documents can manipulate
their own scrollbars. Maybe this should be disabled for remote XUL.

XBL form controls will need special handling so that they still work if JS is
disabled.
Updated•22 years ago
Whiteboard: [sg:investigation]
Updated•18 years ago
Assignee: bryner → general
Target Milestone: mozilla1.4beta → ---
Comment 2•13 years ago
All this stuff was disabled (from content) in Firefox 4.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
status-firefox-esr10:
--- → wontfix
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release