XBL security review action items

Status

RESOLVED FIXED
16 years ago
2 years ago

People

(Reporter: hjtoi-bugzilla, Unassigned)

Tracking

(Blocks: 1 bug)

Trunk
Points:
---

Firefox Tracking Flags

(firefox-esr10 wontfix)

Details

(Whiteboard: [sg:investigation])

Should we limit where bindings can be loaded from? Like remote content should
not be able to load chrome? Currently we rely on remote content being able to
load chrome bindings so this might not be feasible. Is this a security risk?

Can you share bindings with same name, so that content XBL could hide/replace
chrome XBL?

It seems like we support relative URLs. It would probably be safer to support
only absolute URLs in chrome.

Is it easy to spoof users so that they would think they have tabs active while
the tabs come from content?

Can you use XBL loading to test if file exists? Can you load files from where
you should not be able to?

We share bindings for prototypes, should we make it so we don't share in content
(we want to do it in chrome), maybe copy on write?

Does the loading of XBL fail if the file does not match XBL DTD? This would
provide added security, and we want to make sure this is the case (wrong mime
type, arbitrary XML).

Make a pref to enable JS to only load from same origin

Make a pref that lists "trusted/intranet" domains, and make it so that scripts
from other domains won't be able to load anything from "trusted/intranet zone".

Should we disable XBL loading from style attribute?

If JS disabled, shouldn't XBL also be disabled? Currently XBL alone can at least
reorder content.

Can HTML content get to scrollbars? Seems like XUL documents can manipulate
their own scrollbars. Maybe this should be disabled for remote XUL.

XBL form controls will need special handling so that they still work if JS is
disabled.
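
The following is an added illustration, not Mozilla's code and not anything this bug implemented: it models the loading-policy questions in the description (content reaching chrome bindings, relative URLs in chrome, file access, the same-origin pref and the "trusted/intranet zone" pref) as one decision function so the rules can be reasoned about and tested in isolation. Everything here is an assumption for the sake of the example: a document is identified by its URL, a binding is referenced by a URL string that may be relative to that document, and the two prefs from the bug are represented by the options `sameOriginOnly` and `trustedHosts`. The sample requests at the bottom are constructed.

```javascript
// Added illustration, not Mozilla's code: a model of the binding-loading
// policy questions raised in the bug, expressed as one decision function.
// Assumptions (not from the bug): a document is identified by its URL, a
// binding is referenced by a URL string that may be relative, and the two
// prefs described in the bug are modelled as the options `sameOriginOnly`
// and `trustedHosts`.

const CHROME_SCHEME = 'chrome:';
const ABSOLUTE_URL = /^[a-zA-Z][a-zA-Z0-9+.-]*:/;

// Two URLs are same-origin when scheme, host and port all agree.
function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Decide whether the document at `docUrl` may load the binding referenced by
// `bindingRef`. Returns { allow, reason, resolved } so a caller can log the
// verdict and the URL it actually resolved to.
function bindingLoadDecision(docUrl, bindingRef, opts = {}) {
  const { sameOriginOnly = false, trustedHosts = [] } = opts;
  const doc = new URL(docUrl);
  const docIsChrome = doc.protocol === CHROME_SCHEME;

  // Chrome documents may only use absolute binding URLs (same-document
  // "#binding" references excepted), so a relative path cannot resolve
  // somewhere unexpected.
  if (docIsChrome && !ABSOLUTE_URL.test(bindingRef) && !bindingRef.startsWith('#')) {
    return { allow: false, reason: 'relative-url-in-chrome', resolved: null };
  }

  let binding;
  try {
    binding = new URL(bindingRef, doc); // relative refs resolve against the document
  } catch {
    return { allow: false, reason: 'unparseable-url', resolved: null };
  }
  const resolved = binding.href;

  if (docIsChrome) {
    // Chrome is trusted; the questions in the bug are about remote content.
    return { allow: true, reason: 'chrome-document', resolved };
  }

  // Remote content must not reach chrome bindings or local files.
  if (binding.protocol === CHROME_SCHEME) {
    return { allow: false, reason: 'content-loads-chrome', resolved };
  }
  if (binding.protocol === 'file:') {
    return { allow: false, reason: 'content-loads-file', resolved };
  }

  // "Trusted/intranet zone" pref: only documents that are themselves in the
  // zone may load bindings from hosts in the zone.
  if (trustedHosts.includes(binding.hostname) && !trustedHosts.includes(doc.hostname)) {
    return { allow: false, reason: 'untrusted-to-trusted-zone', resolved };
  }

  // Same-origin pref: content may only load bindings from its own origin.
  if (sameOriginOnly && !sameOrigin(doc, binding)) {
    return { allow: false, reason: 'cross-origin', resolved };
  }

  return { allow: true, reason: 'ok', resolved };
}

// Constructed sample requests (hypothetical hosts), one per question in the bug.
const SAMPLES = [
  ['https://attacker.example/page.html', 'chrome://global/content/bindings/tabbrowser.xml', {}],
  ['chrome://browser/content/browser.xul', 'bindings/tabbrowser.xml', {}],
  ['https://a.example/page.html', 'widgets/button.xml', { sameOriginOnly: true }],
  ['https://a.example/page.html', 'https://b.example/button.xml', { sameOriginOnly: true }],
  ['https://a.example/page.html', 'file:///tmp/local.xml', {}],
  ['https://public.example/p.html', 'https://intranet.corp.example/x.xml', { trustedHosts: ['intranet.corp.example'] }],
];

for (const [docUrl, ref, opts] of SAMPLES) {
  const v = bindingLoadDecision(docUrl, ref, opts);
  console.log(`${v.allow ? 'ALLOW' : 'DENY '} ${v.reason.padEnd(26)} ${docUrl} -> ${ref}`);
}
```

The checks are ordered from the least to the most configurable: the chrome and file rules always apply to content, while the zone and same-origin rules only fire when the corresponding option is set, which mirrors the bug's distinction between hard restrictions and prefs.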
Whiteboard: [sg:investigation]
-> me.
Assignee: hyatt → bryner
Target Milestone: --- → mozilla1.4beta
Assignee: bryner → general
Target Milestone: mozilla1.4beta → ---
All this stuff was disabled (from content) in Firefox 4.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Updated

7 years ago
status-firefox-esr10: --- → wontfix

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release