Closed Bug 206586 Opened 20 years ago Closed 3 years ago

Allow XBL bindings to dynamically alter their anonymous content structure

Categories

(Core :: XBL, enhancement)

enhancement
Not set
normal

Tracking

()

RESOLVED WONTFIX

People

(Reporter: benjamin, Unassigned)

References

Details

INTRODUCTION:
I was trying to implement an new version of the <xul:tabbox> element.  Instead
of one long row of tabs that get smaller and smaller, after 10 tabs a new row of
tabs would be born, and so forth.

PROBLEM:
There is no method for an XBL implementation to alter the location of explicit
content in the anonymous content structure. I tried
anonNode.AppendChild(explicitChild) but that changes the explicitChild into an
anonymous element.

SOLUTION:
Implement the ElementXBL interface and add the following methods to operate on
anonymous/explicit content: appendChildXBL, insertBeforeXBL, removeChildXBL,
replaceChildXBL (original spec here:
http://www.mozilla.org/projects/xbl/xbl.html#dom-elementxbl)

MAJOR PROBLEMS:
This opens up all sorts of security questions, which were discussed a bit on
#mozilla. I will attempt to summarize: 

1) There was not agreement about what context XBL scripts themselves ought to 
   operate under. I argue for the context of the URL by which they were loaded.
   Thus chrome://foo.xbl would operate under chrome security privileges, while
   http://123.com/foo.xbl would operate under 123.com security privileges.
   A per-method/per-property flag should be added... whether the property/method
   is private
2) There was disagreement about whether content is/should be allowed to load XBL
   from other domains. Currently, it seems that you can load any XBL you want
   style="-moz-binding: url(&quot;file:///blah-de-blah&quot;) works on Mozilla
   1.3 This is IMO a potentially serious security hole. I'm marking this
   a security bug.
3) Not all scripts should have access to the proposed ElementXBL interface. A
   same-source check against the URL of the XBL document is what I propose; I
   still need to work out what happens in the case of multiple bindings on an
   element. Perhaps ElementXBL would only be exposed on anonymous nodes, not
   any explicit nodes.
4) #3 involves associating each anonymous node with a specific binding, rather
   than just saying "I'm anonymous". I'm still looking at how hard this might
   be.
5) If chrome XBL JS runs under chrome privileges, we either need a security
   audit of all chrome XBL bindings (not pretty), or 

I'm willing to do a lot of the work for this, but will probably need to ask
questions about implementing the DOMCI security stuff. Please let me know if you
think this is totally infeasible. I assume that I will need to file dependent
bugs on some of these issues, so this might become a tracking bug.
Security-sensitive, bug no security people cc'd?

Wasn't XBL loading restricted during 1.4?

Point (5) trailed off -- what was the "or" clause?

/be
2) should be fixed (bug 200691). Could you please test with recent trunk build?
2) has been fixed, sorry for testing on old builds

5) either needs a security-audit of all our chrome XBL (blech) or some sort of
   flag: <binding id="whatever" runas="(binding|page)"> to determine whether
   scripts in the binding should run in the security context of the page or their
   own URL. This would default to "page" as that is the current effective setting.

checking XBL scripts against the XBL URI (point #1) is not actually necessary
for this bug. It is necessary for things like <input type="file"> implemented as
XBL, and other XBL that might want to use chrome privileges but shouldn't offer
these privileges to the containing page.
I'm nervous about allowing XUL files in content to load bindings from chrome and
have those bindings run as chrome. That seems dangerous and violates the
philosophy we use just about everywhere - content included by reference gets the
privileges of the including document.

To the other folks CC'd on the bug: Do you think being able to load XBL from a
third-party host is a serious security problem? I don't think so; a page can
load .js files from anywahere, and while this could be used to read certain
files inside a firewall, in practice it would be very difficult to exploit.
Thoughts?
> I'm nervous about allowing XUL files in content to load bindings from chrome and
> have those bindings run as chrome. That seems dangerous and violates the

I think there is a good case for treating XBL as its own security context. The
prime example is <input type="file"> implemented in XBL, which 1) needs chrome
privileges to run and 2) must not be interfered-with by user-space XBL.

As I said, this is not necessary for this bug. But it does affect how I
implement this, granting scripts access to the ElementXBL interface. So the XBL
module owners need to make a decision, and I will implement it either way.

--BDS
Group: security
Depends on: 206687
Here's an example of why permissions are so tricky.
Textboxes have a context menu, which performs restricted tasks (clipboard).
Obviously we don't want to grant access to the clipboard from content.
If you grant the binding some sort of permissions, you then have to explain to
Mozilla that your menuitem command handler can access the clipboard while
preventing content from simulating a command event on that menuitem.
I hope that those methods and anonymous nodes will be inaccessible from content.
(The way the bindings have been structured helps in this respect).
I have an issue or two with the proposed extensions, myself.  :)

firstChildXBL, lastChildXBL, previousSiblingXBL, nextSiblingXBL seem like a
touch of features not needed; ditto for insertBeforeXBL, replaceChildXBL,
removeChildXBL.

IMHO, we should keep XBL-inserted anon content accessible as properties of the
node.xblChildNodes and node.anonymousParent properties.  The seven proposed
extensions are really unnecessary.  Use these properties to transition to the
anonymous content sections, and go from there.

But that's just the purist in me talking.  I can see how they'd be useful.  In
any case, including getters and setters and DOM function calls to do this anyway
would be interesting.
Right now XBL scripts are restricted to match the privileges of the document in
which they are bound, so if content loads a chrome binding, the XBL has only
content privileges.  To do otherwise is to open up a huge can of worms, since an
XBL chrome binding could have an e.g., formatHardDrive() method that could then
be invoked by the Web page.

The security model idea that Stuart Ballard et. al. had proposed at one point
was that the attacher of the binding would determine the security privilege, but
even that has some of the same issues (e.g., the textfield clipboard problem).

Privileged XBL might work if content was denied permission to any privileged 
element (except possibly to dispatch an event).
Part of XBL2, which will need a consistent plan and implementor at some point.
Assignee: benjamin → nobody
QA Contact: ian → xbl

XBL is now disabled in Firefox (Bug 1583314) and is in the process of being removed from Gecko (Bug 1566221), so closing bugs requesting changes to its implementation as wontfix.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.