Closed Bug 221428 Opened 21 years ago Closed 18 years ago

[FIX]Define security policy for stylesheets [was: Security check for same-origin access mistreats data: URIs]

Categories

(Core :: Security, defect, P2)

Product:
Core
Component:
Security
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha3

People

(Reporter: bzbarsky, Assigned: bzbarsky)

References

(Blocks 1 open bug)

Details

(Keywords: testcase)

Attachments

(2 files, 2 obsolete files)

Testcase
311 bytes, text/html
Details
Updated to tip
64.83 KB, patch
Details | Diff | Splinter Review
Testcase coming up. The short story is that the fix for bug 135267 makes it impossible to script a stylesheet loaded via a data: uri, since that in fact has a different origin than the page. I'm not sure how CheckSameOrigin() should work exactly and whether it would be safe for it to succeed when the uri is a data: uri (since presumably cases when data: is running script would use the principal, and data: should inherit the page principal).
Attached file Testcase
Shouldn't the origin of the data: URL be the origin of the page that references it via an attribute value; or if it was set dynamicly, the origin of the script that set it? /be
That's also possible, yes... the problem is that there is no way to get that information from a URI object...
shouldn't you have a reference to the nsIChannel used to load the document?
Perhaps, but how does that help here? The data: url can come from a stylesheet (eg @import) too...
Keywords: testcase
bz: well, since nsIChannel::owner holds a reference to the nsIPrincipal, if you can get ahold of the nsIChannel for the document from which the data: URL was extracted, then you can just use the principal from that nsIChannel to set the principal on the nsDataChannel. (i don't know off hand if the principal's can be shared, or if a new principal must be constructed with the same origin, but that detail should be inconsequential i would think.)
Like I said, the data: can come from a stylesheet, not a document.... And from the data: uri itself I don't see how I can get at the principal. I suppose stylesheets could keep a pointer to their principal, but that may be a little wasteful of memory..
i was using "document" loosely to include the stylesheet "document" ;-) >I suppose stylesheets could keep a pointer to their principal, but that may be a >little wasteful of memory.. this seems like the right solution to me. is it really that bloaty to keep a reference in the stylesheet to the nsIPrincipal used when loading the stylesheet?
Blocks: 201903
Blocks: 174388
So I think we _do_ want to have stylesheets store their principal... Just need to do it.
What about stylesheets with javascript: URIs? Should that script run with the loader's principal? Or will that be a problem for myspace and company?
Assignee: security-bugs → dveditz
QA Contact: carosendahl → toolkit
Another question. When doing a security check for a stylesheet load, should we use the principal of the stylesheet, or the principal of the document that loaded the stylesheet? Or some intersection (meet in brendan's terms)? Or should we simply set the principal of the sheet to the intersection to start with, except for user/ua sheets? Note that bug 204140 and bug 310165 are basically requesting that we use the sheet's principal. Requesting blocking, since this bug is sort of turning into a "define a security policy for stylesheets" bug, which is something I think we should absolutely do for 1.9.
Blocks: 204140, 310165
Flags: blocking1.9?
Summary: Security check for same-origin access mistreats data: URIs → Define security policy for stylesheets [was: Security check for same-origin access mistreats data: URIs]
Blocks: 292789
Depends on: 369242
Patch will depend on bug 369244 to not execute JS...
Depends on: 369244
Depends on: 369247
Attached patch Checkpoint (obsolete) — Splinter Review
Attached patch basically works; once the dependencies land I'll write some tests and then look for reviews. Propagating the principal to the non-@import loads is going to be a separate bug (like bug 204140 and bug 310165). For now I'm just trying to get the principal for the stylesheet right without allowing "@import url('javascript:...');" to execute.
Boris, since you started working on this you win the grand price :)
Assignee: dveditz → bzbarsky
Flags: blocking1.9? → blocking1.9-
Whiteboard: [wanted-1.9]
Attached patch Ready for review (obsolete) — Splinter Review
Again, first-come, first-served. ;) Summary of changes: - Add a principal to style sheet inners - Make stylesheets always have inners and principals and remove null checks - Propagate principals through the CSSLoader - Change the CSSLoader's "same URI means it's the same sheet" setup to match on both URI and originating principal. Not that the latter should really change much...
Attachment #253932 - Attachment is obsolete: true
Attachment #256892 - Flags: superreview?(jonas)
Attachment #256892 - Flags: review?(peterv)
Priority: -- → P2
Summary: Define security policy for stylesheets [was: Security check for same-origin access mistreats data: URIs] → [FIX]Define security policy for stylesheets [was: Security check for same-origin access mistreats data: URIs]
Target Milestone: --- → mozilla1.9alpha3
Blocks: 376484
Blocks: 377091
I have started reviewing.
Attachment #256892 - Flags: review?(peterv) → review+
Peter, should I count that as an r+sr? Or do you want Jonas to look at this too?
Comment on attachment 256892 [details] [diff] [review] Ready for review Yeah, I can do r+sr.
Attachment #256892 - Flags: superreview?(jonas) → superreview+
Attached patch Updated to tipSplinter Review
Attachment #256892 - Attachment is obsolete: true
Checked in.
Status: NEW → RESOLVED
Closed: 18 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Depends on: 379582
Flags: wanted1.9+
Whiteboard: [wanted-1.9]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: