Closed
Bug 271411
Opened 20 years ago
Closed 20 years ago
Same-origin checking for XForms submission
Categories
(Core Graveyard :: XForms, defect)
Core Graveyard
XForms
Tracking
(Not tracked)
RESOLVED
FIXED
mozilla1.8beta1
People
(Reporter: darin.moz, Assigned: darin.moz)
Details
Attachments
(1 file, 1 obsolete file)
|
9.42 KB,
patch
|
bryner
:
review+
|
Details | Diff | Splinter Review |
Same-origin checking for XForms submission Because XForms submission enables the free form construction of XML data to be submitted as part of a HTTP request, we should take care to limit where those requests may be sent. Moreover, since XForms enables the response to be seen by the form (via replace="instance"), we should take care to limit where those responses may come from. In other words, it seems that XForms submission should have a security policy that is similar to document.load or XMLHttpRequest. However, since XForms submission can be triggered without the use of JavaScript, we cannot necessarily rely on having a JS context to base our security decisions on. That's unfortunate, but it shouldn't be a major problem. Patch coming up...
|
Assignee | |
Comment 1•20 years ago
|
||
|
|
Assignee | |
Comment 2•20 years ago
|
||
Comment on attachment 166864 [details] [diff] [review] v1 patch NOTE: this patch is impossible to override. at some point we will want to invent a way to allow the browser to be configured to enable certain sites or domains to support cross-origin XForms submission. Also, this patch only limits XML submission or replace="instance" ... replace="all/none" + method="get/form-data-post" need not be restricted.
Attachment #166864 -
Flags: superreview?(jst)
Attachment #166864 -
Flags: review?(bryner)
|
|
Assignee | |
Updated•20 years ago
|
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta
|
||
Comment 3•20 years ago
|
||
Comment on attachment 166864 [details] [diff] [review] v1 patch sr=jst
Attachment #166864 -
Flags: superreview?(jst) → superreview+
|
||
Updated•20 years ago
|
Attachment #166864 -
Flags: review?(bryner) → review+
|
|
Assignee | |
Comment 4•20 years ago
|
||
Comment on attachment 166864 [details] [diff] [review] v1 patch Spoke with jst, and we came up with a better solution. We can use CheckConnect with the JSContext associated with the script global of our document. This is defined even when there is no JS on the page. Using CheckConnect is preferrable since there is already a mechanism to override it using prefs.
Attachment #166864 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 5•20 years ago
|
||
Actually, CheckConnect is not what we want. More in a bit...
|
|
Assignee | |
Comment 6•20 years ago
|
||
Similar patch, but includes calls to nsIPermissionManager::TestPermission so that the same-origin restriction can be disabled per-host. NOTE: this does not allow us to disable same-origin checking for protocols that do not have a host (e.g., file:///).
|
|
Assignee | |
Comment 7•20 years ago
|
||
The v2 patch also fixes two unrelated problems that I observed:
(1) We were not handling relative URIs specified as the "src" of a <instance>
element.
(2) nsXFormsSetValueElement needs to null check the result of an xpath
evaluation.|
|
Assignee | |
Updated•20 years ago
|
Attachment #167459 -
Flags: review?(bryner)
|
|
||
Updated•20 years ago
|
Attachment #167459 -
Flags: review?(bryner) → review+
|
|
Assignee | |
Comment 8•20 years ago
|
||
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
|
||
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•