Closed Bug 28443 Opened 25 years ago Closed 24 years ago

DOM Properties should default to sameOrigin

Categories

(Core :: Security, defect, P3)

x86
Windows NT
defect


VERIFIED FIXED

People

(Reporter: norrisboyd, Assigned: security-bugs)

References

Details

(Whiteboard: [nsbeta2+])

Yes, I have examined the DOM properties.
Some document properties that are now exposed to any host should be
hidden; I do not see any reason for them to be accessible.
I mean the following properties of the document object, and propose
changes to all.js:

images - collection
alinkColor
linkColor
vlinkColor
bgColor
fgColor
layers
width
height
styleSheets - collection (probably a small vulnerability).


My personal opinion is that instead of disabling access to properties in
all.js it would be better to disable access to all properties and
methods and allow access only to "trusted" ones (of course I mean the
Same Origin policy). I do not see any reason for scripts from other
hosts to have access to the document and window (probably only location)
objects. The latest version of IE is made this way (previous versions were
not that strict).
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General
Status: NEW → ASSIGNED
Target Milestone: M15
Keywords: beta2
Moving to M16 so that M15 can branch
Target Milestone: M15 → M16
Keywords: nsbeta2
Bulk reassigning most of norris's bugs to mstoltz.
Assignee: norris → mstoltz
Status: ASSIGNED → NEW
Putting on nsbeta2+ for 5/16 radar.
Whiteboard: [nsbeta2][5/16]
Updating [nsbeta2] to read [nsbeta2+] in Status Whiteboard.
Whiteboard: [nsbeta2][5/16] → [nsbeta2+][5/16]
Will review...hopefully with some input from DOM folks.
Status: NEW → ASSIGNED
Nisheeth,
   What do you think about setting the properties listed in this bug to 
SameOrigin access only? Will this break anything? Should I make this change?
I don't see anything wrong with your proposed change.  Johnny and Tom, what do 
you guys think?  CCing Vidur to see if he has any comments.
I don't see a problem with the proposal either, but one thing I noticed from
reading the first comment in this bug is that neither the Document nor the
HTMLDocument interface in mozilla has a "layers" property. I think there used to
be one even in mozilla but it's not there any more. And also, now that the DOM in
mozilla has been updated to DOM Level 2 there are even more properties in almost
all DOM Core interfaces (Document included) whose protection should at least be
investigated. Should we include that here, or should we do that separately?
Sure, let's add discussion here on additional DOM properties which may require
protection. CCing Cathy Zhang, who is doing a systematic review of our DOM
security defaults.
Changed QA contact to Cathy.
QA Contact: junruh → czhang
Putting on [nsbeta2-] radar. Removing [5/16]. Will take for RTM assuming low 
risk.
Keywords: nsbeta3, rtm
Whiteboard: [nsbeta2+][5/16] → [nsbeta2-]
Yes, it's low risk, and would greatly improve our security. I am discussing 
Georgi's proposal with Vidur, to make all DOM properties and methods subject to 
the same-origin check by default, then enumerate the (probably small) list of 
properties which must be cross-site accessible in the default preferences. I 
changed the name of the bug to reflect this plan.
Summary: DOM Properties need additional protection → DOM Porperties should default to sameOrigin
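The difference between the two approaches discussed in this bug (the initial proposal to mark individual document properties sameOrigin in all.js, versus the later plan to make every DOM property and method sameOrigin by default and enumerate the few cross-site-accessible ones) can be seen in a small model of the policy lookup. The following is an added example, not Mozilla's code: the preference table shape, the `Document.doctype` property used as the "nobody listed it" case, the assumption that only `Window.location` stays open, and the URLs are all constructed for the illustration.

```javascript
// Added example (not Mozilla code): a model of the DOM access-policy lookup.
// Preference names, the sample tables and the URLs are assumptions.

// The classic same-origin test: scheme, host and port must all match.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// "Before": everything is readable cross-site unless a preference names it.
// This is the per-property deny list from the first comment in the bug.
const denyListPolicy = {
  'Document.images': 'sameOrigin',
  'Document.alinkColor': 'sameOrigin',
  'Document.linkColor': 'sameOrigin',
  'Document.vlinkColor': 'sameOrigin',
  'Document.bgColor': 'sameOrigin',
  'Document.fgColor': 'sameOrigin',
  'Document.width': 'sameOrigin',
  'Document.height': 'sameOrigin',
  'Document.styleSheets': 'sameOrigin',
};

// "After": everything defaults to sameOrigin and only an enumerated list is
// opened up. Listing only Window.location here is an assumption.
const defaultDenyPolicy = {
  'Window.location': 'allAccess',
};

// Look up the access level for interface.property, falling back to the default.
function resolveLevel(policy, defaultLevel, iface, prop) {
  const key = `${iface}.${prop}`;
  return Object.prototype.hasOwnProperty.call(policy, key) ? policy[key] : defaultLevel;
}

// Decide whether script running at subjectURL may touch iface.prop on a
// document loaded from targetURL under the given policy configuration.
function checkAccess(config, subjectURL, targetURL, iface, prop) {
  const level = resolveLevel(config.policy, config.defaultLevel, iface, prop);
  switch (level) {
    case 'allAccess':
      return true;
    case 'noAccess':
      return false;
    case 'sameOrigin':
      return sameOrigin(subjectURL, targetURL);
    default:
      throw new Error(`unknown policy level: ${level}`);
  }
}

const before = { policy: denyListPolicy, defaultLevel: 'allAccess' };
const after = { policy: defaultDenyPolicy, defaultLevel: 'sameOrigin' };

// A property added later (here: the DOM Level 2 Document.doctype, assumed
// unlisted) stays reachable cross-site under the deny list, but is covered
// automatically once the default is sameOrigin.
function crossSiteReadable(config, iface, prop) {
  return checkAccess(config, 'http://attacker.example/', 'http://bank.example/', iface, prop);
}

function summary() {
  return {
    imagesBefore: crossSiteReadable(before, 'Document', 'images'),
    doctypeBefore: crossSiteReadable(before, 'Document', 'doctype'),
    doctypeAfter: crossSiteReadable(after, 'Document', 'doctype'),
    locationAfter: crossSiteReadable(after, 'Window', 'location'),
  };
}
```

The point the model makes is the one Mitch and Vidur make in the bug: with allow-by-default, every new interface added to the DOM has to be remembered and listed, and any omission is an information leak; with sameOrigin-by-default the only thing that needs review is the short allow list.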
Moving to M17. Not an M16 stopper.
Target Milestone: M16 → M17
Assigning QA to czhang
Whiteboard: [nsbeta2-]
Clearing nsbeta2- and requesting re-evaluation for nsbeta2 approval. Vidur and I 
agree that this change will probably prevent numerous security holes in the 
future.
Strong endorsement of permitting checkin for nsbeta2 as it's supposed to be FC, 
and that includes security policy. Here's why:
1) it's good to strengthen our security where we can at low risk to minimize 
possible post-FCs respins
2) but we want to check in such changes earlier, not later, to catch any 
unexpected issues (even though we don't expect any, one of course never does 
...)
3) this is judged high value and low risk
4) we're still prior to FC cutoff
Blocks: 41230
Blocks: 42506
Summary: DOM Porperties should default to sameOrigin → DOM Properties should default to sameOrigin
[nsbeta2+]
Whiteboard: [nsbeta2+]
Blocks: 20682
Blocks: 38828
Blocks: 44271
Blocks: 23516
This change has been checked in. Marking FIXED.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
verified.
Status: RESOLVED → VERIFIED