Closed Bug 295994 (CVE-2008-5505) Opened 18 years ago Closed 15 years ago

Can store cookie-like information via xul persist attribute

Categories

(Core :: XUL, defect, P3)

Product:
Core
Component:
XUL
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.1b2

People

(Reporter: pop2.bugzilla, Assigned: mayhemer)

References

Details

(4 keywords, Whiteboard: [sg:low][dbaron-1.9:RsCe])

Attachments

(5 files, 11 obsolete files)

Example file
579 bytes, application/vnd.mozilla.xul+xml
Details
Part 1, final patch as checked in
25.70 KB, patch
Details | Diff | Splinter Review
Part 2, rev. 2.2 - Use cookies to persist/restore in nsXULDocument
20.44 KB, patch
benjamin
: review+
dbaron
: superreview-
Details | Diff | Splinter Review
ver3 final
5.94 KB, patch
sicking
: review+
sicking
: superreview+
dveditz
: approval1.9.0.5+
Details | Diff | Splinter Review
ver3.1, for 1.8.1
6.17 KB, patch
sicking
: review+
dveditz
: approval1.8.1.next+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050511
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050511

When user turns off cookies, I still can write cookie-like information by using
the xul persist attribute on a remote page.

Reproducible: Always

Steps to Reproduce:
<xul:element id="test" persist="att1,att2" />
Store:
document.getElementById('test').setAttribute('att1','xxx');
Restore:
alert(document.getElementById('test').getAttribute('att1'));


Expected Results:  
I expect a remote XUL page being able to work with the persist attribute but
onla when the user allows cookies from this site.
They're entirely separate concepts and expecting that a policy about cookies
automatically applies to any form of persistent data is a false assumption.

That said, this seems to be more of a privacy issue than of actual security. 
There's also the aspect that even if you load "foo.xul" in a hidden iframe from
a third party (in order to track in a pseudo-cookie manner) this is of far less
value, since manipulating the content in the hidden iframe would/should fail a
same-origin check.
There are definite privacy implications here. Not so much in the default case
since cookies are on by default, but this easily bypasses restrictions on cookie
size and number, and could not be managed or deleted by users.
Status: UNCONFIRMED → NEW
Component: Security → XP Toolkit/Widgets: XUL
Ever confirmed: true
Flags: blocking-aviary1.1?
Keywords: privacy
Product: Firefox → Core
QA Contact: firefox → xptoolkit.xul
Whiteboard: [sg:fix]
Version: unspecified → Trunk
Hish, I tried to create a testcase to illustrate this but failed to reproduce
the described behavior. I'm not much of a XUL coder, so it is probably my
failing. Could you attach a XUL file containing a working testcase illustrating
the problem?
Attached file Example file 

    
    

    
  
We should require at least UniversalBrowserWrite to persist information, if not
restrict it to chrome entirely. nsXULTreeBuilder already requires chrome privs
to use anything other than an in-memory datasource, so that's a consistent
choice and quite possibly the easiest.
http://lxr.mozilla.org/mozilla/source/content/xul/templates/src/nsXULTreeBuilder.cpp#798

Looks like we'd want checks in nsXULDocument and nsXULContentBuilder
Flags: blocking1.8b4+
Flags: blocking1.7.10+
Flags: blocking-aviary1.0.6+

    
    

    
  
xul:persist is an important part of remote XUL and we should not remove the
capability arbitrarily. If we want to come up with some solution to restrict it
based on cookie prefs etc. that's ok.

    
    

    
  
(In reply to comment #6)
> If we want to come up with some solution to restrict it
> based on cookie prefs etc. that's ok.

Exactly. Restricting it to UniversalBrowserWrite would again mean to cut a
feature. At the end of the day this persistency is nothing else but a cookie
which the user might reject. Best would be if could optionally be able to treat
it like a session cookie. 



    
    

    
  
Treat it like a cookie? You mean let any site store as much as they want (unlike
cookies which have a limit) without the average user knowing (this wouldn't show
up in the cookie viewer) until the whole thing blows up on us like the Flash
"PIE" thing recently did? Except Flash *did* have a built in mechanism for
limiting remote storage and simply chose generous defaults, and we don't even
have that.

I was going to recommend that XUL apps just *use* cookies and take advantage of
all of the existing user controls and security checks, but the document.cookie
mechanism is apparently not supported in XUL. It probably should be, it looks
like a whole lot less work than adding a parallel set of controls and limits.

    
    

    
  
IMHO the best solution here would be to extend our various cookie mechanisms
such that we can treat persistent attributes just like cookies. This means
limiting the storage size of each individual sites usage and the total storage
size (though chrome xul should override these limits). It also means making
persisted attributes show up in the cookie manager and make them be cleared
along with cookies in the FF privacy-thingie (don't remember the name).

I do realize that this might be non-trivial though.

But if this is done well enough we could also let pages persist other things,
such as form-values and even parts of the DOM tree.

    
    

    
  
I should add that doing that would probably be more of a long term solution. For
now maybe we could make xul support .cookies and limit persitent attributes to
chrome?

    
    

    
  
#8:  Use cookies within xul. Sounds good.
#10: What do you think we need persists here? Window sizes and positions,
selected states etc. within remote apps. When you limit that to chrome then
another important feature of remote apps is broken. 
Like Daniel Veditz I think that storing unlimited data via persist is dangerous. 
But what I'm talking about less than 1k per app. 
So why not treating persist like a cookie. They have their defined limitations,
the user knows (or should know) what they are, and in fact 'xul persist' is
nothing else.

I'm viewing the whole discussion from my well known remote-app perspective and
I'm really curious if we end like most of the time in disabling a feature
instead of fixing the problem.

    
    

    
  
I defenetly agree that the best solution is not to kill the persist feature, but
to fix it. However it's a matter of what we can do quick enough for a security
release.

If we enable cookies instead of persist you can still do the exact same thing
and persist positions etc, you just have to go through a little bit of a trouble
to copy attribute-values into a cookie when the window is closed and then copy
it back from the cookie when its opened. You could probably even write a utility
function that did this automatically.

But yeah, ideally i'd like to see the RightThing done right away.

Maybe a relativly simple fix is to hack the persist code so that it behaves
similar to the cookie code for now.

    
    

    
  
It seems to me that implementing xul:persist in terms of cookies would not be
all that hard for remote content, I can look at that possibility for 1.0.6/1.1b.

    
  
Flags: blocking-aviary1.1?

    
  
Assignee: nobody → benjamin
Priority: -- → P1
Whiteboard: [sg:fix] → [sg:fix] ETA 7/29/2005
Target Milestone: --- → mozilla1.8beta4

    
    

    
  


  

        Attachment #190600 -
        Attachment is obsolete: true

        Attachment #190745 -
        Flags: superreview?(darin)

        Attachment #190745 -
        Flags: review?(mvl)

    
    

    
  


  
I am going to attach two versions of this patch: this one (the smaller one)
keeps the existing "restore" codepath from localstore which restores attributes
even if they don't have a persist attribute any more.

The second version uses a nsContentList enumerator and walks the tree to
restore persist in both the localstore and cookie cases, which will fix the
mostly-duplicate bug 231333, bug 231334, and bug 251273, but has a much higher
chance of causing Ts/TXul regressions.

    
  

        Attachment #190749 -
        Flags: review?(bzbarsky)

    
  

        Attachment #190600 -
        Flags: review?(darin)

    
  
Flags: blocking1.7.11+ → blocking1.7.12+

    
    

    
  
Comment on attachment 190749 [details] [diff] [review]
Part 2, rev.1 - Use cookies to persist/restore in nsXULDocument

This is wrong, needs a little more work.

        Attachment #190749 -
        Attachment is obsolete: true

        Attachment #190749 -
        Flags: review?(bzbarsky)

    
    

    
  


  
This combines "option 1" and "option 2" in one patch, with an #ifdef... the
safe-old-way is to not-define LOAD_PERSIST_BY_CONTENTLIST

        Attachment #190844 -
        Flags: review?(bzbarsky)

    
  
Whiteboard: [sg:fix] ETA 7/29/2005 → [sg:fix] has patches, needs review darin, mvl or dwitte, one or more of dbaron/bz/jst/peterv/sicking

    
    

    
  
I'm not sure I'll be able to get to this before I leave (and hence before I get
back on Aug 14th).

    
  

        Attachment #190844 -
        Flags: review?(bzbarsky) → review?(dbaron)

    
    

    
  
Comment on attachment 190844 [details] [diff] [review]
Part 2, rev.2 - Use cookies to persist/restore in nsXULDocument

>+    // The format of a persist cookie is <URIspec>#<ID>#<attname>
>+    nsCAutoString cookiename;
>+    rv = mDocumentURI->GetSpec(cookiename);

So a URI with a '#' in it is going to mess you up, right? I guess it's not too
likely to happen in normal practice, but could anything malicious be done with
it? Are there elements we don't allow to persist that this could be used to get
some persistence for anyway?

We probably want to set the cookie path from the documentURI so this cookie
doesn't pollute higher level pages on the site. If we've got the right path
would it be enough to use just the filename instead of the full URI? That
assumes we can QI to nsIURL and get the extra filename/query/ref etc bits out
of the location, but for http: and ftp: we can.

Is there a better separator that's not legal in either URIs or ID's?

What happens for non-chrome XUL documents that don't have a host? We wouldn't
want a local file:// testpage to accidentally share a jar:http://foo.com/
persist cookie (although maybe we handle jar:http: cookies correctly). Maybe
the full URI in the cookie name is the right thing afterall, though verbose.

>+    // we pick a value for expire that is 100 years in the future.

Seems a little extreme.

    
    

    
  
> So a URI with a '#' in it is going to mess you up, right? I guess it's not too

No. We always form the URI the same way, we never "parse" a cookie looking for
URL/ID/attribute.

> We probably want to set the cookie path from the documentURI so this cookie
> doesn't pollute higher level pages on the site. If we've got the right path
> would it be enough to use just the filename instead of the full URI? That
> assumes we can QI to nsIURL and get the extra filename/query/ref etc bits out
> of the location, but for http: and ftp: we can.

Sounds reasonable.

> >+    // we pick a value for expire that is 100 years in the future.
> 
> Seems a little extreme.

I wanted "forever", but we don't really support that. What is extreme about it?
The user's max-age cookie preferences are still obeyed.


    
    

    
  


  
I misread your comment a bit... I think we should still always set the full URL
in the cookie, but I have also set the cookie path/ when available to avoid
polluting the cookiespace more than necessary.

        Attachment #190844 -
        Attachment is obsolete: true

        Attachment #190944 -
        Flags: superreview?(dbaron)

        Attachment #190944 -
        Flags: review?(dveditz)

    
  

        Attachment #190844 -
        Flags: review?(dbaron)

    
    

    
  
Hmm... so the new Cookie Service interface exists for performance?  Is the cost
of building up a cookie string really that significant?

    
    

    
  
Setting cookies doesn't look especially perf-intensive: *parsing* the cookie
string does look quite complicated and very hard to make perf-efficient.

    
    

    
  
Parsing cookie strings is expensive relative to what?  To page load time? 
Surely not.  That said, it's not that I'm against the new API.  It just seems
like extra engineering for very little gain :-/

    
    

    
  
Maybe it can be made not part of a critical codepath if we arrange the code
correctly (get the cookies before entering the contentlist loop), but it's still
a lot of parsing code which I frankly don't know how to write (I never learned
to use cookies from the DOM, and there seem to be lots of "extras" that require
special handling), and to do it efficiently I think I'd have to keep a
parsed-cookie hashtable on the stack while I'm resolving persistence. Overall I
tend to think that the current approach reduces the overall amount of code and
performs better.

    
    

    
  
I'd like to comment on the cookie parts of this patch... (sometime this week).

    
    

    
  
bsmedberg: ok, i agree.  making you parse cookie strings is silly.  for some
reason i was only thinking about setting cookies :(

    
    

    
  
Comment on attachment 190944 [details] [diff] [review]
Part 2, rev. 2.1 - Use cookies to persist/restore in nsXULDocument

r=dveditz

        Attachment #190944 -
        Flags: review?(dveditz) → review+

    
    

    
  
Comment on attachment 190745 [details] [diff] [review]
Part 1, rev. 2 - Add additional "safe" helper methods to the cookie service

moving review request to dwitte, who said he wanted to look at the patch.

        Attachment #190745 -
        Flags: review?(mvl) → review?(dwitte)

    
    

    
  
Comment on attachment 190745 [details] [diff] [review]
Part 1, rev. 2 - Add additional "safe" helper methods to the cookie service

>Index: netwerk/cookie/public/nsICookieService2.idl
>===================================================================
>+[scriptable, uuid(7cf4b3d9-bdc6-4763-b912-47c526aacc37)]
>+interface nsICookieService2 : nsICookieService

why does this need to be scriptable? if possible, i'd prefer this interface to
be internal - it exposes details of cookies that can easily change in future,
so there should be no illusion of API compat. (i'm not sure if we have a
convention either way, but perhaps nsICookieServiceInternal would be a better
name?)

>+  void setCookieValue(in nsIURI aURI, in nsIPrompt aPrompt,

aPrompt is a kinda historical parameter in cookies nowadays, you can remove it
here. (and in your other patch that fetches a prompter to pass in.)

>+   * @return the resulting cookie value
>+   * @throws NS_ERROR_NOT_AVAILABLE if no cookie with this name has been set.
>+   */
>+  ACString getCookieValue(in nsIURI aURI, in nsIChannel aChannel, in ACString aCookieName);

can you document the fact that it returns the first cookie found if there are
multiple matches for the name?

>Index: netwerk/cookie/src/nsCookieService.cpp
>===================================================================
>+void
>+nsCookieService::getCookieList(nsIURI           *aHostURI,

can you call this GetCookieList() to be consistent with other methods?

>+NS_IMETHODIMP
>+nsCookieService::GetCookieValue(nsIURI *aHostURI, nsIChannel *aChannel,
>+                                const nsACString& aName, nsACString& aResult)

nit, can you put the params each on their own line?

>+void
>+nsCookieService::CheckAndAdd(nsIURI               *aHostURI,
>+                             nsIChannel           *aChannel,
>+                             nsCookieAttributes   &aAttributes,

ubernit, you can |const|ify the nsCookieAttributes here i think.

r=me if we resolve the internal-ness of the added interface.

        Attachment #190745 -
        Flags: review?(dwitte) → review+

    
    

    
  
(on that note, could you add a warning comment to the idl indicating that it is
internal and subject to change?)

    
    

    
  
Comment on attachment 190745 [details] [diff] [review]
Part 1, rev. 2 - Add additional "safe" helper methods to the cookie service

sr=darin with dwitte's nits.  I'm okay with the new interface being scriptable,
but yeah... perhaps "Internal" is a better suffix until we are ready for this
to be used outside of Gecko.

        Attachment #190745 -
        Flags: superreview?(darin) → superreview+

    
    

    
  
> aPrompt is a kinda historical parameter in cookies nowadays, you can remove it
> here. (and in your other patch that fetches a prompter to pass in.)

Are we sure that the channel prompter is going to be the same as the xul
document prompter?




    
    

    
  
the channel's prompter is generally whatever the docshell hands out in
GetInterface(nsIPrompt).

    
    

    
  
Part 1 checked in on trunk with nits fixed. I'll attach the final patch shortly.

    
    

    
  


  
Need a couple days to verify this didn't break anything on the trunk. Also,
approving it is kinda silly unless we're going to get part 2 reviewed and
landed on the branch also.

        Attachment #190745 -
        Attachment is obsolete: true

        Attachment #196153 -
        Flags: approval1.8b5?

    
    

    
  


  
This is the same as part 2 rev 2.1 except I've updated it to the
"nsICookieServiceInternal" name change. Carrying over r=dveditz

        Attachment #190944 -
        Attachment is obsolete: true

        Attachment #196156 -
        Flags: superreview?(dbaron)

        Attachment #196156 -
        Flags: review+

    
  
Whiteboard: [sg:fix] has patches, needs review darin, mvl or dwitte, one or more of dbaron/bz/jst/peterv/sicking → [sg:fix] AT RISK has patches, needs review dbaron/bz/jst/peterv/sicking

    
    

    
  
Comment on attachment 196153 [details] [diff] [review]
Part 1, final patch as checked in

please re-request review when this is fully ready to go.

        Attachment #196153 -
        Flags: approval1.8b5?

    
  

        Attachment #190944 -
        Flags: superreview?(dbaron)

    
    

    
  
dbaron, can you help us with a super-review here? Time is running out for 1.8b5.

    
    

    
  
I think that this is getting too scary for this late in the game. Since this is
a privacy and not security issue, I don't think we can block on this.
Flags: blocking1.8b5+ → blocking1.8b5-

    
    

    
  
Comment on attachment 196156 [details] [diff] [review]
Part 2, rev. 2.2 - Use cookies to persist/restore in nsXULDocument

The nsXULDocument.h include changes should probably be removing both
halves, or as much as possible of both so things still compile.

In PersistToCookie, at the very least assert right after
mDocumentURI->GetSpec that cookiename does not contain '#' (but it
should be a runtime check if it could be needed; I'm not sure if it is).
(Likewise for ApplyPersistFromCookies, I think.)

In PersistToCookie, you shouldn't depend on the ID attribute not having
a '#' in it.  You should either add code to escape it or bail out if it
contains a '#'.
(Likewise for ApplyPersistFromCookies, I think.)
Then again, if it's *only* the ID attribute that could have a '#' then
at least persistence couldn't get crossed, so this isn't a problem, as
long as ApplyPersistFromCookies builds up the string rather than
enumerating cookies (which would probably be superior, but isn't what
you're doing).

In PersistToCookie, you should probably put the expiry initialization
within |if (rv == NS_CONTENT_ATTR_HAS_VALUE)| for two reasons:	(1) save
the work of initializing expiry (PR_Now() may not be cheap) and (2) the
way the current code is structured, it's easy for somebody to
accidentally add an assignment to rv between the assignment from
GetAttr's result and the check.

I really don't understand why you use the domain and path values for the
cookie that you do, but SetCookieValue doesn't seem all that well
documented.  Is what you're doing the right way to make the cookie
specific to the page?  If so, say so in a comment, since it's not clear
to me.

In ApplyPersistFromCookies, nsContentList is reference counted; you
shouldn't delete it.  It's also got expensive liveness code; do you
really need that?  (I didn't check that the constructor call actually
makes sense; I didn't find good documentation for what those constructor
parameters mean.)

Why does ApplyPersistFromCookies pass PR_FALSE for aNotify to SetAttr
when ApplyPersistFromLocalstore passes PR_TRUE?

I didn't review the new version of ApplyPersistFromLocalstore; this
should be superreviewed before it is enabled.

Is it a problem that you're changing the behavior when an attribute used
to be part of the persist attribute (and has a persisted value) but no
longer is part of that attribute?  I think this change is probably good,
but it should be documented, it could easily break things, and so far
you're changing only for the cookie case, since the ifdef for new
persistence code for localstore isn't enabled.	You're also currently
changing this only for the persistence to cookie case, since the
CONTENTLIST ifdefs aren't enabled, but it would be easy to make it true
for all cases even with the non-nsContentList code by checking the
persist attribute before restoring.  And enumerating and checking the
persist attribute before restoring might generally be a
better-performing solution for both cases (I'm assuming that elements
with IDs are added to a map when they're created so it's easy to find
them).	(Have you tested the performance of this nsContentList
solution?)

Another place where you're breaking compatibility (although without the
CONTENTLIST ifdef only for the cookie case) is what I'd also consider a
bug fix, but it should probably be document:  previously
persist="abcdef" persisted attributes "abcdef", "a", "c", "cde", etc.,
since nsXULDocument::AttributeChanged only did a substring check.  We'll
*still* be doing the work to persist those (but probably shouldn't be),
but we'll never restore them, at least for some of the persistence
codepaths.  That deserves at least an XXX comment, but we probably
shouldn't persist them at all if we're not going to restore them.

        Attachment #196156 -
        Flags: superreview?(dbaron) → superreview-

    
    

    
  
Question about this patch:

1) Is it going to happen for FF 1.5?

2) How will this impact web traffic if a remote XUL application persists some
stuff?  It seems to me that the web traffic would start to include a bunch of
cookies, or am I missing something?

    
    

    
  
Since 1.8 is past and this is significantly risky, I'm going to let this sit and wait for supercookies to develop before proceeding.
Priority: P1 → P3
Target Milestone: mozilla1.8beta4 → mozilla1.9alpha

    
    

    
  
Without a safe tested patch I don't think this is 1.0.8 material. Moving from blocking back to the nomination list.
Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Whiteboard: [sg:fix] AT RISK has patches, needs review dbaron/bz/jst/peterv/sicking → [sg:low] AT RISK has patches, needs review dbaron/bz/jst/peterv/sicking
Flags: blocking1.7.13?
Flags: blocking1.7.13-
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8-

    
    

    
  
bug 319846 demonstrates a permanent startup "hang" using XUL persist attributes.
Blocks: 319846
Blocks: 319847
Flags: testcase+

    
    

    
  
(In reply to comment #4)
> Created an attachment (id=188491) [edit]
> Example file
> 

crashed in firefox 1.5.0.7/20060906/winxp tb22993780
ntdll.dll + 0x1010 (0x7c901010)
DOMGCCallback  [mozilla/dom/src/base/nsJSEnvironment.cpp, line 2234]
js_ForceGC  [mozilla/js/src/jsgc.c, line 1515]

no crash bonecho/minefield
Flags: in-testsuite+ → in-testsuite?

    
    

    
  
Is there any reason to put this on the 1.8 branch? I'm working on getting bug 178993 on the branch, and that patch was on top of this change.

I have a version that doesn't require this change, just trying to decide with The Right Thing(TM) is.

    
    

    
  
some public bugs mention |persist| and |localstore| so delaying this looks like a privacy scandal

    
    

    
  
I think now that we have DOM storage we should layer localstore directly on it. dcamp, if you can get that working, I can write an importer for the existing data in localstore.rdf.
Assignee: benjamin → dcamp
Whiteboard: [sg:low] AT RISK has patches, needs review dbaron/bz/jst/peterv/sicking → [sg:low]

    
  
Target Milestone: mozilla1.9alpha1 → mozilla1.9alpha6

    
  
Flags: blocking1.9? → blocking1.9-
Whiteboard: [sg:low] → [sg:low][wanted-1.9]

    
    

    
  
(In reply to comment #51)
> I think now that we have DOM storage we should layer localstore directly on it.

does this mean the patches here are obsolete? if so, is there any justifiable use for the cookie api changes ("part 1" patch) which are currently in the tree, awaiting consumer code ("part 2")?

    
    

    
  
Yes, the patches are obsolete, and yes, the cookie APIs would not be needed. Do with them what you want...

    
    

    
  
(In reply to comment #53)
> Yes, the patches are obsolete, and yes, the cookie APIs would not be needed. Do
> with them what you want...

changes have been removed (bug 384990). should this bug be closed out, or left open for dom storage work?

    
    

    
  
This bug is still here.

    
    

    
  
Why is this not blocking 1.9? Unlimited, unclearable, unblockable, invisible "cookies" are bad. Look at the rumblings as people discover DOM globalStorage, and that actually has a defensible privacy story.
Flags: blocking1.9- → blocking1.9?

    
    

    
  
I suspect its not a blocker because its sg:low at this point.

I'm tempted to just break persist in remote XUL by default, but I think that remote XUL is something we want to kill in the medium to long term in favour of better HTML.  I'm not yet ready to have that battle, I think that's best timed for Moz2.

Right now the globalStorage stuff gets cleared when cookies get cleared, is tying xul persist to this, and the global cookie prefs (like domstorage also already does) sufficient?  I think its unlikely that anyone using this wouldn't also be using cookies, so anyone caring enough to blocklist sites will be covered without having to be aware of alternate forms of persist.  If this is sufficient, can we do this?  Doesn't seem massively bad, especially if we add a global (hidden) pref to disable this for people who really want only visible cookies.

    
    

    
  
Is the patch here *necessarily* obsolete?

    
  
Flags: blocking1.9? → blocking1.9+
Whiteboard: [sg:low][wanted-1.9] → [sg:low]

    
    

    
  
Hi, can you please update the target milestone for this bug?   Thanks.

    
  
Whiteboard: [sg:low] → [sg:low][dbaron-1.9:RsCe]

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Draft according to comment 57 (obsolete)
        — Splinter Review
      

    


  
Patch is tested with attachment 188491 [details] and attachment 104910 [details].

        Attachment #296167 -
        Flags: review?

    
    

    
  
Honza: thanks for that. I think instead of calling IsChromeURI you might want to check the document's principal, IsCapabilityEnabled "UniversalBrowserWrite". That would allow any trusted XUL document to use persistence.

After you're happy with the patch you should ask for review, probably from Jonas Sicking (jonas@sicking.cc).

    
    

    
  


  
Checking "UniversalBrowserRead" when applying and "UniversalBrowserWrite" when persisting. I am checking principal of the underlaying channel. If there is no channel or no principal then the result of my isCapabilityEnabled is FALSE. I'm not expert for nsWindow and therefor it might be too restrictive in some extreme cases.

        Attachment #296167 -
        Attachment is obsolete: true

        Attachment #296354 -
        Flags: review?(jonas)

        Attachment #296167 -
        Flags: review?

    
    

    
  
once upon a time m$ tried `lame super cookies' (hint super cookie, wmplayer, uuid)

this bug and its duplicates are quite to close a lame super cookie imho

please don't make Window Snyder make up stories in her blog like `we care about your privacy. this is sg:low. if you need privacy, fight for it'
Assignee: dcamp → honzab
Flags: wanted1.9+
Flags: blocking1.9-

    
    

    
  
Comment on attachment 296354 [details] [diff] [review]
Draft according to comment 57, ver2

You should call NodePrincipal() (lives on nsINode) rather than getting the principal from the channel.

Looks good otherwise.

        Attachment #296354 -
        Flags: review?(jonas) → review-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        ver3 (obsolete)
        — Splinter Review
      

    


  
I am using document's NodePrincipal(). It is guarantied to be non-null so I omitted !null check. Other possible way is to check NodePrincipal of each node/element I want to write/read/restore attributes to/of (?).

        Attachment #296354 -
        Attachment is obsolete: true

        Attachment #310493 -
        Flags: review?(jonas)

    
    

    
  
Comment on attachment 310493 [details] [diff] [review]
ver3

>+nsXULDocument::IsCapabilityEnabled(const char* aCapabilityLabel)
>+{
>+    nsresult rv;
>+
>+    // NodePrincipal is guarantied to be non-null
>+    nsCOMPtr<nsIPrincipal> nodePrincipal = NodePrincipal();
>+
>+    PRBool ubwEnabled = PR_FALSE;
>+    rv = nodePrincipal->IsCapabilityEnabled(aCapabilityLabel, nsnull, &ubwEnabled);

Simply do
NodePrincipal()->IsCapabilityEnabled(...

> nsXULDocument::LoadScript(nsXULPrototypeScript* aScriptProto, PRBool* aBlock)
> {
>     // Load a transcluded script
>     nsresult rv;
> 
>-    PRBool isChromeDoc = IsChromeURI(mDocumentURI);
>-
>-    if (isChromeDoc && aScriptProto->mScriptObject.mObject) {
>+    if (aScriptProto->mScriptObject.mObject) {
>         rv = ExecuteScript(aScriptProto);
> 
>         // Ignore return value from execution, and don't block
>         *aBlock = PR_FALSE;
>         return NS_OK;
>     }
> 
>     // Try the XUL script cache, in case two XUL documents source the same
>     // .js file (e.g., strres.js from navigator.xul and utilityOverlay.xul).
>     // XXXbe the cache relies on aScriptProto's GC root!
>     PRBool useXULCache = nsXULPrototypeCache::GetInstance()->IsEnabled();
> 
>-    if (isChromeDoc && useXULCache) {
>+    if (useXULCache) {

Why these changes? Bad merge?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        ver3 finalSplinter Review
      

    


  
Sorry for bad diff, my compare threes become different. Now using CVS diff.

        Attachment #310493 -
        Attachment is obsolete: true

        Attachment #310756 -
        Flags: review?(jonas)

        Attachment #310493 -
        Flags: review?(jonas)

    
    

    
  
Comment on attachment 310756 [details] [diff] [review]
ver3 final

Looks good.

        Attachment #310756 -
        Flags: superreview+

        Attachment #310756 -
        Flags: review?(jonas)

        Attachment #310756 -
        Flags: review+

        Attachment #310756 -
        Flags: approval1.9?

    
    

    
  
Comment on attachment 310756 [details] [diff] [review]
ver3 final

a+ schrep

        Attachment #310756 -
        Flags: approval1.9b5+

        Attachment #310756 -
        Flags: approval1.9?

        Attachment #310756 -
        Flags: approval1.9+

    
  
Status: NEW → ASSIGNED
Keywords: checkin-needed

    
    

    
  
Checking in content/xul/document/src/nsXULDocument.cpp;
/cvsroot/mozilla/content/xul/document/src/nsXULDocument.cpp,v  <--  nsXULDocument.cpp
new revision: 1.822; previous revision: 1.821
done
Checking in content/xul/document/src/nsXULDocument.h;
/cvsroot/mozilla/content/xul/document/src/nsXULDocument.h,v  <--  nsXULDocument.h
new revision: 1.205; previous revision: 1.204
done
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: mozilla1.9alpha6 → mozilla1.9

    
    

    
  
Backed out since this is likely the cause of a reftest failure:

http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1207304616.1207306050.2695.gz#err0

That test uses a xul document with persistence, so this seems like the one.  :)  Probably the reftest should be fixed, rather than this bug?

Checking in content/xul/document/src/nsXULDocument.cpp;
/cvsroot/mozilla/content/xul/document/src/nsXULDocument.cpp,v  <--  nsXULDocument.cpp
new revision: 1.823; previous revision: 1.822
done
Checking in content/xul/document/src/nsXULDocument.h;
/cvsroot/mozilla/content/xul/document/src/nsXULDocument.h,v  <--  nsXULDocument.h
new revision: 1.206; previous revision: 1.205
done

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
Backing this out did indeed clear the mac and windows failures (linux is still cycling as I type).  Given the simplicity of the patch and the clearly deliberate disabling of persist for xul content, I suspect the test should be neutered or changed, but I'll defer to the experts here.

Jonas, you reviewed the patch, bz, you wrote the test, thoughts?  :)

    
    

    
  
The test is explicitly testing that persistence works for a particular toolkit widget.  It's testing a bug originally reported against chrome (as you can see if you read the bug corresponding to the test name).  So the right thing to do here is probably to change that test to run against chrome, somehow.

    
    

    
  
That's what we have the chrome tests for, right?

http://developer-cluster.mozilla.org/en/docs/Chrome_tests

Honza: Think you'd be able to convert the failing test into a chrome test?

    
    

    
  
The current test is about testing persistence of the selectedIndex in a tab box. So, have a chrome (mochi) test checking its value after reload should be enough. I will create such a test.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        changed test for bug 398289 (obsolete)
        — Splinter Review
      

    


  
Reftest changed to chrome test.

        Attachment #313683 -
        Flags: review?(jonas)

    
    

    
  
Comment on attachment 313683 [details] [diff] [review]
changed test for bug 398289

Excellent!

        Attachment #313683 -
        Flags: review?(jonas) → review+

    
  

        Attachment #313683 -
        Flags: approval1.9?

    
  
Keywords: checkin-needed

    
    

    
  
Comment on attachment 313683 [details] [diff] [review]
changed test for bug 398289

thanks for updating the tests!

a1.9+=damons

        Attachment #313683 -
        Flags: approval1.9? → approval1.9+

    
    

    
  
Does that new test fail if the patch for the relevant bug is backed out?  I distinctly recall that my initial test looked like that and didn't actually test the bug because the property was out of sync with the display....

    
    

    
  
RCS file: /cvsroot/mozilla/content/xul/content/test/398289-resource.xul,v
done
Checking in content/xul/content/test/398289-resource.xul;
/cvsroot/mozilla/content/xul/content/test/398289-resource.xul,v  <--  398289-resource.xul
initial revision: 1.1
done
Checking in content/xul/content/test/Makefile.in;
/cvsroot/mozilla/content/xul/content/test/Makefile.in,v  <--  Makefile.in
new revision: 1.4; previous revision: 1.3
done
RCS file: /cvsroot/mozilla/content/xul/content/test/test_bug398289.html,v
done
Checking in content/xul/content/test/test_bug398289.html;
/cvsroot/mozilla/content/xul/content/test/test_bug398289.html,v  <--  test_bug398289.html
initial revision: 1.1
done
Checking in content/xul/document/src/nsXULDocument.cpp;
/cvsroot/mozilla/content/xul/document/src/nsXULDocument.cpp,v  <--  nsXULDocument.cpp
new revision: 1.824; previous revision: 1.823
done
Checking in content/xul/document/src/nsXULDocument.h;
/cvsroot/mozilla/content/xul/document/src/nsXULDocument.h,v  <--  nsXULDocument.h
new revision: 1.207; previous revision: 1.206
done
Removing layout/reftests/bugs/398289-1-ref.html;
/cvsroot/mozilla/layout/reftests/bugs/398289-1-ref.html,v  <--  398289-1-ref.html
new revision: delete; previous revision: 1.3
done
Removing layout/reftests/bugs/398289-1.html;
/cvsroot/mozilla/layout/reftests/bugs/398289-1.html,v  <--  398289-1.html
new revision: delete; previous revision: 1.2
done
Removing layout/reftests/bugs/398289-resource.xul;
/cvsroot/mozilla/layout/reftests/bugs/398289-resource.xul,v  <--  398289-resource.xul
new revision: delete; previous revision: 1.1
done
Checking in layout/reftests/bugs/reftest.list;
/cvsroot/mozilla/layout/reftests/bugs/reftest.list,v  <--  reftest.list
new revision: 1.433; previous revision: 1.432
done
Status: REOPENED → RESOLVED
Closed: 15 years ago15 years ago
Keywords: checkin-needed
Resolution: --- → FIXED

    
    

    
  
I screwed up the log message on commit, so I filed bug 427819 to fix it.

    
    

    
  
I'd still like an answer to the question in comment 80.

    
    

    
  
(In reply to comment #80)
> Does that new test fail if the patch for the relevant bug is backed out?  I
> distinctly recall that my initial test looked like that and didn't actually
> test the bug because the property was out of sync with the display....
> 

When the patch for this bug is backed out the new (fixed) test will pass either. The patch for this bug only disallows for foreign xul and all html pages use of the persistent attributes. As I understand.

The test (original and the new fixed one too) verifies whether the persistent attribute works for selectedIndex of tabboxes.

    
    

    
  
Opps.. not patch for this bug for THAT bug. Yes, you are right, I didn't test. Will do that and report.

    
    

    
  
Note that test_bug398289.html (which was modified in this bug's checkin) is currently failing on Linux:

  * Failure Log:
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1207682613.1207686773.29781.gz
  * File itself:
http://bonsai.mozilla.org//cvsblame.cgi?file=mozilla/content/xul/content/test/test_bug398289.html

Honza, is that what you're talking about in comment 85?

    
    

    
  
I backed this out because the test was failing:
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1207682613.1207686773.29781.gz&fulltext=1

(Also, I think comment 80 should have been addressed before it was checked in.)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
My backout accidentally reverted the reftest.list change without re-adding the removed files, so I relanded that part. All that needs to be relanded are the new/changed files when the test failure is addressed.

    
    

    
  
So, the test when attachment 282959 [details] [diff] [review] is backed out (needed some merge) *DOES NOT FAIL*. The tab is switched but content of the windows is not. Thus, we need a chrome reftest or a different way of checking in the new pure chrome test.

Status: REOPENED → ASSIGNED

    
    

    
  
> The tab is switched but content of the windows is not.

Yep.  That's exactly what I recall seeing and why I made it a reftest...

    
    

    
  
Hmm.. this won't be that easy. I added by hacking of layout/tools/reftest/jar.mn the resource file for the test to be in the chrome of the test framework. I get the following error:

Security Error: Content at file:///D:/mozilla/layout/reftests/bugs/
398289-1.html may not load or link to chrome://reftest/content/bugs/398289-resou
rce.xul. 

The path is correct. File resides in _obj/dist/bin/chrome/reftest/content/bugs/. I am afraid we will need a chromereftest framework.


    
    

    
  
I'd say create a test that can be run manually to test your patch. File a bug on getting a chrome-ref-test framework (or expand the reftest framework to support chrome files). Stick your manual test into that bug.

That way we can for now know that your patch is correct. And later make sure it doesn't regress.

    
    

    
  
If I add the test html and ref html to a chrome (I hack the reftest chrome again) and I add to the test list line "== chrome://reftest/content/bugs/398289-1.html chrome://reftest/content/bugs/398289-1-ref.html" it almost works. With one exception. Bug 371075 added checking if the URL could be loaded by reftest framework. URLs are tested against the path to the test list (to the file URL) that doesn't allow load of any chrome.

I changed the test to check against the location of window of the test (chrome://reftest/content/reftest.xul) and then the framework works with chrome URLs in a list. But I am not sure we may change it this way, David, can you give an advise here please?

    
    

    
  
Comment on attachment 313683 [details] [diff] [review]
changed test for bug 398289

This test is not correct to check presence of bug 398289.

        Attachment #313683 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached patch
          
          
        changed test for bug 398289, v2 (obsolete)
        — Splinter Review
      

    


  
This patch turns reftest for bug 398289 to a chrome-reftest. There is need to change the framework slightly. Not sure that is correct...

        Attachment #316791 -
        Flags: review?(jonas)

    
    

    
  
Comment on attachment 316791 [details] [diff] [review]
changed test for bug 398289, v2

I think david would be better for review of reftest changes.

        Attachment #316791 -
        Flags: review?(jonas) → review?(dbaron)

    
    

    
  
Could you explain the reftest.js changes?

Waldo might have some better ideas on how to this.  Seem like maybe we might have a way in the manifest to load the files with chrome privs rather than having to give them chrome: URLs.

    
    

    
  
Nothing really springs to mind; we really should make reftest create its own profile which we could customize to make the source tree accessible for chrome: tests.  It wouldn't be hard to do (I think there's a script in build/ to create profiles), but it would need to be done.

    
    

    
  
I created a script that creates new profile, adds privilege preferences to the pref file and runs the test list. Preferences are:
user_pref("capability.principal.codebaseTrusted.p0.granted", "UniversalXPConnect UniversalBrowserRead UniversalBrowserWrite UniversalPreferencesRead UniversalPreferencesWrite UniversalFileRead");
user_pref("capability.principal.codebaseTrusted.p0.id", "file://");
user_pref("capability.principal.codebaseTrusted.p0.subjectName", "");
user_pref("signed.applets.codebase_principal_support", true); 

This still doesn't help - xul iframe in our test has not got access granted. I get: 
"JavaScript error: chrome://global/content/bindings/dialog.xml, line 186: Permission denied to get property XPCComponents.classes"

The test perfectly works with my changes to the test framework. The reftest.js changes modifies the uri against we do the permission test. Before it were testing against URL of the test list file (maybe a real bug?), with my changes it test against the URL of the file test file.

    
    

    
  
(In reply to comment #99)
> This still doesn't help - xul iframe in our test has not got access granted. I
> get: 
> "JavaScript error: chrome://global/content/bindings/dialog.xml, line 186:
> Permission denied to get property XPCComponents.classes"

I googled this and came across the following Mochitest documentation: http://developer.mozilla.org/en/docs/Mochitest#How_can_I_get_around_the_error_.22Permission_denied_to_get_property_XPCComponents.classes.22.3F. So, I guess one would need to include that line of JS in each test file in order for this approach to work.

Interestingly enough, that documentation suggests adding a hack to Mochitest that would essentially do what your aforementioned patch has done for reftest.

    
    

    
  
Current progress: I modified my script to use the same approach as mochitest to access the source/test files from chrome. There is no need to modify preferences and actually no need to have a profile. However, I still have this feature. It works on windows, but it will take additional time to port it to Mac OS and I don't have a way to test this on linux (don't have a linux machine). This script still needs the change in reftest.js.

If you agree this approach is correct then let me know please. Otherwise my first patch is probably sufficient, at least because we need to get this in ASAP (the patch fixing this real bug hangs only on a failing test for completely different bug).

    
    

    
  
So personally I think it's ok to check in this patch without automated tests, as long as we have manual tests that can be used to verify the fix. We can add automated tests once we have chrome-reftests or reftests-with-custom-profile.

    
    

    
  
The problem is not that _this_ patch can't be tested, but that other existing regression tests no longer work with this patch.  So it's not verifying this fix that's worrisome, but preventing the other bugs from regressing...

    
  
Depends on: 430652

    
    

    
  
Comment on attachment 316791 [details] [diff] [review]
changed test for bug 398289, v2

see bug 430652

        Attachment #316791 -
        Attachment is obsolete: true

        Attachment #316791 -
        Flags: review?(dbaron)
Whiteboard: [sg:low][dbaron-1.9:RsCe] → [missed 1.9 checkin][sg:low][dbaron-1.9:RsCe]

    
    

    
  
Comment on attachment 310756 [details] [diff] [review]
ver3 final

Removing approval since this missed the 1.9 cutoff.

        Attachment #310756 -
        Flags: approval1.9b5+

    
  

        Attachment #310756 -
        Flags: approval1.9+
Flags: wanted1.8.1.x+
Flags: blocking1.9.0.1?
Flags: blocking1.8.1.16?

    
    

    
  
(In reply to comment #103)
> The problem is not that _this_ patch can't be tested, but that other existing
> regression tests no longer work with this patch.  So it's not verifying this
> fix that's worrisome, but preventing the other bugs from regressing...

This is on the branch nomination radar, but it's unclear if this issue has been resolved. Until it has, can we actually check this in? To get it on the branch, please nominate the patch for approval1.9.0.1
Flags: wanted1.9.0.x+
Flags: blocking1.9.1?
Flags: blocking1.9.0.1?
Flags: blocking1.9.0.1-

    
    

    
  
Attachment 310756 [details] [diff] is fix for this bug. The patch is stuck just because of test failure. The test is fixed in bug 430652 that waits for review for several weeks.

    
    

    
  
This is wanted on the 1.8 branch, but not really blocking -- we'll take it when the trunk fix lands. When landed on the 1.9.0.x branch please request 1.8 branch approval as well.
Flags: blocking1.8.1.17?

    
  
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets

    
    

    
  
Can we just rewrite that one existing test to be a mochitest instead of a reftest?

    
    

    
  
We should be able to, esp. now that I added a mochitest utility file to do drawWindow stuff and compare things...

    
    

    
  
(In reply to comment #110)
> We should be able to, esp. now that I added a mochitest utility file to do
> drawWindow stuff and compare things...

For info, I recently added a new (mochi)test to bug 398289.

    
    

    
  
so what's the problem for stopping the spyware?
Flags: blocking1.9.1? → wanted1.9.1+

    
    

    
  
Please land 'ver3 final'.
Keywords: checkin-needed

    
    

    
  
(In reply to comment #113)
> Please land 'ver3 final'.
It is 1.9.1 (mozilla-central) and 1.9 (CVS-trunk) applicable patch. It could not be landed on 1.8.1 branch.

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/8086757a77e1

So, I'm very confused from the above comments on whether this is in-testsuite+ or not... can somebody clarify things for me, please?
Keywords: checkin-needed

    
  
Status: ASSIGNED → RESOLVED
Closed: 15 years ago15 years ago
Resolution: --- → FIXED
Target Milestone: mozilla1.9 → mozilla1.9.1b2

    
  

        Attachment #310756 -
        Flags: approval1.9.0.4?

    
    

    
  
according to my tests this seems fixed in -central

        Attachment #310756 -
        Flags: approval1.9.0.4? → approval1.9.0.5?

    
    

    
  
Comment on attachment 310756 [details] [diff] [review]
ver3 final

Too late for 1.9.0.4, moving request

    
    

    
  
Comment on attachment 310756 [details] [diff] [review]
ver3 final

Approved for 1.9.0.5, a=dveditz for release-drivers

        Attachment #310756 -
        Flags: approval1.9.0.5? → approval1.9.0.5+

    
    

    
  
Landed on cvs trunk:

Checking in src/nsXULDocument.cpp;
/cvsroot/mozilla/content/xul/document/src/nsXULDocument.cpp,v  <--  nsXULDocument.cpp
new revision: 1.829; previous revision: 1.828
done
Checking in src/nsXULDocument.h;
/cvsroot/mozilla/content/xul/document/src/nsXULDocument.h,v  <--  nsXULDocument.h
new revision: 1.209; previous revision: 1.208
done
Keywords: fixed1.9.0.5

    
    

    
  
Verified for 1.9.0.5 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5pre) Gecko/2008112505 GranParadiso/3.0.5pre.
Keywords: fixed1.9.0.5verified1.9.0.5

    
  
Flags: wanted1.8.0.x+
Alias: CVE-2008-5505
Flags: blocking1.8.1.next+
Whiteboard: [missed 1.9 checkin][sg:low][dbaron-1.9:RsCe] → [sg:low][dbaron-1.9:RsCe]

    
    

    
  
The privilege check in ApplyPersistentAttributes makes the check in Persist futile; privileged content pages can persist until they're blue in the face but their persisted attribtes will never get applied. Was this intentional?

    
    

    
  
Daniel, you have set blocking1.8.1.next+ but according to Firefox 2 (1.8.1 branch) download page and other sources security support for it has been stopped. Do you really want me to make a 1.8.1 patch?

    
    

    
  
Honza, Firefox is not the only thing shipping off of 1.8.1.  Thunderbird, Seamonkey, and other applications are going to continue to use that branch.

So yes, it would be nice to have a 1.8.1 patch if possible.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        ver3 for 1.8.1 branch (obsolete)
        — Splinter Review
      

    


  
Tested manually on 1.8.1 branch build with the "Example file" test case. I had to change NodePrincipal()->IsCapabilityChanged to nsIScriptSecurityManager->IsCapabilityChanged(). Please check it's correct, other parts of the patch didn't change, was just merged.

        Attachment #355838 -
        Flags: review?(jonas)

    
    

    
  
Comment on attachment 355838 [details] [diff] [review]
ver3 for 1.8.1 branch

>+PRBool
>+nsXULDocument::IsCapabilityEnabled(const char* aCapabilityLabel)
>+{
>+    nsresult rv;
>+    
>+    nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
>+    NS_ENSURE_TRUE(secMan, PR_FALSE);
>+
>+    PRBool enabled = PR_FALSE;
>+    rv = secMan->IsCapabilityEnabled(aCapabilityLabel, &enabled);
>+    if (NS_FAILED(rv))
>+        return PR_FALSE;
>+ 
>+    return enabled;
>+}

This doesn't look right. You need to make sure to use the principal of the document. This looks like it'll use the principal of whatever javascript happen to be running when we end up in this function.

        Attachment #355838 -
        Flags: review?(jonas) → review-

    
    

    
  
(In reply to comment #125)
> (From update of attachment 355838 [details] [diff] [review])
> This doesn't look right. You need to make sure to use the principal of the
> document. This looks like it'll use the principal of whatever javascript happen
> to be running when we end up in this function.

I thought it was wrong. However, using this code:

    nsIPrincipal* principal = GetPrincipal();
    rv = principal->IsCapabilityEnabled(aCapabilityLabel, nsnull, &enabled);

also doesn't look right to me. When the second parameter (actually a hashtable where values are stored) is null the capability is always false. So, it cannot be set to true by user or any other preference. I don't know where to take the annotation of the document, there is no example in lxr.

However, the patch as would be with the snippet above disallows attribute persistence (fixes the bug).

    
    

    
  


  
See comment #126.

        Attachment #355838 -
        Attachment is obsolete: true

        Attachment #357745 -
        Flags: review?(jonas)

    
    

    
  
> So, it cannot be set to true by user or any other preference. 

That's correct, so it's actually equivalent to an IsSystemPrincipal check at the moment.  The idea was that if we later create a way to associate expanded privileges with a principal (and not just a JSStackFrame), things here would Just Work.

    
    

    
  
Please land "ver3.1, for 1.8.1" on 1.8.1 branch.
Keywords: checkin-needed

    
  

        Attachment #357745 -
        Flags: approval1.8.1.next?

    
    

    
  
Comment on attachment 357745 [details] [diff] [review]
ver3.1, for 1.8.1

Approved for 1.8.1.21, a=dveditz for release-drivers. (add the fixed1.8.1.21 keyword when checked in).

        Attachment #357745 -
        Flags: approval1.8.1.next? → approval1.8.1.next+

    
    

    
  
Landed on CVS 1.8 branch:

Checking in nsXULDocument.cpp;
/cvsroot/mozilla/content/xul/document/src/nsXULDocument.cpp,v  <--  nsXULDocument.cpp
new revision: 1.664.2.32; previous revision: 1.664.2.31
done
Checking in nsXULDocument.h;
/cvsroot/mozilla/content/xul/document/src/nsXULDocument.h,v  <--  nsXULDocument.h
new revision: 1.171.8.6; previous revision: 1.171.8.5

    
  
Keywords: checkin-needed
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.