Closed Bug 304260 Opened 19 years ago Closed 3 years ago

Nothing documents that nsIClassInfo.flags == nsIClassInfo.DOM_OBJECT will trump implementing nsISecurityCheckedComponent

Categories

(Core :: Security: CAPS, defect, P5)

Product:
Core
Component:
Security: CAPS
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: timeless, Unassigned)

Details

Attachments

(1 file)

reorder classinfo after securitycheckedcomponent
12.30 KB, patch
Details | Diff | Splinter Review 
this is really messing me up, and I think it's probably wrong too.
Summary: Nothing documents that nsIClassInfo.flags == nsIClassInfo.DOM_CLASS will trump implementing nsISecurityCheckedComponent → Nothing documents that nsIClassInfo.flags == nsIClassInfo.DOM_OBJECT will trump implementing nsISecurityCheckedComponent

  

  


Assignee: dveditz → timeless
Status: NEW → ASSIGNED

        Attachment #192396 -
        Flags: superreview?(dveditz)

        Attachment #192396 -
        Flags: review?(caillon)

    
    

    
  
I'm not happy with the perf impact of QI to nsISecurityCheckedComponent for every security check on everything.  In particular, for Elements that will be VERY painful....

  

  



    
    

    
  
bz: well, what alternatives are you offering?

should something be responsible for caching that information?

this stuff causes real pain for js objects that need to act like dom objects but want to be able to have their own control over how security behaves (which doesn't seem unreasonable).

  

  



    
    

    
  
If I had a counterproposal, I'd offer it.  All I can tell you is to expect a 3-5% hit on Tdhtml from this change if you land it as-is.

Perhaps the right thing is to revisit our use of classinfo for security checks?  Or revisit the use of nsISecurityCheckedComponent?  Or some other rationalization of our over-complicated security architecture?

  

  



    
    

    
  
How about a classinfo flag to indicate that the class implements nsISecurityCheckedComponent?

  

  


QA Contact: caps

        Attachment #192396 -
        Flags: superreview?(dveditz)

    
  
QA Whiteboard: qa-not-actionable

        Attachment #192396 -
        Flags: review?(caillon)

    
    

    
  
The bug assignee didn't login in Bugzilla in the last 7 months.

:ckerschb, could you have a look please?

For more information, please visit auto_nag documentation.



  

  


Assignee: timeless → nobody
Status: ASSIGNED → NEW
Flags: needinfo?(ckerschb)
Severity: major → S4
Flags: needinfo?(ckerschb)
Priority: -- → P5

    
    

    
  
None of the code this bug is about exists anymore.  In particular, there is no nsIClassInfo::DOM_OBJECT thing, there is no nsISecurityCheckedComponent, and there is no property-access checking in the script security manager.



  

  


Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: