Bug 306288
Opened 20 years ago
Closed 9 years ago
Security UI callbacks for embedders have no useful context information
Categories
(Core :: Security: PSM, defect)
RESOLVED
WONTFIX
People
(Reporter: sfraser_bugs, Unassigned)
Details
(Whiteboard: [kerh-ehz])
For an embedder implementing nsICertificateDialogs, nsIBadCertListener or
nsISecurityWarningDialogs, there's no way to get at the originating nsIDOMWindow
from the various callback methods. This is a serious security issue, because the
embedder cannot present UI to the user that indicates where the request is coming
from.
For our other dialogs (via nsIPromptService) we are provided an nsIDOMWindow.
NSS/PSM needs to do the same.
The provided nsIInterfaceRequestor* ctx is not useful; it's only queryable to an
nsIPrompt.
Reporter
Updated•20 years ago
OS: MacOS X → All
Hardware: Macintosh → All
Comment 1•20 years ago
in:
http://lxr.mozilla.org/seamonkey/source/security/manager/pki/src/nsNSSDialogs.cpp
we seem to be doing something like:
nsCOMPtr<nsIDOMWindowInternal> parent = do_GetInterface(ctx);
Is this not working for you?
Reporter
Comment 2•20 years ago
(In reply to comment #1)
> in:
> http://lxr.mozilla.org/seamonkey/source/security/manager/pki/src/nsNSSDialogs.cpp
>
> we seem to be doing something like:
> nsCOMPtr<nsIDOMWindowInternal> parent = do_GetInterface(ctx);
>
> Is this not working for you?
I just debugged through this in DeerPark. |parent| there in
nsNSSDialogs::ConfirmDownloadCACert() is a null pointer (note that the code
doesn't check it).
Comment 3•20 years ago
Very odd. Tracing back a bit on the stack, don't you see a new'ed PipUIContext
on either:
http://lxr.mozilla.org/seamonkey/source/security/manager/ssl/src/nsNSSComponent.cpp#2428
http://lxr.mozilla.org/seamonkey/source/security/manager/ssl/src/nsNSSCertificateDB.cpp#1029
In any case, you're right... this object doesn't really get you to where you need
to be.
Reporter
Comment 4•20 years ago
Yeah, PipUIContext is a waste of space.
Comment 5•20 years ago
Can we clear the security-sensitive flag? What are we protecting here?
Reporter
Comment 7•20 years ago
Bug 277587 may have helped.
Comment 8•20 years ago
(In reply to comment #7)
> Bug 277587 may have helped.
>
That fixed it for the interface requestor passed to nsISecurityWarningDialogs methods; all others still have the problem.
Updated•20 years ago
Whiteboard: [kerh-ehz]
Updated•19 years ago
Assignee: kengert → nobody
Updated•18 years ago
QA Contact: psm
Comment 9•9 years ago
This doesn't seem to be relevant anymore.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX