Closed Bug 306398 Opened 19 years ago Closed 1 year ago

Security capabilities strongly tied to JS

Tracking

()

Status:

RESOLVED WORKSFORME

People

(Reporter: bzbarsky, Assigned: dveditz)

References

Details

Boris Zbarsky [:bzbarsky]

Reporter

Description

•

19 years ago

Capabilities cannot be enabled on a per-principal basis for non-system principals. That is, for a non-system principal, we can only enable a capability for a (principal, JSStackFrame) pair, not for the principal itself. Quite apart from the JS dependency this introduces into the security manager (and which may not be a huge issue if all our untrusted script will always be JS), this means that it's impossible to request a capability, or to usefully check for it, outside the context of executing JS. That prevents a sensible fix for bug 306397. See also discussion in bug 299518.

Phil Ringnalda (:philor)

Updated

•

16 years ago

QA Contact: caps

BMO Automation

Updated

•

2 years ago

Severity: normal → S3

Daniel Veditz [:dveditz]

Assignee

Comment 1

•

1 year ago

capabilities are gone

Status: NEW → RESOLVED

Closed: 1 year ago

Resolution: --- → WORKSFORME

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Security capabilities strongly tied to JS

Categories

(Core :: Security: CAPS, defect)

Tracking

()

People

(Reporter: bzbarsky, Assigned: dveditz)

References

Details

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Comment 1