Closed Bug 307040 Opened 20 years ago Closed 20 years ago

window._content should be XPCNativeWrapper.

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: jst)

References

(
URL
)

Details

(Keywords: fixed1.8, Whiteboard: [sg:fix])

Attachments

(1 file)

Make the window._content getter native.
2.86 KB, patch
mrbkap
: review+
brendan
: superreview+
asa
: approval1.8b5+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.11) Gecko/20050728 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050904 Firefox/1.6a1 Accessing content by using window.content is secure. But, accessing content by using window._content is not secure. window.content is [object XPCNativeWrapper [object Window]]. window._content is [object Window]. Even though Deer Park no longer use window._content, the extensions have been using window._content. Thus, this bug causes potential vulnerability in the extensions. Reproducible: Always Steps to Reproduce: 1. Close JavaScript Console, if exists, to make sure opener is a browser window. 2. Open JavaScript Console from menu bar; [Tools] > [JavaScript Console]. 3. Evaluate the following code: d = top.opener.document; b = d.createElement("button"); b.setAttribute("oncommand", "alert('content: ' + window.content + '\\n_content: ' + window._content)"); b.setAttribute("label", "Click me"); d.getElementById("statusbar-display").appendChild(b); top.opener.focus(); 4. Click on the button added in the statusbar of the browser window that opened JavaScript Console. Then a popup that shows window.content and window._content will appear. Actual Results: content: [object XPCNativeWrapper [object Window]] _content: [object Window] Expected Results: content: [object XPCNativeWrapper [object Window]] _content: [object XPCNativeWrapper [object Window]]
Can we remove window._content?
Assignee: nobody → general
Component: Security → DOM
Product: Firefox → Core
QA Contact: firefox → ian
Version: unspecified → Trunk
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9a1+
Flags: blocking1.8b5+
OS: Windows XP → All
Hardware: PC → All
Assignee: general → jst
Whiteboard: [sg:fix]
This makes the getter we have for window._content (which maps to window.content) be a native function rather than a compiled JS function. This way the getter doesn't carry any principals that make us think we're not called from chrome when chrome accesses window._content.
Attachment #195981 - Flags: superreview?(brendan)
Attachment #195981 - Flags: review?(mrbkap)
Comment on attachment 195981 [details] [diff] [review] Make the window._content getter native. r=mrbkap
Attachment #195981 - Flags: review?(mrbkap) → review+
Comment on attachment 195981 [details] [diff] [review] Make the window._content getter native. Only thought is JSPROP_READONLY, but that would make assignments have no effect, rather than throw an exception. If we like throwing better, the patch as-is is great. /be
Attachment #195981 - Flags: superreview?(brendan) → superreview+
I don't know if we like one better over the other, but I don't want to change the current behavour at this point. Ideally this property could be removed someday, even, but not now (though we could consider that for 1.9, thoughts?). Fixed on the trunk.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Attachment #195981 - Flags: approval1.8b5?
Attachment #195981 - Flags: approval1.8b5? → approval1.8b5+
Fixed on the branch.
Keywords: fixed1.8
Flags: testcase+
Group: security
Flags: in-testsuite+ → in-testsuite?
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: