Open Bug 319313 Opened 19 years ago Updated 2 years ago

Need to grab the least secure security info when using document.write on documents with mixed content security

Categories

(Core :: DOM: Core & HTML, defect, P5)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

People

(Reporter: peterv, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-want, Whiteboard: [sg:want P3]) 

Bug 312363 fixed a regression caused by the fix for bug 298064. However, the problem that we tried to solve with bug 298064 is still not solved. Here's the problem as jst explained it to me:

<jst_>	ok, this'll make more sense if we flip this sample around...
<jst_>	say you have a bank site loaded from http, i.e. *not* secured
<jst_>	i.e. before you log in or whatever
<jst_>	say this site has an iframe loaded from https, so the iframe is secure
<jst_>	both the documents are from the same domain
<jst_>	now
<jst_>	say there's code in the iframe to open a new window and document.write() into it
<jst_>	if the bank site (i.e. the outermost document) calls a method in its iframe that ends up opening the window and document.writing into it
<peterv>	ah, right
<jst_>	then the code as patched (with your change)...
<jst_>	would end up seeing the caller as the iframe code
<jst_>	and the new window would be secure
<jst_>	even if the content that we wrote out came from an insecure page
<peterv>	right
<jst_>	now today, w/o your changes
<jst_>	we have the same problem if you flip that around
<peterv>	heh, I was about to say "there's no good answer though"
<jst_>	though not as obviously... since the outermost page wouldn't be "secure", it'd be "mixed"
<jst_>	but you could construct the exact opposite if you used new windows etc
<jst_>	so this is hard
<jst_>	there *is* a right answer
<jst_>	but it's non-trivial
<peterv>	ah, what's the right answer?
<jst_>	the right answer would be to follow the call chain and find the code with the least secure security info and use that
<peterv>	hmmm
<jst_>	but we've got no APIs to do that right
<jst_>	so we'd need to expose security info with a sane API to the callers here
<peterv>	ah, right
<peterv>	should this be in a bug?
<jst_>	yes, probably :)
<jst_>	wanna cut n' paste this conversation into a bug?
<peterv>	'k
<jst_>	and mark it security sensitive, of course
It sounds to me like this bug only causes broken sites to appear secure when they're not, rather than allowing attackers to do things, so marking [sg:low] to be consistent with other similar bugs.
Blocks: lockicon
Whiteboard: [sg:low]
Summary: Need to grab the least secure security info when using document.write on documents with "mixed" security → Need to grab the least secure security info when using document.write on documents with mixed content security
Group: core-security
Whiteboard: [sg:low] → [sg:want P3]
Assignee: general → nobody
QA Contact: ian → general
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven’t been updated in more than 3 years and has no one currently assigned to P5.

If you have questions, please contact :mdaly.
Priority: -- → P5
Component: DOM → DOM: Core & HTML
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.