Closed Bug 332182 Opened 19 years ago Closed 18 years ago

[FIX]Consider making about:blank use the parent principal

Categories

(Core :: DOM: Core & HTML, defect, P1)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: bzbarsky, Assigned: bzbarsky)

References

Details

(Keywords: dev-doc-complete, testcase, Whiteboard: [sg:moderate] XSS against sites that put interesting data in about:blank documents)

Attachments

(4 files, 15 obsolete files)

Added a few more tests that the first patch failed
7.33 KB, application/zip
Details
Same as diff -w
49.05 KB, patch
Details | Diff | Splinter Review
Updated to jst's comments
52.75 KB, patch
mrbkap
: review+
Details | Diff | Splinter Review
Sorta-port into JS of that jssh harness
4.31 KB, text/plain
Details
I think we should give about:blank the "parent" principal just like we do for javascript: and data: URIs. This would change the behavior of the following cases: 1) about:blank in a subframe would get the principal of the parent document 2) Clicking on a link to about:blank from document A would give the resulting document the principal of document A. 3) window.open("about:blank") calls once the URI loads. I also think we should make window.open calls in general munge the principal of the opened window _before_ starting the URI load in the case when the opened window has about:blank in it to make that principal be the subject principal. The net result, if I read our code correctly, is that we should be able to remove the about:blank checks in nsScriptSecurityManager::CheckSameOriginPrincipalInternal, nsPrincipal::Subsumes, nsJSThunk::EvaluateScript. The idea is that if I have a subframe that's about:blank and that I fill via DOM manipulation, other sites should NOT be able to access that DOM. Right now, if they get access to that window, they can access the DOM, as far as I can tell. Anyone see any obvious problems? Or know of obvious things to test in a build with this change?
This is a great idea. Even Mozilla Classic didn't get this right -- see http://lxr.mozilla.org/classic/source/lib/libmocha/lm_taint.c#1192. The early access stuff there might shed light on hard cases (or it might be obsolete, from Netscape 4 signed script days). It suggests multiple principals might be allowed early access to about:blank or similar loaded in a new window or heretofore empty frame-in-frameset. /be
Whiteboard: [sg:moderate] XSS against sites that put interesting data in about:blank documents
*** Bug 313070 has been marked as a duplicate of this bug. ***
> I think we should give about:blank the "parent" principal > just like we do for javascript: and data: URIs. Hurrah! I've been grousing about this for years on comp.lang.javascript and was just about to enter a report - fortunately, it means I've got a test case ready to go. > This would change the behavior of the following cases: > 2) Clicking on a link to about:blank from document A would > give the resulting document the principal of document A. Why doesn't it make sense for the new about:blank to get the principal of the parent document or opener? > The idea is that if I have a subframe that's about:blank > and that I fill via DOM manipulation, other sites should > NOT be able to access that DOM. Right now, if they get > access to that window, they can access the DOM, as far as > I can tell. > Anyone see any obvious problems? Or know of obvious > things to test in a build with this change? Here's why I'd like this. I want to be able to submit my form to an iframe and then be able to process it myself (via <iframe name=myframe onload="...">). For example, there is certain info in the form request that can otherwise be difficult to get to reasonably (such as the mouse position on an image click). So my form's action will be "about:blank" and the resultant url will be about:blank?field1=val1&field2=val2... (This type of URI works fine for me with Greasmonkey). The attachment has a form (with one hidden field) and an iframe. Each time the button is pressed, the form is submitted to the iframe, and it will show Loaded followed by the location. Only right now, if there's a ? after about:blank, it gets a security error: uncaught exception: Permission denied to get property Location.href Csaba Gabor from Vienna
Actually, about:blank and about:blank?gunk are different as far as security is concerned.... We could consider doing something like this for the latter, but it would take a lot more thought and care to get right. So if you care about that, please file a separate bug and make it dependent on this one. Oh, and there's no need to "sign" your bug comments -- it's already clear who's making the comment.
Need to sort out what the deal is with the various people who load about:blank in an attempt to "clear the decks" security-wise, since that will no longer work. :(
Blocks: 332238
Testcases to make sure not to break: https://bugzilla.mozilla.org/attachment.cgi?id=226589 Clicking a link in a gmail message (see bug 342108) Whatever I end up attaching to this bug. https://bugzilla.mozilla.org/attachment.cgi?id=199252 http://www.squarefree.com/jsenv/
Attached file Basic window-opening testcase (obsolete) —
Attachment #216945 - Attachment is obsolete: true
Attached file Same thing with a timeout (obsolete) —
Attached file With timeout and explicit load (obsolete) —
Attached file Without timeout, with explicit load (obsolete) —
Attachment #226692 - Attachment is obsolete: true
Attachment #226693 - Attachment is obsolete: true
Attachment #226694 - Attachment is obsolete: true
Attached file Basic timeout (obsolete) —
Attached file Timeout with explicit load (obsolete) —
Keywords: testcase
Attached file Testing a frameset (obsolete) —
Blocks: 64539
Depends on: 348272
I have a fix. Testing now.
Assignee: general → bzbarsky
Priority: -- → P1
Summary: Consider making about:blank use the parent principal → [FIX]Consider making about:blank use the parent principal
Target Milestone: --- → mozilla1.9alpha
Attached patch This passes all my tests (obsolete) — Splinter Review
Basic changes: 1) Change the handling of mOpenerScriptPrincipal a tad -- set that principal on whatever document is in the window we end up opening when the open call returns, and use that principal when creating a content viewer due to there not being one around at all. I could kill off mOpenerScriptPrincipal completely if we're ok with always forcing document creation in the cases when SetOpenerScriptPrincipal is called. I'm somewhat tempted to do that, but would like feedback. 2) Make subframe about:blank loads inherit the principal from the parent, but NOT from the previous document in the same frame (unlike javascript: and data:). 3) Keep track of the "initial" documents in windows so we only special-case those for security purposes. 4) Remove about:blank special-casing in WouldReuseInnerWindow, nsPrincipal, and nsScriptSecurityManager.
Attachment #233260 - Flags: superreview?(jst)
Attachment #233260 - Flags: review?(mrbkap)
Attached patch With a comment correction (obsolete) — Splinter Review
Attachment #233260 - Attachment is obsolete: true
Attachment #233261 - Flags: superreview?(jst)
Attachment #233261 - Flags: review?(mrbkap)
Attachment #233260 - Flags: superreview?(jst)
Attachment #233260 - Flags: review?(mrbkap)
Blocks: test-suites
Blocks: 346404
Attached file Tests (obsolete) —
The tests need a Firefox (not any other Gecko app) build with jssh. See http://wiki.mozilla.org/SoftwareTesting:Tools:TestRunnerPython for instructions. davel, I made some changes to the test harness. Of particular note, I changed the TextTestRunner() constructor call to use stdout so it interleaves properly with the print() statements elsewhere in the test in the face of output buffering (e.g. when redirecting to a file) and added the loop to do multiple pref values. As a result of the loop, we don't stop at the first failure but keep trying other pref combinations instead; we could change that, but I think that's acceptable behavior for what we want here.
Attachment #226681 - Attachment is obsolete: true
Attachment #226695 - Attachment is obsolete: true
Attachment #226696 - Attachment is obsolete: true
Attachment #226697 - Attachment is obsolete: true
Attachment #226728 - Attachment is obsolete: true
Attachment #233261 - Attachment is obsolete: true
Attachment #233265 - Flags: superreview?(jst)
Attachment #233265 - Flags: review?(mrbkap)
Attachment #233261 - Flags: superreview?(jst)
Attachment #233261 - Flags: review?(mrbkap)
Comment on attachment 233265 [details] [diff] [review] With some tweaks to nsJSProtocolHandler too I mentioned to bz on IRC that the JS protocol handler changes look like they'll regress bug 302618.
Comment on attachment 233265 [details] [diff] [review] With some tweaks to nsJSProtocolHandler too Yeah, need to sort out how to not regress that.
Attachment #233265 - Flags: superreview?(jst)
Attachment #233265 - Flags: review?(mrbkap)
Attachment #233262 - Attachment is obsolete: true
Attachment #233265 - Attachment is obsolete: true
Attached patch Updated patch (obsolete) — Splinter Review
This patch passes the updated tests and also doesn't regress bug 302618. Changes, in addition to the ones listed in comment 16: 5) Don't use INTERNAL_LOAD_FLAGS_INHERIT_OWNER in nsDocShell::Reload. We really just want to use our existing principal; if we have none we do NOT want to inherit from a parent document. 6) Make GetInheritedPrincipal have two modes -- one for use for loads of javascript: and data: and one for use from CreateAboutBlankContentViewer. Do not call GetInheritedPrincipal for about:blank anymore -- subframe loads have the right owner anyway, and for random nsIWebNavigation callers we don't know what principal they want so err on the secure side. 7) When retargeting the load, don't pass along the INTERNAL_LOAD_FLAGS_INHERIT_OWNER (that's just a long-standing bug). 8) When getting the inherited principal for a javascript: or data: load, try to at least create an about:blank content viewer if all else fails. Note that this can also pick up the opener principal as needed. This change refixes bug 302618 9) Move the call to SetOpenerScriptPrincipal to much earlier in the window-open sequence. Do it for non-JS opens as well as JS ones; use the opener window's principal for the former. 10) Don't use object principals for javascript: URIs that have no owner. Just use the null principal. Callers should pass in owners, dammit! 11) Mark HTML documents that get OpenCommon() called on them as no longer initial documents. 12) Remove the code in ScriptWriteCommon() that clobbered the principal with the caller's principal. At this point, being able to write to a document means you're either same-origin or have UniversalWhatever bits. If we want to keep the principal-clobbering behavior for the latter case, let me know and I'll see how to work it into the current setup.
Attachment #233338 - Attachment is obsolete: true
Attachment #233342 - Flags: superreview?(jst)
Attachment #233342 - Flags: review?(mrbkap)
Attached patch Same as diff -wSplinter Review
The nsGlobalWindow changes are easier to review here.
Attachment #233338 - Attachment is obsolete: false
(In reply to comment #23) > 6) ... have the right owner anyway, and for random nsIWebNavigation callers we > don't know what principal they want so err on the secure side. Is there a bug on file for the random nsIWebNavigation callers not passing the right (or any) principal? Maybe it's on file as bug 293363. > 7) When retargeting the load, don't pass along the > INTERNAL_LOAD_FLAGS_INHERIT_OWNER (that's just a long-standing bug). Thanks for digging into this old code. It crawls due to bugs standing on it for too long ;-). > 9) Move the call to SetOpenerScriptPrincipal to much earlier in the > window-open sequence. Do it for non-JS opens as well as JS ones; use the > opener window's principal for the former. Do you mean the subject principal of the calling script, or the object principal of the window that's the base object of the "open" reference, e.g., w in w.open(u)? It may be the same in most cases, since open is not allAccess (please confirm), so a subject p that can call w.open(u) implies that w has object principal p. But with elevated privileges, w could have q, and we would want any pseudo-URI u (javascript:, etc.) to load in w with principal p, not q. > 10) Don't use object principals for javascript: URIs that have no owner. Just > use the null principal. Callers should pass in owners, dammit! Amen. This may not be covered by bug 293363. > 11) Mark HTML documents that get OpenCommon() called on them as no longer > initial documents. Can you remind me of why this crazy property is needed to annotate the initial doc? mrbkap mentioned it yesterday, I boggled, but didn't retain the reason. > 12) Remove the code in ScriptWriteCommon() that clobbered the principal with > the caller's principal. At this point, being able to write to a document > means you're either same-origin or have UniversalWhatever bits. If we want > to keep the principal-clobbering behavior for the latter case, let me know > and I'll see how to work it into the current setup. This is the p, not q, case I sketched above. We need the subject principals to taint the created document. We shouldn't assume that the last document's object principals are the same. /be
> Is there a bug on file for the random nsIWebNavigation callers Not really. Part of the problem is that they _can't_ pass in a principal -- nsIWebNavigation::loadURI doesn't have an arg for it. I suppose bug 293363 can cover this... > Do you mean the subject principal of the calling script, or the object > principal of the window that's the base object of the "open" reference The former, then fall back to the latter if the former returns null (no script on stack, or explicit null jscontext pushed, as happens with link clicks and form submits). > Can you remind me of why this crazy property is needed This property is used in two places: * A Boris-is-paranoid check in SetOpenerScriptPrincipal. If the document in the window is not an "initial" document when this is called, we just bail out instead of mutating its principal. I don't expect this to actually happen barring buggy window providers, but I figured it was worth the extra safety-check. * In WouldReuseInnerWindow we only want to reuse if the previous document has this property. I'm really nor sure how to get around this -- we need that constraint. > We need the subject principals to taint the created document. Taint, maybe (reset to the meet of the two). Clobber, no. Our behavior without my patch is "if the document URI is about:blank, clobber the principals, otherwise do nothing". This is patently wrong in the new world where about:blank has sane principals, so I just made us consistently do what we did if you called document.open() on a document that wasn't about:blank. I do agree it would make sense to reset to the meet of the principals on stack and the document principal in this case; I'd be happy to file a followup bug on doing that if you want.
(In reply to comment #26) > Not really. Part of the problem is that they _can't_ pass in a principal -- > nsIWebNavigation::loadURI doesn't have an arg for it. I suppose bug 293363 can > cover this... Right. > > Do you mean the subject principal of the calling script, or the object > > principal of the window that's the base object of the "open" reference > > The former, then fall back to the latter if the former returns null (no script > on stack, or explicit null jscontext pushed, as happens with link clicks and > form submits). Ok, that makes sense -- the null context means that the user is making a load gesture that should speak-for the loaded doc. > * In WouldReuseInnerWindow we only want to reuse if the previous document has > this property. I'm really nor sure how to get around this -- we need that > constraint. I understand this case. I wonder whether we couldn't, some fine day, avoid overloading about:blank by creating windows without content, and use the lack of content loaded in the window to distinguish this case. Then there's no hazard of inheriting the wrong principal or clobbering the right one in this case. > > We need the subject principals to taint the created document. > > Taint, maybe (reset to the meet of the two). Clobber, no. Our behavior > without my patch is "if the document URI is about:blank, clobber the > principals, otherwise do nothing". Is ScriptWriteCommon another observation point that faces ambiguity between overwriting (document.open) and self-modifying (document.write from a script tag)? Overwriting should clobber the principal. > This is patently wrong in the new world > where about:blank has sane principals, so I just made us consistently do what > we did if you called document.open() on a document that wasn't about:blank. Which is to assume that the writing script's principal is the same as the principal of the document being overwritten? That seems wrong in the elevated privileges case. > I do agree it would make sense to reset to the meet of the principals on stack > and the document principal in this case; I'd be happy to file a followup bug on > doing that if you want. The overwriting case should clobber principal, not compute a mixture, unless you know of an exploit based on data from the old doc (the one being overwritten) remaining in the new one, or otherwise mixing. But any such information leak would be a long-standing bug in the same-origin model, and I know of no such bug. So I think the problem is that we haven't distinguished overwriting from self-modifying. /be
> and use the lack of content loaded in the window to distinguish this case The problem is that various people (like the Firefox UI's tab-creation code) access window.document, which automatically creates a document in the window. I'm basically using the initialDocument flag to flag documents that weren't "really loaded". > Overwriting should clobber the principal. That could be done in OpenCommon() (at the point where we actually blow away the old document), and maybe we should do it (so the code that _used_ to own the document can't access the content we're putting into it). But is that different from replacing the documentElement via DOM manipulation, conceptually? If so, how? I really don't think we should clobber the principal for replaceChild(documentElement).... No matter what, ScriptWriteCommon is the wrong place for it. That said, how should we treat a document.write() from origin A in to a document of origin B while the latter is loading (so that it's not clobbered, but the data is just inserted into the parse stream)? And again, how is this different from DOM manipulation? > Which is to assume that the writing script's principal is the same Yeah, basically. > The overwriting case should clobber principal, not compute a mixture I can buy this if we don't preserve the inner window in this case, but again see the above questions. Again, I'd prefer to do that in a followup bug.
(In reply to comment #28) > > and use the lack of content loaded in the window to distinguish this case > > The problem is that various people (like the Firefox UI's tab-creation code) > access window.document, which automatically creates a document in the window. > I'm basically using the initialDocument flag to flag documents that weren't > "really loaded". Sounds like this is "as good as it gets", then. > > Overwriting should clobber the principal. > > That could be done in OpenCommon() (at the point where we actually blow away > the old document), and maybe we should do it (so the code that _used_ to own > the document can't access the content we're putting into it). Yes, if the principals differ. This seems like another case where, under same origin and without allAccess for document.open.call, some extension of the default security model must be in effect for the principals to differ, e.g., enablePrivilege has been called -- check? Still seems worth getting the trust label calculus right, not mistaking current- or default-model correlation for causality. > But is that > different from replacing the documentElement via DOM manipulation, > conceptually? I'm the DOM level 0 perpetrator, and document.open replaces the contents of a window, so it's analogous to loading the window via location.href = ... or a targeted window.open. This case is clear: clobber. For DOM level N, I'd like to appeal to the w3c standards, but I bet they say bupkis about security models and access control. Conceptually, the two cases could differ only if there is a finer granularity of trust containment than the window (frame, iframe) object. But I do not believe there is any such smaller container, so I would be content if these two levels of DOM clobbered. > If so, how? I really don't think we should clobber the > principal for replaceChild(documentElement).... Why no? Just looking for more info, not doubting (except based on trust label pigeon-hole reasoning above). > No matter what, > ScriptWriteCommon is the wrong place for it. Agreed. Followup bug for sure. > That said, how should we treat a document.write() from origin A in to a > document of origin B while the latter is loading (so that it's not clobbered, > but the data is just inserted into the parse stream)? That's a same-origin violation unless you suppose that A has enabled privilege. If it has, then we need new policy. I suspect the Netscape 4 code would clobber B's principal with A's. I do not remember whether Netscape 3 would compute the meet of A and B -- it might have, it had machinery to do that. > And again, how is this > different from DOM manipulation? It's not, in my book. > > The overwriting case should clobber principal, not compute a mixture > > I can buy this if we don't preserve the inner window in this case, but again > see the above questions. Again, I'd prefer to do that in a followup bug. Sure, and double-check on new inner window being needed. /be
> Why no? Because why clobber for the documentElement but not other elements? What about scripts included via PI (if we ever support that), which would be outside the documentElement? And so forth. In addition to which, none of these cases clear the window scope, unlike document.open. This last seems like a strong argument for having document.open clobber the principal, for what it's worth. And guess what? We do! It's just a little better hidden, so I didn't see it at first. ;) See http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/html/document/src/nsHTMLDocument.cpp&rev=3.693&mark=1957-1958,1966,1968-1970#1956 and http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/html/document/src/nsHTMLDocument.cpp&rev=3.693&mark=2001,2007-2009#1997 So things are already more or less OK here, except we clobber even when preserving the inner window. This can lead to exploits. For example: 1) Evilsite creates a blank document (so has "initialDocument" flag set), sets some properties on the window (getters, setters, whatever). 2) Goodsite with privileges is tricked into document.writing to this document. 3) The properties on that window now have goodsite's principal. So I feel that whenever we'd preserve the inner window we should clobber with the meet of current and caller, not with the caller, to protect the caller. Alternately, we should not preserve the inner window on document.open if the caller and current are not sameOrigin. As in, if that happens, remove the "initialDocument" flag before calling SetNewWindow. Either solution is secure; which do you prefer? > That's a same-origin violation unless you suppose that A has enabled > privilege. Sure. So make that assumption as needed. > If it has, then we need new policy. Agreed. Wiki, right?
(In reply to comment #30) > This last seems like a strong argument for having document.open clobber the > principal, for what it's worth. And guess what? We do! It's just a little > better hidden, so I didn't see it at first. ;) Whew. Somehow (I wish) it should all be easier to verify by inspection. > So I feel that whenever we'd preserve the inner window we should clobber with > the meet of current and caller, not with the caller, to protect the caller. > Alternately, we should not preserve the inner window on document.open if the > caller and current are not sameOrigin. As in, if that happens, remove the > "initialDocument" flag before calling SetNewWindow. Objective is not to use meet-of-principals just because we can (or could -- no mechanism yet, let alone policy). The right thing, I believe, is to clobber and that means a new inner window. But we don't want to break the case where props are preset on a brand new window. > Either solution is secure; which do you prefer? The backward compatible one ;-). We will get to use meet (or join, IIRC the literature uses join and of course they are duals) as we evolve toward better security models and information flow tracking (in my opinion). But for now we really ought to avoid meets, esp. when fixing existing use-cases to be secure. > > If it has, then we need new policy. > > Agreed. Wiki, right? Sure. Your point about documentElement replacement not being the same as document.open is good, but I don't believe any browser is ready to mix trust labels within a window. /be
Of course, we can use null principals as the meet of any two codebase principals, but that's not a useful greatest lower bound. It's only greatest in our current world because we lack mechanism to do better. /be
The only difference from the previous patch is that I added the following in nsHTMLDocument::OpenCommon right before calling SetNewWindow: if (!callerPrincipal || NS_FAILED(nsContentUtils::GetSecurityManager()-> CheckSameOriginPrincipal(callerPrincipal, NodePrincipal()))) { UnsetProperty(nsGkAtoms::initialDocumentInWindow); }
Attachment #233342 - Attachment is obsolete: true
Attachment #233524 - Flags: superreview?(jst)
Attachment #233524 - Flags: review?(mrbkap)
Attachment #233342 - Flags: superreview?(jst)
Attachment #233342 - Flags: review?(mrbkap)
Comment on attachment 233524 [details] [diff] [review] Clobber the inner on cross-domain document.open - In nsPrincipal::Equals(): - nsIURI *origin = mDomain ? mDomain : mCodebase; - nsCOMPtr<nsIURI> otherOrigin; - aOther->GetDomain(getter_AddRefs(otherOrigin)); - if (!otherOrigin) { - aOther->GetURI(getter_AddRefs(otherOrigin)); - } - - return nsScriptSecurityManager::GetScriptSecurityManager() - ->SecurityCompareURIs(origin, otherOrigin, aResult); + *aResult = + NS_SUCCEEDED(nsScriptSecurityManager::GetScriptSecurityManager() + ->CheckSameOriginPrincipal(this, aOther)); + return NS_OK; } As a side note, it seems odd to do the principal equality checks this way. It'd make more sense if the script security manager would ask a principal whether it's equal to another rather than a principal asking the security manager whether the principal itself is equal (with some definition of equal) to another principal. Would be more logical to have this pricipal comparison logic live in the principal code rather than in the script security manager code. Either way, this isn't introduced here per se, so leaving it as is, or filing a separate bug on this is fine with me... - In nsPrincipal::Subsumes(): { - // First, check if aOther is an about:blank principal. If it is, then we can [...] - } - return Equals(aOther, aResult); } Now that Subsumes() is identical to Equals(), would now be a good time to remove either from the API? Not something we'd want to do for any branches, but maybe for the trunk? - In nsScriptSecurityManager::CheckSameOrigin(): + // These booleans are only used when !aIsCheckConnect. Default + // them to true, and change if that turns out wrong. + PRBool subjectSetDomain = PR_TRUE; + PRBool objectSetDomain = PR_TRUE; This seems a bit backwards and potentially error-prone to me. I'd rather see these default to false and only set to true when they're really set to true. Pretty trivial in the code as is, but who knows how this code might change down the road and defaulting to the "safer" value seems safer to me. - In content/base/src/nsGkAtomList.h: +GK_ATOM(initialDocumentInWindow, "initialDocumentInWindow") This seems a bit hokey to me (sorry). If this is something we need documents to know I'd much rather see this explicitly expressed in the nsIDocument API, not as a ad-hoc property that's set on the document (if the implementation wants to use a property, fine, but there should be an getter/setter in nsIDocument for this IMO). - In nsFrameLoader::LoadURI(): + // XXX bz I'd love to nix this, but the problem is chrome calling + // setAttribute() on an iframe or browser and passing in a javascript: URI. + // We probably don't want to run that with chrome privileges... Though in + // similar circumstances, if one sets window.location.href from chrome we + // _do_ run that with chrome privileges, so maybe we should do the same + // here? loadInfo->SetInheritOwner(PR_TRUE); I think we should do the same here, yes. But that's a change for a separate bug IMO. - In nsDocShell::Reload(): + nsCOMPtr<nsIDOMDocument> domDoc(do_GetInterface(GetAsSupports(this))); + nsCOMPtr<nsIDOMNSDocument> domNSDoc(do_QueryInterface(domDoc)); + if (domNSDoc) { + domNSDoc->GetContentType(contentTypeHint); + } + + nsCOMPtr<nsIDocument> doc(do_QueryInterface(domDoc)); nsIDocument also has a GetContentType() method in it, so no need to QI the document to nsIDOMNSDocument here since you now QI to nsIDocument anyways. Other than that this looks really good to me! sr=jst with those issues addressed.
Attachment #233524 - Flags: superreview?(jst) → superreview+
Subsumes is not the same as equals for all principals. /be
Blocks: 348672
> it seems odd to do the principal equality checks this way. Agreed, but in general equality and being same-origin are slightly different things... I do agree that once we move everything to principals instead of URIs we should be able to move the impl into the principal. > Now that Subsumes() is identical to Equals() Only for nsPrincipal. For nsSystemPrincipal they're different. > This seems a bit backwards and potentially error-prone to me Good catch. Fixed. > I'd much rather see this explicitly expressed in the nsIDocument API, Done. > I think we should do the same here, yes. But that's a change for a separate > bug Filed bug 348672. > so no need to QI the document to nsIDOMNSDocument Good catch! Done.
Attachment #233524 - Attachment is obsolete: true
Attachment #233684 - Flags: review?(mrbkap)
Attachment #233524 - Flags: review?(mrbkap)
Comment on attachment 233684 [details] [diff] [review] Updated to jst's comments This looks awesome.
Attachment #233684 - Flags: review?(mrbkap) → review+
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Blocks: 327109
Do we want to fix this on the Firefox 2 branch?
I personally do not, for several reasons: 1) It's a web compat change (for the better, imo, but still). 2) I don't really have the time to port this patch to branch (make it not change APIs, etc). 3) The patch may or may not work on branch as-is -- I have no idea what other already-happened trunk work it happens to depend on. Sorting this out would take a lot of time. 4) We have no guarantee that this patch doesn't break things badly, given the current state of trunk testing. I wouldn't trust it to any sort of stable branch. _Maybe_ if it had gone in for Gecko 1.8.1RC1. Maybe. 5) If I spend all my time backporting security arch work from 1.9 to 1.8, I won't get anything done for 1.9. Yes, I know I've already said something like this in #2, but I can't stress it enough.
Flags: in-testsuite?
Keywords: dev-doc-needed
This patch depends on bug 325816.
Depends on: 325816
Depends on: CVE-2007-3844
Depends on: 389274
The key here is the pref-setting and the test iterator; this was written to run as a browser test, which is not what we want. Also, the tests should use the multiple-domain support mochitests have instead of using google.com and the like.
Can someone please explain to me the ways in which this impacts documentation? I don't really understand what the parent principal is, so it's hard for me to gauge how this needs to be written up.
The main change here is that before this patch any site could access any about:blank document. After this patch, only the site that created the about:blank document can access it.
There can be more than one about:blank page? The stuff I learn...
By that I mean that there's no information anywhere on MDC that indicates that about:blank is ever anything but a local file of some kind. I need to know more about this subject in order to document it properly; any idea where I can get that info?
Basically, about:blank is a placeholder document that we use when there is no other document around. So for example: <iframe></iframe> with no src attribute set will load about:blank. Doing: window.open() in JavaScript without specifying a URI opens a window that has about:blank loaded in it. Something like <iframe src="http://www.mozilla.org/"></iframe> and then accessing the iframe's contentDocument before we've gotten a response from www.mozilla.org will create an about:blank document in that iframe and return that Document object. When the server responds, we'll load the http://www.mozilla.org/ document in place of the about:blank one. The issue here was that if, say, one did window.open() and then put some content in that window using DOM APIs (appendChild, innerHTML, etc) then anyone who could get a handle to that window somehow could read that content.
Hopefully this is now adequately covered here: http://developer.mozilla.org/en/docs/DOM:document#Security_notes Please re-mark this as doc needed if that text doesn't cover things well enough.
Keywords: dev-doc-neededdev-doc-complete
That looks great. Thank you!
Blocks: 346659
Blocks: 346663
Blocks: 346664
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: