307 bytes, text/html
449 bytes, text/html
506 bytes, text/html
4.26 KB, patch
Mike Schroepfer: approval1.8.1+
This is a bug in DOM inspector -- it arguably should isolate itself from the page's use of new features such as the iteration protocol. I'm not sure why you filed this against the JS engine. /be
The same thing happens if a document in one domain tries to iterate over the properties of a document in another domain...
How does that cross-site scripting exploit work? Can you get at another window's document object in order to iterate it? It ought to be off limits by the same origin policy. A testcase would be good, since the DOM inspector case doesn't demonstrate this claim. /be
Created attachment 224028 [details] testcase 3 (__iterator__ on document)
Hmm, that testcase confuses Firefox's address bar.
Address bar confusion --> bug 339928.
For the cross-domain case to work, the script trying to do the for..in has to be top-level. Weird.
Created attachment 224257 [details] [diff] [review] Fix for the cross-origin testcase

I haven't tested the DOMI testcase yet, but this patch fixes the cross-origin problem by doing security checks even when the only script running on cx is the top-level script with no function object.
DOMI behavior is not a bug. DOMI sets xpcnativewrappers=no, use it carefully. /be
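The two behaviours discussed above, modelled in plain JavaScript as an added example (this is not Mozilla code and not one of the bug's testcases). Current engines no longer honour the SpiderMonkey-only `__iterator__` hook from JS 1.7, so a Proxy `ownKeys` trap stands in for it; the function names `wrapForCaller`, `needsSecurityCheck`, `enumerateAs`, the `caller.topLevel` flag and the `victim.invalid` / `attacker.invalid` origins are all invented for the illustration. Part 1 shows why an inspector with native wrappers disabled is exposed: `for..in` over a page object runs code the page chose. Part 2 shows why the wrapper's origin check has to run on every path, including the one where the only script on the stack is the top-level script.

```javascript
'use strict';

// Part 1: the DOM Inspector case. JS 1.7's __iterator__ let a page decide what
// for..in over its objects yields; current engines dropped it, so a Proxy
// ownKeys trap stands in here (modelling assumption). Either way, a privileged
// tool that enumerates a page object runs page-chosen code on its own stack.
const hookLog = [];

function makeHookedPageObject() {
  const real = { title: 'Welcome', cookie: 'sid=abc' };   // constructed sample
  return new Proxy(real, {
    ownKeys() {
      hookLog.push('page enumeration hook ran');
      return ['title'];            // the page hides 'cookie' from the enumerator
    },
  });
}

// What a naive inspector does with whatever object it is handed.
function listKeys(obj) {
  const keys = [];
  for (const key in obj) keys.push(key);
  return keys;
}

// Part 2: the cross-origin case. A wrapper that hands a document owned by one
// origin to script from another must run the origin check on every access.
// `caller.topLevel` models "the only script on cx is the top-level script with
// no function object"; with fixed=false the check is skipped for that caller
// (the bug), with fixed=true it always runs (the patch).
function wrapForCaller(doc, docOrigin, caller, fixed) {
  function needsSecurityCheck() {
    if (!fixed && caller.topLevel) return false;   // the buggy early return
    return true;
  }
  function gate() {
    if (needsSecurityCheck() && caller.origin !== docOrigin) {
      throw new Error('Permission denied: ' + caller.origin + ' -> ' + docOrigin);
    }
  }
  return new Proxy(doc, {
    ownKeys(t) { gate(); return Reflect.ownKeys(t); },
    getOwnPropertyDescriptor(t, k) { gate(); return Reflect.getOwnPropertyDescriptor(t, k); },
    get(t, k) { gate(); return Reflect.get(t, k); },
  });
}

// Constructed victim document (invented origin) and a helper that reports what
// a for..in issued by `caller` can see through the wrapper.
const VICTIM_ORIGIN = 'http://victim.invalid';
function makeVictimDocument() {
  return { title: 'Account', cookie: 'session=secret' };
}

function enumerateAs(caller, fixed) {
  const wrapped = wrapForCaller(makeVictimDocument(), VICTIM_ORIGIN, caller, fixed);
  try {
    return { ok: true, keys: listKeys(wrapped) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('DOMI case:', listKeys(makeHookedPageObject()), hookLog);
  const attacker = { origin: 'http://attacker.invalid', topLevel: true };
  console.log('unfixed, top-level, cross-origin:', enumerateAs(attacker, false));
  console.log('fixed,   top-level, cross-origin:', enumerateAs(attacker, true));
}
```

Run it with `node` to see the hook fire and the unfixed wrapper leak the victim's property names to a top-level cross-origin script while a script running inside a function is denied; with `fixed=true` both callers are denied. The `get` trap is there because a real wrapper also gates property reads, not just enumeration.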
Created attachment 224271 [details] [diff] [review] Better fix

I missed needsSecurityCheck the first time around.
Comment on attachment 224271 [details] [diff] [review] Better fix

- In needsSecurityCheck():

    cached_win_cx = cx;
    cached_win_wrapper = wrapper;
-   cached_win_needs_check = PR_TRUE;

There are a few early returns after this code that rely on the static cached_win_needs_check being set to true here. So what you probably want is to just leave this line in, and add the line where you're setting it to false. r=jst with that changed.
Created attachment 224284 [details] [diff] [review] Updated
> DOMI behavior is not a bug. DOMI sets xpcnativewrappers=no, use it carefully. Don't use DOM Inspector on untrusted pages? Eww.
Comment on attachment 224284 [details] [diff] [review] Updated

sr=me, thanks for fixing. Make this block the js1.7 bug please, and collect any other blockers so we can get their patches landed on the 1.8 branch in due course. /be
Fix checked into trunk.
This caused a significant Tdhtml regression. See bug 340537.
This blocks js1.7 and I think it allows top-level scripts to access properties cross-domain.
Comment on attachment 224284 [details] [diff] [review] Updated

If we take this, we're also going to want the patch for bug 340537 to fix the perf regression this introduces.
May fix bug 339918
Fix checked into the 1.8 branch.
Comment on attachment 224284 [details] [diff] [review] Updated

approved for 1.8.0 branch, a=dveditz for drivers
Fix checked into the 1.8.0 branch.
This bug does not affect Firefox 1.0.x or Mozilla 1.7.x
https://bugzilla.mozilla.org/attachment.cgi?id=224017
ff2b2 windows, linux: alert "custom iterator called"

https://bugzilla.mozilla.org/attachment.cgi?id=224028&action=view
Not sure I am testing this right. Jesse, can you verify this is fixed on Firefox beta 2?
pvnick is doing a bit of research on XSS and also gathering up bugs with security-related test cases to help add to the regression/certification test suites. Adding him to the cc list in these...