This is a bug in DOM inspector -- it arguably should isolate itself from the page's use of new features such as the iteration protocol. I'm not sure why you filed this against the JS engine. /be
The same thing happens if a document in one domain tries to iterate over the properties of a document in another domain...
How does that cross-site scripting exploit work? Can you get at another window's document object in order to iterate it? It ought to be off limits by the same origin policy. A testcase would be good, since the DOM inspector case doesn't demonstrate this claim. /be
Hmm, that testcase confuses Firefox's address bar.
Address bar confusion --> bug 339928.
For the cross-domain case to work, the script trying to do the for..in has to be top-level. Weird.
I haven't tested the DOMI testcase yet, but this patch fixes the cross-origin problem by doing security checks even when the only script running on cx is the top level script with no function object.
OS: Windows XP → All
Priority: -- → P2
Hardware: PC → All
Target Milestone: --- → mozilla1.9alpha
DOMI behavior is not a bug. DOMI sets xpcnativewrappers=no, use it carefully. /be
I missed needsSecurityCheck the first time around.
Comment on attachment 224271 [details] [diff] [review] Better fix

- In needsSecurityCheck():

      cached_win_cx = cx;
      cached_win_wrapper = wrapper;
    - cached_win_needs_check = PR_TRUE;

  There are a few early returns after this code that rely on the static cached_win_needs_check being set to true here. So what you probably want is to just leave this line in, and add the line where you're setting it to false. r=jst with that changed.
Attachment #224271 - Flags: review?(jst) → review+
> DOMI behavior is not a bug. DOMI sets xpcnativewrappers=no, use it carefully.

Don't use DOM Inspector on untrusted pages? Eww.
Comment on attachment 224284 [details] [diff] [review] Updated

sr=me, thanks for fixing. Make this block the js1.7 bug please, and collect any other blockers so we can get their patches landed on the 1.8 branch in due course. /be
Attachment #224284 - Flags: superreview?(brendan) → superreview+
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
This caused a significant Tdhtml regression. See bug 340537.
This blocks js1.7 and I think it allows top-level scripts to access properties cross-domain.
Comment on attachment 224284 [details] [diff] [review] Updated

If we take this, we're also going to want the patch for bug 340537 to fix the perf regression this introduces.
May fix bug 339918
Whiteboard: requires 340537
Summary: __iterator__ defined by web page is called by DOM Inspector → needsSecurityCheck() incorrect for top-level scripts
Whiteboard: requires 340537 → [sg:high] xss? requires 340537
Flags: blocking1.8.1? → blocking1.8.1+
Target Milestone: mozilla1.9alpha → mozilla1.8.1beta1
Fix checked into the 1.8 branch.
Comment on attachment 224284 [details] [diff] [review] Updated

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #224284 - Flags: approval188.8.131.52? → approval184.108.40.206+
Fix checked into the 1.8.0 branch.
This bug does not affect Firefox 1.0.x or Mozilla 1.7.x
Whiteboard: [sg:high] xss? requires 340537 → [sg:high] xss? requires 340537 (not 1.7/aviary)
https://bugzilla.mozilla.org/attachment.cgi?id=224017
ff2b2 windows, linux: alert "custom iterator called"

https://bugzilla.mozilla.org/attachment.cgi?id=224028&action=view
not sure I am testing this right. Jesse, can you verify this is fixed on firefox beta 2?
pvnick is doing a bit of research on XSS and also gathering up bugs with security related test cases to help add to the regression/certification test suites. adding him to the cc list in these...
Component: DOM → DOM: Core & HTML
Product: Core → Core