Open Bug 370113 Opened 18 years ago Updated 2 years ago

Use nsIPrincipal APIs instead of CheckSameOriginPrincipal

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Linux
Type:
defect

Tracking

()

People

(Reporter: bzbarsky, Assigned: dveditz)

References

Details

Very few callers of CheckSameOriginPrincipal want to actually do a same-origin check.  The ones that do should be using Equals(), at least once bug 369201 is fixed.

I think we should eliminate CheckSameOriginPrincipal, in fact.
Flags: blocking1.9?
Flags: blocking1.8.0.11-
One issue here might be that some people are doing CheckSameOriginPrincipal when they really only have a principal and a URI (e.g. XForms comes to mind).  We probably need a separate API for that...

Also, I think a lot of the nsDocument checks should be ownerDocument compares, not same-origin compares.

And then we need to figure out whether we need a separate method on nsContentUtils for subsumes() testing vs same-origin testing.
Flags: blocking1.9? → blocking1.9-
Whiteboard: [wanted-1.9]
I actually do think we should block on this -- we have existing security issues we can't really fix until we fix this bug.  That said, fixing this once bug 369201 lands is a pretty high priority for me, so I'll probably just do it.
Please do mark depending security bugs as depending and we'll revisit at some point down the road. Or just fix it of course :)
Depends on: 387202
Depends on: 387204
Depends on: 387212
Depends on: 387216
Depends on: 387220
Flags: wanted1.9+
Whiteboard: [wanted-1.9]
Patch in bug 418996 rips this API out.
Depends on: 418996
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.