Open Bug 370113 Opened 14 years ago Updated 13 years ago
IPrincipal APIs instead of CheckSameOriginPrincipal
Very few callers of CheckSameOriginPrincipal want to actually do a same-origin check. The ones that do should be using Equals(), at least once bug 369201 is fixed. I think we should eliminate CheckSameOriginPrincipal, in fact.
One issue here might be that some people are doing CheckSameOriginPrincipal when they really only have a principal and a URI (e.g. XForms comes to mind). We probably need a separate API for that... Also, I think a lot of the nsDocument checks should be ownerDocument compares, not same-origin compares. And then we need to figure out whether we need a separate method on nsContentUtils for subsumes() testing vs same-origin testing.
Flags: blocking1.9? → blocking1.9-
I actually do think we should block on this -- we have existing security issues we can't really fix until we fix this bug. That said, fixing this once bug 369201 lands is a pretty high priority for me, so I'll probably just do it.
Please do mark depending security bugs as depending and we'll revisit at some point down the road. Or just fix it of course :)