Open
Bug 370113
Opened 18 years ago
Updated 2 years ago
Use nsIPrincipal APIs instead of CheckSameOriginPrincipal
Categories
(Core :: Security, defect)
Tracking
()
NEW
People
(Reporter: bzbarsky, Assigned: dveditz)
References
Details
Very few callers of CheckSameOriginPrincipal want to actually do a same-origin check. The ones that do should be using Equals(), at least once bug 369201 is fixed. I think we should eliminate CheckSameOriginPrincipal, in fact.
Flags: blocking1.9?
Flags: blocking1.8.0.11-
Reporter | ||
Comment 1•18 years ago
|
||
One issue here might be that some people are doing CheckSameOriginPrincipal when they really only have a principal and a URI (e.g. XForms comes to mind). We probably need a separate API for that... Also, I think a lot of the nsDocument checks should be ownerDocument compares, not same-origin compares. And then we need to figure out whether we need a separate method on nsContentUtils for subsumes() testing vs same-origin testing.
Flags: blocking1.9? → blocking1.9-
Whiteboard: [wanted-1.9]
Reporter | ||
Comment 2•18 years ago
|
||
I actually do think we should block on this -- we have existing security issues we can't really fix until we fix this bug. That said, fixing this once bug 369201 lands is a pretty high priority for me, so I'll probably just do it.
Please do mark depending security bugs as depending and we'll revisit at some point down the road. Or just fix it of course :)
Updated•17 years ago
|
Flags: wanted1.9+
Whiteboard: [wanted-1.9]
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•