Closed
Bug 387216
Opened 17 years ago
Closed 8 years ago
Reconsider explicit same-origin checks in nsSchemaLoader and nsXFormsUtils
Categories
(Core Graveyard :: XForms, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: bzbarsky, Unassigned)
References
(Blocks 1 open bug)
Details
In particular, what behavior is wanted here with signed jars? Should one be able to link from inside a signed jar to things from the same site? To things with the same signed jar? Should one be able to link from an unsigned part of a site to schema from a signed jar? Perhaps the check should be performed post-load, on the principal of the result, not pre-load?
Comment 1 (Reporter) • 17 years ago
nsXFormsUtils has a similar setup, but there it's possible that we're checking whether it's OK to _send_ data. Perhaps we need a principal version of nsIScriptSecurityManager::CheckConnect or something? One that would handle document.domain being set correctly, unlike CheckSameOriginPrincipal?
Summary: Consider eliminating explicit same-origin check in nsSchemaLoader → Reconsider explicit same-origin checks in nsSchemaLoader and nsXFormsUtils
Comment 2 (Reporter) • 16 years ago
This code has switched to CheckMayLoad(), looks like. It's still not clear that this is the right thing for it to be doing, but ok.
Comment 3 • 8 years ago
RIP xforms
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Updated (Assignee) • 8 years ago
Product: Core → Core Graveyard