Closed Bug 413071 Opened 13 years ago Closed 13 years ago

Cross-site XMLHttpRequest can grant access when it shouldn't

Categories

(Core :: XML, defect, P1)

RESOLVED FIXED
mozilla1.9beta3

People

(Reporter: sicking, Assigned: sicking)

There's a bug in the cross site XHR implementation that causes it to grant access even though it shouldn't. The problem is that even though we cancel the channel, we still keep getting onDataAvailable notifications from necko which we don't expect.

The reason I didn't detect this is that it seems that we do drop the first set of data, so if the loaded file is small enough it'll get properly blocked.

I also just realized that there might be other types of data still living on the channel that can be accessed. I'll write some tests and check that.
Flags: blocking1.9+
Priority: -- → P1
Attached patch: Patch to fix
Whoever gets to this first would be great to get an r/sr. The main problem here was that I was getting onDataAvailable calls even after cancelling the channel. Necko only stops feeding those if you actually return an error.

Added belts and braces code so that this shouldn't happen again.

I also made sure that we don't let through any header data for denied requests.
Attachment #300281 - Flags: superreview?(peterv)
Attachment #300281 - Flags: review?(jst)
Attachment #300281 - Attachment is patch: true
Attachment #300281 - Attachment mime type: application/octet-stream → text/plain
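A toy model of the failure described in the comment above, added here as an illustration; it is not Mozilla's code or the attached patch. `Pump`, `Listener`, `TrustingProxy`, `LatchingProxy` and `deliver` are hypothetical names, and the pump dropping one chunk after a cancel is an assumption made to mirror the reporter's observation that small files were blocked.

```cpp
#include <string>
#include <vector>
// Toy model, not Necko: cancel() alone does not stop delivery. The pump drops
// one chunk after a cancel (assumed, to mirror the "first set of data" remark)
// and keeps calling onData until the listener returns false (an error).
struct Pump;
struct Listener {
    virtual ~Listener() = default;
    virtual void onStart(Pump& pump, bool allowed) = 0;
    virtual bool onData(const std::string& chunk) = 0;
};
struct Pump {
    bool cancelled = false;
    void cancel() { cancelled = true; }
    void run(Listener& l, bool allowed, const std::vector<std::string>& chunks) {
        l.onStart(*this, allowed);
        bool dropNext = cancelled;
        for (const std::string& c : chunks) {
            if (dropNext) { dropNext = false; continue; }
            if (!l.onData(c)) break;  // only an error return ends delivery
        }
    }
};
// "Before": trusts cancel() and forwards whatever still arrives.
struct TrustingProxy : Listener {
    std::string delivered;  // what the requesting page can read
    void onStart(Pump& pump, bool allowed) override { if (!allowed) pump.cancel(); }
    bool onData(const std::string& chunk) override { delivered += chunk; return true; }
};
// "After": latches the denial, forwards nothing, and returns an error.
struct LatchingProxy : TrustingProxy {
    bool denied = false;
    void onStart(Pump& pump, bool allowed) override {
        denied = !allowed;
        TrustingProxy::onStart(pump, allowed);
    }
    bool onData(const std::string& chunk) override {
        return !denied && TrustingProxy::onData(chunk);
    }
};
// Runs one response through a proxy and returns what reached the page.
template <class Proxy>
std::string deliver(bool allowed, const std::vector<std::string>& chunks) {
    Pump pump;
    Proxy proxy;
    pump.run(proxy, allowed, chunks);
    return proxy.delivered;
}
int main() { return deliver<LatchingProxy>(false, {"se", "cr", "et"}).empty() ? 0 : 1; }
```

In this model a denied single-chunk response looks blocked even with the trusting proxy, so a regression test for this class of bug needs a response that spans several chunks.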
Comment on attachment 300281
Patch to fix

rubber-stamp r+sr=dbaron; please get review from jst/peterv tomorrow
Attachment #300281 - Flags: superreview?(peterv)
Attachment #300281 - Flags: superreview+
Attachment #300281 - Flags: review+
Attachment #300281 - Flags: review?(jst) → review+
Target Milestone: --- → mozilla1.9beta3
Comment on attachment 300281
Patch to fix

r+sr=jst
Checked in
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Attachment #300281 - Flags: review?(peterv)
Group: core-security