Cross-site XMLHttpRequest can grant access when it shouldn't

RESOLVED FIXED in mozilla1.9beta3

Status

P1
normal
RESOLVED FIXED
11 years ago
6 years ago

People

(Reporter: sicking, Assigned: sicking)

Tracking

Trunk
mozilla1.9beta3
Bug Flags:
blocking1.9 +
in-testsuite ?

There's a bug in the cross site XHR implementation that causes it to grant access even though it shouldn't. The problem is that even though we cancel the channel, we still keep getting onDataAvailable notifications from necko which we don't expect.

The reason I didn't detect this is that it seems that we do drop the first set of data, so if the loaded file is small enough it'll get properly blocked.

I also just realized that there might be other types of data still living on the channel that can be accessed. I'll write some tests and check that.
Flags: blocking1.9+
Priority: -- → P1
Created attachment 300281
Patch to fix

Whoever gets to this first would be great to get an r/sr. The main problem here was that I was getting onDataAvailable calls even after cancelling the channel. Necko only stops feeding those if you actually return an error.

Added belts and braces code so that this shouldn't happen again.

I also made sure that we don't let through any header data for denied requests.
Attachment #300281 - Flags: superreview?(peterv)
Attachment #300281 - Flags: review?(jst)
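
The failure mode described in the comments above, as an added example that is not the attached patch and not Gecko code: a listener proxy that only requests a cancel keeps receiving and forwarding data, while one that records the denial and returns an error from every later callback exposes nothing. The pump, class names and sample chunks are assumptions made up for this model.

```cpp
// Simplified model for illustration; not Gecko/necko code. All names are hypothetical.
#include <iostream>
#include <string>
#include <vector>

enum class Status { Ok, Denied };

struct Listener {  // callbacks the modeled network pump invokes
    virtual ~Listener() = default;
    virtual Status onStart(bool originAllowed) = 0;
    virtual Status onData(const std::string& chunk) = 0;
    std::string exposed;  // what the requesting page would be able to read
};

// "Before": denial only requests a cancel; every callback still reports success.
struct CancelOnlyProxy : Listener {
    bool cancelRequested = false;
    Status onStart(bool allowed) override { cancelRequested = !allowed; return Status::Ok; }
    Status onData(const std::string& c) override { exposed += c; return Status::Ok; }
};

// "After": remember the decision, fail every later callback, forward nothing.
struct FailClosedProxy : Listener {
    bool approved = false;
    Status onStart(bool allowed) override { approved = allowed; return allowed ? Status::Ok : Status::Denied; }
    Status onData(const std::string& c) override {
        if (!approved) return Status::Denied;  // re-checked on every chunk
        exposed += c;
        return Status::Ok;
    }
};

// Modeled pump (assumption taken from the report): requesting a cancel does not stop
// delivery; only an error returned from a callback does.
std::string pump(Listener& l, bool allowed) {
    const std::vector<std::string> chunks = {"secret-", "part-1;", "part-2"};  // constructed
    bool stopped = l.onStart(allowed) != Status::Ok;
    for (const auto& c : chunks) {
        if (stopped) break;
        stopped = l.onData(c) != Status::Ok;
    }
    return l.exposed;
}

int main() {
    CancelOnlyProxy before; FailClosedProxy after;
    std::cout << "cancel only: '" << pump(before, false) << "'\n";
    std::cout << "fail closed: '" << pump(after, false) << "'\n";
}
```

The per-chunk check in `FailClosedProxy::onData` is what keeps the denial effective even if a caller ignores the error returned from `onStart`.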
Comment on attachment 300281
Patch to fix

rubber-stamp r+sr=dbaron; please get review from jst/peterv tomorrow
Attachment #300281 - Flags: superreview?(peterv)
Attachment #300281 - Flags: superreview+
Attachment #300281 - Flags: review+
Attachment #300281 - Flags: review?(jst) → review+
Target Milestone: --- → mozilla1.9beta3
Comment on attachment 300281
Patch to fix

r+sr=jst
Checked in
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Updated

11 years ago
Flags: in-testsuite?
Attachment #300281 - Flags: review?(peterv)
Group: core-security