413071 - Cross-site XMLHttpRequest can grant access when it shouldn't

Status: RESOLVED FIXED

(Core :: XML, defect, P1)

Description

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

There's a bug in the cross site XHR implementation that causes it to grant access even though it shouldn't. The problem is that even though we cancel the channel, we still keep getting onDataAvailable notifications from necko which we don't expect.

The reason I didn't detect this is that it seems that we do drop the first set of data, so if the loaded file is small enough it'll get properly blocked.

I also just realized that there might be other types of data still living on the channel that can be accessed. I'll write some tests and check that.

Comment 1

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

Attachment: Patch to fix

Whoever gets to this first would be great to get an r/sr. The main problem here was that I was getting onDataAvailable calls even after cancelling the channel. Necko only stops feeding those if you actually return an error.

Added belts and braces code so that this shouldn't happen again.

I also made sure that we don't let through any header data for denied requests.

Comment 2

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Comment on attachment 300281 [details] [diff] [review]
Patch to fix

rubber-stamp r+sr=dbaron; please get review from jst/peterv tomorrow

Comment 3

[Johnny Stenback (:jst)]

Comment on attachment 300281 [details] [diff] [review]
Patch to fix

r+sr=jst

Comment 4

[Jonas Sicking (:sicking) No longer reading bugmail consistently]

Checked in