The problem is presumably that XUL doesn't use the scriptloader for <xul:script> and hence doesn't do the downgrading that the scriptloader does?
Summary: Possible to exploit relative script URIs in signed jars → [FIX]Possible to exploit relative script URIs in signed jars
Comment on attachment 310841 (Fix): Looks good
Comment on attachment 310841 (Fix): Extend to XUL the protection HTML already had. Only affects non-chrome XUL served inside a signed jar. Such XUL can no longer keep its signed status if it includes unsigned scripts. Might be worth beta exposure.
Can we get a test for this?
I'm not going to have time to write one in time for beta... We need some tests for bug 418996 too, and to test this we need to either copy the server-side stuff Collin set up or (better) come up with some custom signed jars that mochitests can use...
Comment on attachment 310841 (Fix): Can I get a promise that we'll get a test case for this and bug 418996? :) a1.9+ & a1.9beta5+=damons
> Can I get a promise that we'll get a test case for this and bug 418996? :)
Absolutely. It's on my short-list of bugs to write tests for as soon as I have the time. I'm just not sure that will be before 1.9 ship... If someone picks this up in the meantime, great. If not, once I finish this whole dissertation thing, I'll just do it.
Filed bug 424488 on having a decent way to test this in a good controlled manner.
Checked in. Marking fixed in the sense that XUL and HTML now behave the same, though Collin found bug 424426, which affects both for now.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Summary: [FIX]Possible to exploit relative script URIs in signed jars → [FIX]Possible to exploit relative xul:script URIs in signed jars
Whiteboard: [sg:high] → [sg:high][needs branch patch - eta July?]
The branch patch in bug 424426 fixes this bug.
Whiteboard: [sg:high][needs branch patch - eta July?] → [sg:high][fixed on branch by 424426]
Fixed on the branch by the fix for bug 424426.
(In reply to comment #0)
> See bug 418996 comment 1 and bug 418996 comment 21.
I tested the fix with the linked test case in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:126.96.36.199pre) Gecko/2008061005 BonEcho/188.8.131.52pre and the case doesn't repro like it does for 184.108.40.206. Is there additional testing that we should do to verify this?
Component: DOM → DOM: Core & HTML
Product: Core → Core