Last Comment Bug 424923 - Remove Cross-Site XHR
: Remove Cross-Site XHR
Status: RESOLVED FIXED
: addon-compat, relnote
Product: Core
Classification: Components
Component: XML (show other bugs)
: Trunk
: All All
: P1 normal (vote)
: mozilla1.9beta5
Assigned To: Jonas Sicking (:sicking) PTO Until July 5th
:
Mentors:
Depends on: 426308
Blocks: 408098
  Show dependency treegraph
 
Reported: 2008-03-24 22:50 PDT by Jonas Sicking (:sicking) PTO Until July 5th
Modified: 2013-02-23 10:53 PST (History)
22 users (show)
jonas: blocking1.9+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Back it out (100.65 KB, patch)
2008-03-24 22:50 PDT, Jonas Sicking (:sicking) PTO Until July 5th
jst: review+
jst: superreview+
Details | Diff | Review
Add CrossSite listener to CC (3.07 KB, patch)
2008-03-25 18:26 PDT, Ben Turner (not reading bugmail, use the needinfo flag!)
no flags Details | Diff | Review
Final backout patch (100.69 KB, patch)
2008-03-25 19:57 PDT, Jonas Sicking (:sicking) PTO Until July 5th
no flags Details | Diff | Review

Description Jonas Sicking (:sicking) PTO Until July 5th 2008-03-24 22:50:42 PDT
Created attachment 311514 [details] [diff] [review]
Back it out
Comment 1 Jonas Sicking (:sicking) PTO Until July 5th 2008-03-24 22:53:40 PDT
Comment on attachment 311514 [details] [diff] [review]
Back it out

Jst, peterv, whoever gets to this first please r/sr.
Comment 2 Mike Beltzner [:beltzner, not reading bugmail] 2008-03-24 22:58:19 PDT
Uhm, since XHR has been something we've relnoted as a feature in every previous beta, could I get a cute little snippet explaining why we're removing it?
Comment 3 Mike Shaver (:shaver -- probably not reading bugmail closely) 2008-03-25 07:04:45 PDT
Marking late-compat and cc:ing Team Evang as per project meeting, etc.
Comment 4 Mike Beltzner [:beltzner, not reading bugmail] 2008-03-25 07:46:40 PDT
Suggested relnote: "Due to late changes in the Cross Site XMLHttpRequest specification which made our implementation incomplete, it was decided to remove support for this technology rather than include only partial support."
Comment 5 Mike Shaver (:shaver -- probably not reading bugmail closely) 2008-03-25 07:53:39 PDT
We should link to the changes, then -- I don't know what they are, and I bet I and others on my team will get asked!
Comment 6 Mike Beltzner [:beltzner, not reading bugmail] 2008-03-25 10:23:18 PDT
(In reply to comment #5)
> We should link to the changes, then -- I don't know what they are, and I bet I
> and others on my team will get asked!

I believe it's encapsulated in bug 408098, but it's hard for me to tell. Jonas?
Comment 7 Johnny Stenback (:jst, jst@mozilla.com) 2008-03-25 15:02:45 PDT
Comment on attachment 311514 [details] [diff] [review]
Back it out

r+sr=jst
Comment 8 Ben Turner (not reading bugmail, use the needinfo flag!) 2008-03-25 18:26:15 PDT
Created attachment 311707 [details] [diff] [review]
Add CrossSite listener to CC

Just sticking this here for lack of a better place. I was going to post this with all the other stuff in bug 372107 to add the XS listener be part of CC since it holds other CC-classes, but since it's getting backed out I'll just put it here for reference.
Comment 9 Mike Schroepfer 2008-03-25 19:06:39 PDT
We ready to go on this?
Comment 10 Jonas Sicking (:sicking) PTO Until July 5th 2008-03-25 19:47:32 PDT
Checked in with tests.
Comment 11 Jonas Sicking (:sicking) PTO Until July 5th 2008-03-25 19:49:17 PDT
Testing actually found one bug, though one that wasn't a result of the backout but of the initial patch.

When denying a redirect it's important to not set a new channel. Otherwise we won't recognize the channel we're getting onStartRequest/onStopRequest on and we'll lock waiting for "our" channel to stop.
Comment 12 Jonas Sicking (:sicking) PTO Until July 5th 2008-03-25 19:57:08 PDT
Created attachment 311719 [details] [diff] [review]
Final backout patch

Here is the final backout patch.

When putting this back in, here is what needs to be done:

* Reland this patch
* Land bug 416957
* Add support for redirects if we think there's time
* Fix the remaining security concern (apart from the cookie issue) which is that
  code that does access-checks based on document-uri rather than
  document-principal might be exploitable.
  This can either be fixed by auditing all such code, or by making the
  document-uri and document-principal match. Or by making the document-uri
  harmless.
Comment 13 Jonas Sicking (:sicking) PTO Until July 5th 2008-03-25 20:01:20 PDT
And add back the call to
nsXMLHttpRequest::ShutdownACCache();

in nsLayoutStatics that I forgot to diff :)
Comment 14 Jonas Sicking (:sicking) PTO Until July 5th 2008-03-26 14:21:01 PDT
relnote something like this:

Cross-Site XHR has been removed due to concerns for spec stability as well as wanting to attempt to make the security model for cross-site loading of private data better.

Note You need to log in before you can comment on or make changes to this bug.