Closed Bug 441845 Opened 17 years ago Closed 1 year ago

Security regression: cannot access through DOM external stylesheets

Categories

(Core :: Security, defect)

x86
Linux
defect

RESOLVED INVALID

People

(Reporter: elvanor2007, Unassigned)

Attachments

(1 file)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008062112 (Gentoo) Firefox/3.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008062112 (Gentoo) Firefox/3.0

With Firefox 2 this caused no problems. With Firefox 3 if you visit the above link (you normally need Firebug), you will see that the final console.log("Done") is never executed because the JS script dies before when it tries to access the external stylesheet. This is a bug because the stylesheets properties are properly applied, so why can't they be modified via JS?

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
> With Firefox 2 this caused no problems.

Actually, I get pretty much the exact same behavior in FF2+Firebug as in FF3+Firebug.

Talked to Jean-Noel (Elvanor) in IRC, and he confirmed that it actually has the same error in Firefox 2, though he says his original site showed a difference between the two.

Jean-Noel: Please post another testcase (ideally, attach it to bug, rather than just posting a URL), or we'll just close this bug as INVALID.
Yes. I am trying to understand what's the difference between FF 2 and FF 3 then, because as I said my previous web application (hosted at www.shoopz.com) worked fine under FF 2. When I managed to get this small test case failing under FF 3 I thought I got the regression right - but since FF 2 also fails here, there is something else going on... trying to understand what now.
Attached file Test case
Ok, got it. I have now attached a test case that worked under FF 2 but fails under FF 3 (I also updated my link with the new version).
I do see a difference at the URL between Firefox 2 and Firefox 3 -- Firefox 3 shows this in JS console:

Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "http://www.elvanor.net/test/ff3-stylesheets.html Line: 18"]

The attached testcase actually works in FF3, but I think it's because the CSS file it's referencing is from the same domain as where the testcase is hosted. (bugzilla.mozilla.org) Presumably if the attached testcase were modified to use a stylesheet on a remote server, it would trigger the error.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Seucrity regression: cannot access through DOM external stylesheets → Security regression: cannot access through DOM external stylesheets
This is a pretty old bug, but looking at the code and comments in "layout/style/CSSStyleSheet.cpp" in the call to "CSSStyleSheet::SubjectSubsumesInnerPrincipal()", this behaviour seems to be pretty much wanted due to some CORS check: "// Allow access only if CORS mode is not NONE"

By "this behaviour" I mean access to CSS rules from a cross-origin stylesheet through for example "document.styleSheets[some_index].cssRules".

So, I think the error message "SecurityError: The operation is insecure" can be improved to say why it actually fails. But otherwise, this bug can be closed?
Product: Firefox → Core

Hi Daniel, I'm sorry to bother you with this old bug. I'm trying to reproduce it, but the steps are not very clear and the original reporter has a deactivated account. I was wondering if you know if this issue is still valid or if we can close it.

Thanks

Flags: needinfo?(dholbert)

STR:

  1. Open Web Console.
  2. Navigate to the attachment in comment #3.

Actual result:

1
OK
Uncaught DOMException: CSSStyleSheet.deleteRule: Not allowed to access cross-origin stylesheet

will be written to Web Console.

Expected result:

1
OK
Done

should be written to Web Console.

When comment #5 was written, the attached test case "worked" because Bugzilla attachments were hosted on the same domain as the stylesheet (bugzilla.mozilla.org). But currently attachments are hosted on a different domain (bmoattachments.org). So the test case will fail as "expected".

That said, I don't think we should "fix" this "regression".

  1. Obviously this change is introduced intentionally to fix cross-domain information leak.
  2. Chrome also fails with the test case.
Flags: needinfo?(dholbert)
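
Added example (not part of the bug report or Mozilla's code): a script that edits stylesheets can probe each sheet first and skip the ones that raise the SecurityError discussed in this bug, instead of dying at the first cross-origin sheet. The sheet objects returned by constructedSheets() and their hostnames are constructed stand-ins so the block runs outside a browser; in a page, pass document.styleSheets to the functions.

```javascript
// Probe one sheet: reading cssRules throws SecurityError for a cross-origin
// sheet that was loaded without CORS.
function inspectSheet(sheet) {
  try {
    const rules = sheet.cssRules;
    return { href: sheet.href, readable: true, ruleCount: rules.length };
  } catch (err) {
    if (err && err.name === 'SecurityError') {
      return { href: sheet.href, readable: false, ruleCount: null };
    }
    throw err; // not a same-origin-policy denial: surface it
  }
}

// Report, per sheet, whether script on this page may read or edit it.
function auditStyleSheets(sheets) {
  return Array.from(sheets, (sheet) => inspectSheet(sheet));
}

// Delete the first rule of every editable sheet; return the hrefs skipped.
function deleteFirstRuleWhereAllowed(sheets) {
  const skipped = [];
  for (const sheet of Array.from(sheets)) {
    const info = inspectSheet(sheet);
    if (!info.readable) skipped.push(sheet.href);
    else if (info.ruleCount > 0) sheet.deleteRule(0);
  }
  return skipped;
}

// Constructed stand-ins for CSSStyleSheet objects (hostnames are made up).
function constructedSheets() {
  const deny = () => {
    const err = new Error('Not allowed to access cross-origin stylesheet');
    err.name = 'SecurityError';
    throw err;
  };
  const sameOrigin = {
    href: 'https://app.example/site.css',
    cssRules: ['p { color: red }', 'a { color: blue }'],
    deleteRule(index) { this.cssRules.splice(index, 1); },
  };
  const crossOrigin = {
    href: 'https://cdn.example/theme.css',
    get cssRules() { return deny(); },
    deleteRule: deny,
  };
  return [sameOrigin, crossOrigin];
}
```

For a cross-origin sheet the page legitimately needs to edit, loading it with `<link rel="stylesheet" crossorigin="anonymous">` and serving it with a matching `Access-Control-Allow-Origin` header puts the load in CORS mode, which is the condition the CSSStyleSheet.cpp comment quoted earlier checks.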

(In reply to dhausknecht from comment #6)

> So, I think the error message "SecurityError: The operation is insecure" can
> be improved to say why it actually fails.

Now the message is improved (Uncaught DOMException: CSSStyleSheet.deleteRule: Not allowed to access cross-origin stylesheet).

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: major → --

The severity field is not set for this bug.
:dveditz, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(dveditz)

I think we can close this as invalid.

Comment 6 indicates that the "new" (Firefox 3) behavior was intentional/per-spec, though the error message wasn't great at the time. And since then, the error message has been improved (per comment 9), so that followup concern is also no longer an issue.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(dveditz)
Resolution: --- → INVALID