Closed
Bug 465806
Opened 16 years ago
Closed 16 years ago
document.open should use the principal of the document whose URI it uses
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: bzbarsky, Assigned: bzbarsky)
References
Details
(Keywords: dev-doc-complete)
Attachments
(1 file, 2 obsolete files)
Right now we get the principal off the stack. Instead, we should use the document principal of the document whose URI we'll use. Since we enforce same-origin on principals, there can't be a privilege-escalation issue here.
|
Assignee | |
Comment 1•16 years ago
|
||
Oh, and we already use the securityInfo of the document in question, so this will just make everything consistent.
|
||
Comment 2•16 years ago
|
||
I'd be happy to take this, bz.
|
|
||
Comment 3•16 years ago
|
||
Not sure how to set up a mochitest for this. Other security restrictions seem to intervene before this test becomes relevant. For example, I tried open()ing the contentWindow.document of a different-origin iframe, but I couldn't access the .document at all because of the origin difference. Ideas?
Attachment #349082 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Comment 4•16 years ago
|
||
Comment on attachment 349082 [details] [diff] [review]
patch without tests
callerDoc could be null here.
For what it's worth I do have a patch (written when I posted the bug); I just still need to run it through mochitest... I'll do that once I don't need my computer for an hour or so. ;)
As for testing, you could use expanded privileges to access cross-origin (do it from chrome, or grab UniversalXPConnect, e.g.)
Attachment #349082 -
Flags: review?(bzbarsky) → review-
|
|
Assignee | |
Comment 5•16 years ago
|
||
This does pass tests. Still no additional tests, though. Ben, if you want to write some up (or for that matter drive this patch in), please feel free.
Attachment #349123 -
Flags: superreview?(jst)
Attachment #349123 -
Flags: review?(jst)
|
||
Updated•16 years ago
|
Attachment #349123 -
Flags: superreview?(jst)
Attachment #349123 -
Flags: superreview+
Attachment #349123 -
Flags: review?(jst)
Attachment #349123 -
Flags: review+
|
|
||
Comment 6•16 years ago
|
||
Comment on attachment 349123 [details] [diff] [review]
What I had
+ nsCOMPtr<nsISupports> securityInfo = callerDoc->GetSecurityInfo();;
Remove the extra ';'.
Looks good to me. r+sr=jst
|
|
||
Updated•16 years ago
|
Attachment #349082 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 7•16 years ago
|
||
So that patch on its own regresses bug 428653, which depends on the fact that a safe object wrapper will give the write() call a subject principal that corresponds to the untrusted page... I'll see what I can do about fixing that.
|
|
Assignee | |
Comment 8•16 years ago
|
||
Oh, and the reason that bug regresses is that we're no longer using the subject principal, of course.
|
|
Assignee | |
Comment 9•16 years ago
|
||
This also makes the viewsource test effectively test this bug.
|
|
Assignee | |
Comment 10•16 years ago
|
||
Pushed http://hg.mozilla.org/mozilla-central/rev/76ca5cd4892f.
The dev-doc-needed is because this makes document.write into an untrusted document from chrome not work in Gecko 1.9.2, even if trying to use the wrappedJSObject trick.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Flags: in-testsuite+
Keywords: dev-doc-needed
Resolution: --- → FIXED
|
||
Comment 11•16 years ago
|
||
Docs updated: https://developer.mozilla.org/En/DOM/Document.open
Keywords: dev-doc-needed → dev-doc-complete
|
|
Assignee | |
Updated•16 years ago
|
|
|
Assignee | |
Updated•16 years ago
|
|
||
Comment 12•15 years ago
|
||
Is that means calling document.open()/document.write() from C++ code no longer works in 1.9?
That's really bad news for embedders because we already used these method in our application.
|
||
Comment 13•15 years ago
|
||
C++ could push the right context to stack? Some context from which a document can be get. Maybe the context from the document, which .open()/.write() is being called.
|
|
Assignee | |
Comment 14•15 years ago
|
||
The only C++ callers which are prevented with the new code are the ones who were potentially introducing a security hole with their call anyway. But yes, such callers are no longer allowed.
|
|
||
Comment 15•15 years ago
|
||
Hi Boris and Olli, thanks for your reply.
Currently we do something like this:
1.Get nsIWebBrowser object of current browser window.
2.Get a nsIDOMWindow object from nsIWebBrowser's contentDOMWindow attribute.
3.Get a nsIDOMHTMLDocument object from nsIDOMWindow object's 'document' attribute.
4.Call nsIDOMHTMLDocument object's open/write/close method to write something into the current browser window.
It works on 1.8 but fails on 1.9. What else should I do to make it work without introducing security hole?
|
|
Assignee | |
Comment 16•15 years ago
|
||
Do you have to do it via write()? Is using a data: URI or loadStream on the docshell not an option?
If so, you probably want to get the window's nsIScriptContext, get its JSContext, and push it on xpconnect's nsIJSContextStack before calling write(), then pop it off after.
|
|
||
Comment 17•15 years ago
|
||
Thanks. I will try it. We have ever tried loadStream , it seems to be a asynchronous operation but we need a synchronous one.
|
|
Assignee | |
Comment 18•15 years ago
|
||
If you need a syncronous one, you could consider just setting the innerHTML of the <html> node in the document...
|
|
||
Comment 19•15 years ago
|
||
setting innerHTML of the <html> node doesn't work for about:blank...
|
|
Assignee | |
Comment 20•15 years ago
|
||
That's... odd. Works fine over here.
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•