Closed Bug 470720 Opened 13 years ago Closed 13 years ago
XSS using XPCNativeWrapper and quick stubs
This is trunk/1.9.1 only. By using XPCNativeWrapper, it's possible to call quick stub methods/getters/setters on cross-origin objects. Bug 468552 partially fixes this bug.
This tries to get cookies for www.mozilla.com. This works on 1.9.1. On trunk, bug 468552 fixed this testcase.
This tries to get cookies for www.mozilla.com. This works on trunk and 1.9.1.
I had confused SJOWs with native wrappers when I allowed native wrappers to unwrap XOWs. SJOWs have a CanAccess check above every call, native wrappers don't. In addition, native wrappers allow themselves to be unwrapped cross-origin, which is what hurts us here.
Comment on attachment 354231: Fix
> // Unwrap a cross origin wrapper, since we're more restrictive than it is.
Since we're no longer unwrapping XOWs, update the comment. r+sr=jst
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Looks like this should be ready to get approval and to go to the branch, right? Is there still time to make the beta? Does it need a beta cycle to catch problems?
Priority: -- → P1
Chris: this bug was subsumed by bug 472792. We shouldn't take it on the branch, but we should take my fix for that bug (which fixes this as well).