Closed
Bug 488446
Opened 15 years ago
Closed 15 years ago
Disallow localStorage data manipulation in PB and session-only mode, follow up to bug 486654
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
WONTFIX
People
(Reporter: mayhemer, Assigned: mayhemer)
Attachments
(1 file)
5.22 KB, patch
(In reply to bug 486654 comment #18)
> (In reply to bug 486654 comment #15)
> > What I suggest now after I completely went through the Brady's thread is to
> > throw a DOM_SECURITY_ERROR when accessing window.localStorage object while in
> > either private-browsing-mode or session-only-cookies-mode. The latter is
> > already implemented.
>
> A brain-dead way to break this would be:
>
> var storage = window.localStorage;
> // use |storage| from this point forward
>
> Any web page which does that will not be affected by the user changing their
> cookie settings, unless it's reloaded.

Based on these comments, make sure to throw the same security error when accessing DOM storage data (getItem, setItem) while in either private-browsing-mode or session-only-cookies-mode.

This is just a followup to have a complete 20/80 solution before we fix bug 487695.

Should be b191+ if we don't get a fix for bug 487695.
Flags: blocking1.9.1?
Comment 1 (Assignee) • 15 years ago
The mSessionOnly member of nsDOMStorage is set when cookies are in session-only mode OR we are in PB mode. I added this condition to nsDOMStorage::CanUseStorage. Then, when checking access to localStorage (only localStorage) with setItem or getItem, we throw a security error when being session-only (addresses this bug). Confirmed by a test.
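
The cached-reference case from the description, modelled in plain JavaScript as an added example (it is not the attached patch or Gecko code). `ModelStorage`, `browser.sessionOnly`, `makeWindow` and `cachedReferenceOutcome` are hypothetical names; the model compares a check made only in the `window.localStorage` getter with one repeated in `getItem`/`setItem`.

```javascript
// Model only: plain JS stand-ins, not Gecko code. All names are hypothetical.
class SecurityError extends Error {
  constructor(msg) { super(msg); this.name = "SecurityError"; }
}

// True while in private browsing or session-only cookies mode.
const browser = { sessionOnly: false };

class ModelStorage {
  constructor(checkOnEveryCall) {
    this.data = new Map();
    this.checkOnEveryCall = checkOnEveryCall;
  }
  canUse() { return !browser.sessionOnly; }
  guard() {
    if (this.checkOnEveryCall && !this.canUse()) {
      throw new SecurityError("storage access denied in session-only mode");
    }
  }
  getItem(key) { this.guard(); return this.data.has(key) ? this.data.get(key) : null; }
  setItem(key, value) { this.guard(); this.data.set(key, String(value)); }
}

function makeWindow(checkOnEveryCall) {
  const store = new ModelStorage(checkOnEveryCall);
  return {
    // The getter check alone only covers code that re-reads window.localStorage.
    get localStorage() {
      if (!store.canUse()) throw new SecurityError("localStorage unavailable");
      return store;
    },
  };
}

// Page caches the object, then the user switches mode without a reload.
function cachedReferenceOutcome(checkOnEveryCall) {
  browser.sessionOnly = false;
  const win = makeWindow(checkOnEveryCall);
  const storage = win.localStorage;
  browser.sessionOnly = true;
  const outcome = {};
  try { win.localStorage; outcome.getter = "allowed"; } catch (e) { outcome.getter = e.name; }
  try { storage.setItem("k", "v"); outcome.cachedSetItem = "allowed"; } catch (e) { outcome.cachedSetItem = e.name; }
  try { storage.getItem("k"); outcome.cachedGetItem = "allowed"; } catch (e) { outcome.cachedGetItem = e.name; }
  browser.sessionOnly = false;
  return outcome;
}

console.log("getter check only:", cachedReferenceOutcome(false));
console.log("getter + per-call:", cachedReferenceOutcome(true));
```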
Updated (Assignee) • 15 years ago
Attachment #373138 - Flags: review?(dveditz)
Comment 2 (Assignee) • 15 years ago
Comment on attachment 373138
wip 1

Sorry to raise r? so late...
Comment 3 • 15 years ago
(In reply to comment #0)
> Should be b191+ if we don't get a fix for bug 487695.

Bug 487695 is blocking, so this one isn't per this logic!
Flags: blocking1.9.1? → blocking1.9.1-
Updated (Assignee) • 15 years ago
Attachment #373138 - Flags: review?(dveditz)
Comment 4 (Assignee) • 15 years ago
Comment on attachment 373138
wip 1

We have a correct patch for this issue in bug 487695. No need to review this.
Comment 5 • 15 years ago
So this bug is WONTFIX?
Comment 6 (Assignee) • 15 years ago
After bug 487695 gets fixed, we probably can. This was intended as a quick workaround.
Comment 7 (Assignee) • 15 years ago
Bug 487695 has just landed.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
Updated • 11 years ago
Component: DOM: Mozilla Extensions → DOM
Updated • 5 years ago
Component: DOM → DOM: Core & HTML