Closed Bug 535688 Opened 15 years ago Closed 15 years ago

Only hand inner windows to C++ from JS

Categories

Product / Component: Core :: XPConnect
Type: defect
Hardware: x86
OS: Linux
Priority: Not set
Severity: normal


RESOLVED DUPLICATE of bug 536480

People

(Reporter: mrbkap, Unassigned)

Details

(Whiteboard: [sg:dupe 536480])

(Filing as security sensitive because bug 531364 hasn't been fixed yet)

Currently, wrappers do a security check when they are unwrapped, which prevents malicious things like addEventListener.call(cross_origin_iframe, ...). However, as moz_bug_r_a4 found out, what this really means is that they do the security check and, in the case of windows, hand out an *outer* object. This means that if JS code can force the window to change origins, then the security check becomes outdated.

We should investigate only ever handing *inner* windows out to C++ when coming in from JS, so that the security check continues to mean the same thing no matter what other program state changes.

peterv came up with a partial patch in bug 531364, but got deterred because we have to make sure that direct callers of the nsIXPConnect unwrapping APIs correctly deal with getting inner windows instead of outer windows from JS.
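The failure mode the report describes is a check made against one object and a handle given out to a different one. The outer window is the browsing context and outlives navigation; the inner window is one document's global and carries a fixed origin. A check done at unwrap time looks at whichever inner is current, but if the outer is what gets handed to native code, native code ends up operating on whatever inner is current when it runs. The model below is an added example, not Gecko or XPConnect code and not the patch from bug 531364; the class and function names (InnerWindow, OuterWindow, Wrapper, unwrapHandingOuter, unwrapHandingInner, nativeAddEventListener) and the origins used are invented for illustration. It contrasts the current strategy (hand out the outer) with the proposed one (hand out the inner) when a navigation lands between the unwrap and the use.

```javascript
// Hypothetical model of the outer/inner window split and an unwrap-time
// security check. Added example; none of these names come from Gecko.

// An inner window is one document's global and has a fixed origin.
class InnerWindow {
  constructor(origin) {
    this.origin = origin;
    this.listeners = [];
  }
}

// An outer window is the browsing context. It survives navigation and
// forwards to whatever inner window is current.
class OuterWindow {
  constructor(inner) { this.inner = inner; }
  // Navigation replaces the inner; the outer's identity does not change.
  navigate(origin) {
    this.inner = new InnerWindow(origin);
    return this.inner;
  }
}

// The JS-visible wrapper around a window. Unwrapping is where the
// cross-origin access check happens in this model.
class Wrapper {
  constructor(outer) { this.outer = outer; }
}

function sameOriginCheck(callerOrigin, outer) {
  if (outer.inner.origin !== callerOrigin) {
    throw new Error(`security check failed: ${callerOrigin} -> ${outer.inner.origin}`);
  }
}

// Current behaviour as described in the bug: check against the inner that
// is current now, then hand native code the outer, which forwards to
// whatever inner is current later.
function unwrapHandingOuter(callerOrigin, wrapper) {
  sameOriginCheck(callerOrigin, wrapper.outer);
  return wrapper.outer;
}

// Proposed behaviour: the object that was checked is the object handed out.
function unwrapHandingInner(callerOrigin, wrapper) {
  sameOriginCheck(callerOrigin, wrapper.outer);
  return wrapper.outer.inner;
}

// Stand-in for a native addEventListener acting on an unwrapped window.
// Given an outer window it resolves to the current inner at use time.
function nativeAddEventListener(target, type, fn) {
  const inner = target instanceof OuterWindow ? target.inner : target;
  inner.listeners.push({ type, fn });
  return inner;
}

// Scenario (constructed): a script at origin A unwraps a same-origin frame,
// so the check passes; the frame then navigates to origin B; only then does
// native code use the unwrapped object. Returns the origin of the document
// that actually received the listener.
function runScenario(unwrap) {
  const frame = new OuterWindow(new InnerWindow('https://a.example'));
  const wrapper = new Wrapper(frame);
  const unwrapped = unwrap('https://a.example', wrapper); // A == A, passes
  frame.navigate('https://b.example');                   // inner replaced
  const touched = nativeAddEventListener(unwrapped, 'load', () => {});
  return touched.origin;
}

// A direct cross-origin unwrap is refused under either strategy; the
// difference only shows up when state changes after the check.
function crossOriginRefused(unwrap) {
  const frame = new OuterWindow(new InnerWindow('https://b.example'));
  try {
    unwrap('https://a.example', new Wrapper(frame));
    return false;
  } catch (e) {
    return true;
  }
}

console.log('outer handed out, listener landed on:', runScenario(unwrapHandingOuter)); // https://b.example
console.log('inner handed out, listener landed on:', runScenario(unwrapHandingInner)); // https://a.example
```

With the outer handed out, the listener lands on the origin-B document even though the check was passed against origin A; with the inner handed out, it lands on the now-detached origin-A global and the new document is untouched. The caveat from the last paragraph of the report still applies to this model: callers that receive the inner must not assume they hold the browsing context, since an inner can be stale by the time they use it.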
Er, oops.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 536480]