Closed
Bug 535688
Opened 15 years ago
Closed 15 years ago
Only hand inner windows to C++ from JS
Categories
(Core :: XPConnect, defect)
RESOLVED
DUPLICATE
of bug 536480
People
(Reporter: mrbkap, Unassigned)
Details
(Whiteboard: [sg:dupe 536480])
(Filing as security sensitive because bug 531364 hasn't been fixed yet) Currently, wrappers do a security check when they are unwrapped, which prevents malicious things like addEventListener.call(cross_origin_iframe, ...). However, as moz_bug_r_a4 found out, what this really means is that they do the security check and, in the case of windows, hand out an *outer* object. This means that if JS code can force the window to change origins, then the security check becomes outdated. We should investigate only ever handing *inner* windows out to C++ when coming in from JS, so that the security check continues to mean the same thing no matter what other program state changes. peterv came up with a partial patch in bug 531364, but got deterred because we have to make sure that direct callers of the nsIXPConnect unwrapping APIs correctly deal with getting inner windows instead of outer windows from JS.
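The time-of-check/time-of-use problem mrbkap describes, as an added illustration that is not part of the bug report and not Gecko or XPConnect code: a constructed JavaScript model in which one outer window object persists across navigations while its inner window (the per-document object) is replaced. The class and function names (OuterWindow, InnerWindow, unwrapReturningOuter, unwrapReturningInner, consumerAddsListener) and the example origins are assumptions made for this model, not identifiers from the Mozilla code base.

```javascript
// Constructed model of the outer/inner window split discussed in the bug.
// Not Gecko source: every name below is an assumption made for this example.

class InnerWindow {
  constructor(origin) {
    this.origin = origin;      // origin of the document this inner belongs to
    this.listeners = [];
  }
  addEventListener(type, fn) {
    this.listeners.push({ type, fn });
  }
}

// One outer window per browsing context; navigation swaps the inner window.
class OuterWindow {
  constructor(origin) {
    this.inner = new InnerWindow(origin);
  }
  navigate(newOrigin) {
    this.inner = new InnerWindow(newOrigin);
  }
}

// Same-origin check performed at unwrap time, against the inner that is
// current at that moment.
function checkSameOrigin(callerOrigin, outer) {
  if (outer.inner.origin !== callerOrigin) {
    throw new Error(
      `cross-origin access denied: ${callerOrigin} -> ${outer.inner.origin}`
    );
  }
}

// Variant 1 (the behaviour the bug reports): check, then hand out the outer.
function unwrapReturningOuter(callerOrigin, outer) {
  checkSameOrigin(callerOrigin, outer);
  return outer;
}

// Variant 2 (the proposal): check, then hand out the inner that was checked.
function unwrapReturningInner(callerOrigin, outer) {
  checkSameOrigin(callerOrigin, outer);
  return outer.inner;
}

// Simulated native consumer: it received whatever unwrap returned and later
// installs a listener on the inner window that object resolves to *now*.
// Returns the origin of the document that actually got the listener.
function consumerAddsListener(target, fn) {
  const inner = target instanceof OuterWindow ? target.inner : target;
  inner.addEventListener("click", fn);
  return inner.origin;
}

// Scenario: a caller at origin A unwraps a same-origin frame (check passes),
// the frame is then navigated to origin B, and only afterwards does the
// consumer use the unwrapped object.
function scenario(unwrap) {
  const frame = new OuterWindow("https://a.example");
  const handle = unwrap("https://a.example", frame); // passes: same origin
  frame.navigate("https://b.example");               // origin changes later
  return consumerAddsListener(handle, () => {});
}

// With the outer handed out, the stale check lets the listener land on B.
function staleOuterScenario() {
  return scenario(unwrapReturningOuter);
}

// With the inner handed out, the listener lands on the A document that was
// actually checked (now detached, but never cross-origin).
function innerScenario() {
  return scenario(unwrapReturningInner);
}

// Sanity check: a plainly cross-origin unwrap is refused in both variants.
function crossOriginUnwrapRejected() {
  const frame = new OuterWindow("https://b.example");
  try {
    unwrapReturningOuter("https://a.example", frame);
    return false;
  } catch (e) {
    return true;
  }
}
```

The model deliberately reduces "JS code can force the window to change origins" to a single `navigate()` call between the check and the use; in a real browser the gap would be filled by whatever lets script trigger a navigation of the frame before the native side consumes the unwrapped object. The point it isolates is the one in the report: a check bound to an object whose identity survives navigation can be correct when made and wrong when relied on, whereas a check bound to the inner window stays attached to the document it was made against.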
Reporter
Comment 1 • 15 years ago
Er, oops.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Updated•14 years ago
Whiteboard: [sg:dupe 536480]
Group: core-security