Closed Bug 546856 Opened 14 years ago Closed 14 years ago

Drop support for XBL1 on web sites

Categories

(Core :: XBL, defect)

Product:
Core
Component:
XBL
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 546857
Tracking Flags:
Tracking Status
blocking2.0 --- beta4+

People

(Reporter: jruderman, Unassigned)

References

Details

(Whiteboard: [sg:want P1]) 

As I mentioned on http://blog.mozilla.com/security/2010/02/10/fixing-security-holes-without-introducing-new-bugs/, XBL is a major source of security problems.

Also, we know we want to replace it with something else, so we might as well remove it before more people start using it.

To really close the attack surface, we may need to change how marquee and media controls work, but that can happen later IMO.
See bug 379644.  In particular the analysis in bug 379644 comment 45.

I assume that this bug is about making it so that only privileged stylesheets (user(?), UA, chrome; do we give skin stylesheets system principals?) can link to XBL, basically?  That would address threat (A) from that comment and maybe threat (C) (though I think we have (C) solved already), and perhaps make (B) more difficult.  It's effectively mitigation strategy (1) from the abovementioned comment, right?
Whiteboard: [sg:want P1]
blocking2.0: --- → ?
Blocks: 532808
This is happening as part of bug 546857. Duping.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
blocking2.0: ? → beta4+
You need to log in before you can comment on or make changes to this bug.