Closed Bug 546856 Opened 10 years ago Closed 10 years ago
Drop support for XBL1 on web sites
As I mentioned on http://blog.mozilla.com/security/2010/02/10/fixing-security-holes-without-introducing-new-bugs/, XBL is a major source of security problems. Also, we know we want to replace it with something else, so we might as well remove it before more people start using it. To really close the attack surface, we may need to change how marquee and media controls work, but that can happen later IMO.
See bug 379644, in particular the analysis in bug 379644 comment 45. I assume that this bug is about making it so that only privileged stylesheets (user(?), UA, chrome; do we give skin stylesheets system principals?) can link to XBL, basically? That would address threat (A) from that comment and maybe threat (C) (though I think we have (C) solved already), and perhaps make (B) more difficult. It's effectively mitigation strategy (1) from the above-mentioned comment, right?
This is happening as part of bug 546857. Duping.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: kill-remote-xul