If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Bypassing XOW by using chrome XBL or JS




7 years ago
2 years ago


(Reporter: moz_bug_r_a4, Assigned: mrbkap)


Windows XP

Firefox Tracking Flags

(blocking1.9.2 -, status1.9.2 wontfix, blocking1.9.1 -, status1.9.1 wontfix)


(Whiteboard: [needs answer to comment 10 from mrbkap][sg:high])



7 years ago

2475 nsXPConnect::GetWrapperForObject(JSContext* aJSContext,
2476                                  JSObject* aObject,
2477                                  JSObject* aScope,
2478                                  nsIPrincipal* aPrincipal,
2479                                  PRUint32 aFilenameFlags,
2480                                  jsval* _retval)
2481 {
2546     // We can do nothing if:
2547     // - We're wrapping a system object
2548     // or
2549     //   - We're from the same *scope* AND
2550     //   - We're not about to force a XOW (e.g. for "window") OR
2551     //   - We're not actually going to create a XOW (we're wrapping for
2552     //     chrome).
2553     if(aObject->isSystem() ||
2554        (sameScope &&
2555         (!forceXOW || (aFilenameFlags & JSFILENAME_SYSTEM))))
2556         return NS_OK;

With the attached testcase, aObject is a content window, sameScope is 1,
forceXOW is 1, and aFilenameFlags is 3, thus the window is not wrapped in a
security wrapper.

Comment 1

7 years ago
Created attachment 461169 [details]

This tries to get cookies for www.mozilla.com.

Comment 2

7 years ago
I get Error: Permission denied for <https://bug582913.bugzilla.mozilla.org> to get property Window.eval from <http://www.mozilla.com>.
Source File: https://bug582913.bugzilla.mozilla.org/attachment.cgi?id=461169&t=vmrreYjVPp
Line: 33

Comment 3

7 years ago
(In reply to comment #2)
> I get Error: Permission denied for <https://bug582913.bugzilla.mozilla.org> to
> get property Window.eval from <http://www.mozilla.com>.
> Source File:
> https://bug582913.bugzilla.mozilla.org/attachment.cgi?id=461169&t=vmrreYjVPp
> Line: 33

Do you get the error only on trunk?  If so, which text do you see near the
iframe?  "null" or "[object HTMLElement]"?

I can reproduce the testcase on trunk, 1.9.2 and 1.9.1 on Windows and Linux.

Comment 4

7 years ago
trunk mac os x 10.5. [object HTMLElement] 500 is what i saw next to the iframe. I'll check the others in a bit.

Comment 5

7 years ago
On trunk, the testcase tries to force GC in order to remove a cached XOW.  If
GC happens, the text should be "null" instead of "[object HTMLElement]".

In my machines, GC can happen after looping about 100 times.  What happens if
you change the code in function gc: 500 into a larger number?

Comment 6

7 years ago
Created attachment 461513 [details]
testcase 2

This does not try to force GC.  I can reproduce this on trunk.

Bob, could you test this?
Whiteboard: [sg:high]

Comment 7

7 years ago
testcase1 and testcase2 work in 1.9.1, 1.9.2 but not 1.9.3 on mac os x.
Assignee: nobody → mrbkap

Comment 8

7 years ago
This was fixed by compartments. moz_bug_r_a4, can you verify?
Last Resolved: 7 years ago
Resolution: --- → FIXED

Comment 9

7 years ago

On fx-4.0b8pre-2010-11-09-07, I cannot reproduce the testcases, and I get this
error: Error: Permission denied to access property 'eval'
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Is there any possibility of a non-compartments fix for the branches?
blocking1.9.1: ? → needed
blocking1.9.2: ? → needed
Whiteboard: [sg:high] → [needs answer to comment 10 from mrbkap][sg:high]
This will have to be "wontfix" on old branches -- the whole point of Compartments is to fix bugs like this that we couldn't fix another way, and we're not back-porting Compartments and everything else that would require.
blocking1.9.1: needed → -
blocking1.9.2: needed → -
status1.9.1: wanted → wontfix
status1.9.2: wanted → wontfix


2 years ago
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.