Closed
Bug 595207
Opened 14 years ago
Closed 14 years ago
E4X function:: namespace allows recognizing user despite clearing private data
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla2.0
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | betaN+ |
People
(Reporter: jwkbugzilla, Assigned: igor)
References
()
Details
(Keywords: privacy, Whiteboard: fixed-in-tracemonkey)
Attachments
(3 files, 2 obsolete files)
|
189 bytes,
text/html
|
Details | |
|
3.85 KB,
patch
|
igor
:
review+
|
Details | Diff | Splinter Review |
|
8.08 KB,
patch
|
igor
:
review+
|
Details | Diff | Splinter Review |
The issue has been published by Gareth Heyes in his blog: http://www.thespanner.co.uk/2010/09/10/function-is-the-new-window/ I am still marking this bug as security sensitive just in case, the privacy implications aren't exactly pointed out in his post. It seems that using "@mozilla.org/js/function" as namespace only works after function:: namespace was used at least once. This allows to "tag" a user for a browser session, he can be recognized as a returning visitor despite clearing all private data as long as the browser isn't closed. The attached testcase demonstrates this - this page will recognize whether it was opened for the first time. Reproduced with Firefox 3.6.9 and Minefield build 20100910 on Windows 7 x64.
|
||
Comment 1•14 years ago
|
||
The bit of information here is not per site, it is JSRuntime-wide, so global among all browser contexts (windows/frames/tabs/etc.). So two sites couldn't track separately. Patch in a few. /be
|
|
||
Comment 2•14 years ago
|
||
|
|
||
Updated•14 years ago
|
blocking2.0: --- → ?
|
|
||
Comment 3•14 years ago
|
||
Comment on attachment 474205 [details] [diff] [review] fix Wrong patch. /be
Attachment #474205 -
Attachment is obsolete: true
Attachment #474205 -
Flags: review?(igor)
|
|
||
Comment 4•14 years ago
|
||
It is hard to ban anti-URIs (the interal one starting with '@' is one instance) that are used internally, since jsxml.cpp constructs QNames using a constructor call. No secret argument channel to advise the ctor by which to whitelist the internal caller. So the cat's out of the bag and I need to minimize the patch (and time spent on it), so I'm fixing this bug by recognizing "@mozilla.org/js/function" as the URI of the function:: namespace. /be
Attachment #474219 -
Flags: review?(igor)
|
Assignee | |
Comment 5•14 years ago
|
||
Comment on attachment 474219 [details] [diff] [review] fix, take 2 >diff --git a/js/src/jsxml.cpp b/js/src/jsxml.cpp >--- a/js/src/jsxml.cpp >+++ b/js/src/jsxml.cpp >@@ -2785,24 +2785,31 @@ ReportBadXMLName(JSContext *cx, const Va > > static JSBool > IsFunctionQName(JSContext *cx, JSObject *qn, jsid *funidp) > { > JSAtom *atom; > JSString *uri; > > atom = cx->runtime->atomState.lazy.functionNamespaceURIAtom; >+ if (!atom) { >+ Value v; >+ if (!js_GetFunctionNamespace(cx, &v)) >+ return false; >+ atom = cx->runtime->atomState.lazy.functionNamespaceURIAtom; >+ } >+ > uri = GetURI(qn); >- if (uri && atom && >+ if (uri && > (uri == ATOM_TO_STRING(atom) || > js_EqualStrings(uri, ATOM_TO_STRING(atom)))) { > return JS_ValueToId(cx, STRING_TO_JSVAL(GetLocalName(qn)), funidp); > } > *funidp = JSID_VOID; >- return JS_TRUE; >+ return true; > } This looks reasonable but what about simply making functionNamespaceURIAtom non-lazy?
Attachment #474219 -
Flags: review?(igor) → review+
|
|
Assignee | |
Comment 7•14 years ago
|
||
The patch makes functionNamespaceURIAtom non-lazy.
Assignee: brendan → igor
Attachment #475032 -
Flags: review?(brendan)
|
|
||
Comment 8•14 years ago
|
||
Comment on attachment 475032 [details] [diff] [review] being non-lazy Where's the test? Need to hg add it, maybe. Ok, cleanups aside this is conceptually simpler, but is the minimal patch (take out all cleanups) actually smaller? I hate taking on startup cost for E4X. r=me in trade. Igor,could you please take this bug? /be
Attachment #475032 -
Flags: review?(brendan) → review+
|
|
||
Comment 9•14 years ago
|
||
I don't see why this bug should be s-s. The issue is already known, right? It's a one-bit, one-time-per-session-per-site tracking problem. /be
|
|
||
Comment 10•14 years ago
|
||
Jesse, could use your refereeing here -- if you agree with comment 9, please open this bug. /be
|
|
Assignee | |
Comment 11•14 years ago
|
||
Here is a minimized patch. Clearly it is not smaller than the attachment 4 [details] [diff] [review] but it also fixes a similar problem in JSObject::getCompartment. As regarding the startup cost if we just remove the lazy atoms then simpler code with less if checks for null atoms in JS_ResolveStandardClass may well offset that. Besides, if the cost is measurable, then we may want to use something like static strings for atoms (bug 596229).
Attachment #475032 -
Attachment is obsolete: true
Attachment #475094 -
Flags: review+
|
||
Updated•14 years ago
|
Group: core-security
|
|
Assignee | |
Comment 12•14 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/50b1fa3d2de8
Whiteboard: fixed-in-tracemonkey
|
||
Comment 13•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/50b1fa3d2de8
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
|
||
Updated•14 years ago
|
blocking2.0: ? → betaN+
You need to log in
before you can comment on or make changes to this bug.
Description
•