Closed
Bug 605167
Opened 14 years ago
Closed 14 years ago
It's possible to access properties of a cross-origin window
Categories
(Core :: Security, defect)
Status: RESOLVED FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | beta7+ |
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
Details
(Keywords: regression, Whiteboard: [sg:high]fixed-in-tracemonkey)
Attachments
(2 files)
617 bytes, text/html
3.59 KB, patch (peterv: review+)
This is a regression from landing of compartments.
1. Get a function from a same-origin window.
2. Load a cross-origin page in that window.
With that function, ComputeGlobalThis gets an outer window proxy that belongs
to the cross-origin window. Thus, it's possible to access properties of the
cross-origin window via that outer window proxy.
The attached testcase aborts a debug build:
Assertion failure: compartment mismatched, at
/home/.../mozilla/js/src/jscntxtinlines.h:513
Comment 1 • 14 years ago (Reporter)
This tries to get cookies for www.mozilla.com.
Updated • 14 years ago
Blocks: compartments
blocking2.0: --- → beta7+
Updated • 14 years ago
Assignee: nobody → mrbkap
Comment 2 • 14 years ago (Assignee)
Andreas has a patch in bug 604516 that gets rid of the inner and outer object hooks in favor of slots with the outer object for that compartment. That'll make this patch obsolete, but the upshot here is that we need to make sure that when we outerize, we return the outer window for the right compartment.
I looked through all of the cases where we outerize and it appeared that there were exactly two where we actually wanted the uncompartmentalized outer window (both in WrapperFactory.cpp).
Attachment #484098 - Flags: review?(peterv)
Updated • 14 years ago (Assignee)
Attachment #484098 - Flags: review?(lw)
Comment 3 • 14 years ago
Comment on attachment 484098: Fix
Sorry, I enjoyed the discussion, but I am unqualified to review this.
Attachment #484098 - Flags: review?(lw)
Comment 4 • 14 years ago
Comment on attachment 484098: Fix
Please add an automated testcase.
Attachment #484098 - Flags: review?(peterv) → review+
Comment 5 • 14 years ago (Assignee)
Whiteboard: fixed-in-tracemonkey
Updated • 14 years ago
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Keywords: regression
Whiteboard: fixed-in-tracemonkey → [sg:high]fixed-in-tracemonkey
Comment 6 • 14 years ago (Assignee)
http://hg.mozilla.org/mozilla-central/rev/179e4661d61c
http://hg.mozilla.org/mozilla-central/rev/8851d28f1619
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated • 14 years ago
Group: core-security