Closed Bug 605167 Opened 10 years ago Closed 10 years ago

It's possible to access properties of a cross-origin window

Categories

Product/Component: Core :: Security
Type: defect
Hardware/OS: x86 / Windows XP
Priority: Not set
Severity: normal

Tracking

Status: RESOLVED FIXED
Tracking Status:
blocking2.0 --- beta7+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

References

Details

(Keywords: regression, Whiteboard: [sg:high]fixed-in-tracemonkey)

Attachments

(2 files)

This is a regression from landing of compartments.

1. Get a function from a same-origin window.
2. Load a cross-origin page in that window.

With that function, ComputeGlobalThis gets an outer window proxy that belongs
to the cross-origin window.  Thus, it's possible to access properties of the
cross-origin window via that outer window proxy.

The attached testcase aborts a debug build:
Assertion failure: compartment mismatched, at
/home/.../mozilla/js/src/jscntxtinlines.h:513
Attached file testcase
This tries to get cookies for www.mozilla.com.
Blocks: compartments
blocking2.0: --- → beta7+
Assignee: nobody → mrbkap
Attached patch Fix
Andreas has a patch in bug 604516 that gets rid of the inner and outer object hooks in favor of slots with the outer object for that compartment. That'll make this patch obsolete, but the upshot here is that we need to make sure that when we outerize, we return the outer window for the right compartment.

I looked through all of the cases where we outerize and it appeared that there were exactly two where we actually wanted the uncompartmentalized outer window (both in WrapperFactory.cpp).
Attachment #484098 - Flags: review?(peterv)
Attachment #484098 - Flags: review?(lw)
Comment on attachment 484098 (Fix)

Sorry, I enjoyed the discussion, but I am unqualified to review this.
Attachment #484098 - Flags: review?(lw)
Comment on attachment 484098 (Fix)

Please add an automated testcase.
Attachment #484098 - Flags: review?(peterv) → review+
Keywords: regression
Whiteboard: fixed-in-tracemonkey → [sg:high]fixed-in-tracemonkey
Group: core-security