Closed Bug 66332 Opened 25 years ago Closed 25 years ago

nsCodebasePrincipal::GetOrigin does not include the URL port

Categories

(Core :: Security: CAPS, defect)

x86
Windows NT
defect
Not set
major

VERIFIED DUPLICATE of bug 66331

People

(Reporter: toml, Assigned: security-bugs)

Details

From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (WinNT; U)
BuildID: 0000000000

Using the Java plugin, I am attempting to test an application called Desktop on Call. In the browser location field I type the URL which includes a port number (i.e. http://abc.xyz.com:8080). The application performs LiveConnect functions that send requests from Java to JavaScript.

When making a Java to JavaScript call, the Java side creates a URL, used to create a CSecurityContext, that includes the scheme, the host, and the port (if specified). The Mozilla side creates an nsCSecurityContext from the associated principal.

The origins are compared in mozilla/modules/oji/src/lcglue.cpp method enter_js_from_java_impl. GetOrigin is called against the CSecurityContext object and against the nsCSecurityContext object. The first returns the URL with the scheme, the host, and the port. The second returns the URL with the scheme and the host - no port. This results in the two origins never matching and the security check fails.

We need to decide between the Java side and Mozilla side when to include a port on the URL. If the port is returned as -1 or as 80, we should probably not append it to the URL.

mozilla/caps/src/nsCodebasePrincipal needs to be updated to return the port (if not equal to -1 or 80) in the GetOrigin method. The Java file will need to be updated as well to be in sync.

Reproducible: Always

Steps to Reproduce:
1. Patch mozilla/webshell/tests/viewer/nsSetupRegistry.cpp to register the LiveConnect Service.
2. Set up a web server on a port other than 80.
3. Invoke an applet from the web server (specifying the port) that performs Java to JavaScript LiveConnect:
   Add: MAYSCRIPT to the <APPLET> tag in the HTML
   Add: import netscape.javascript.JSObject; to a Java applet file
   Add: private JSObject window = JSObject.getWindow(this); to the init() method

Actual Results: The JSObject.getWindow call will fail.

Expected Results: The JSObject.getWindow call should succeed.
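Added example, not part of the original report and not Mozilla or Java plugin code: a sketch of the two origin serializations the report describes, applied to the report's URL, so the mismatch and the proposed port rule can be checked side by side. `UrlParts`, `parse_url`, `origin_without_port` and `origin_with_port` are hypothetical names, and comparing the origins as plain strings is an assumption.

```cpp
#include <iostream>
#include <string>

// Hypothetical stand-in for the URL parts both sides start from.
struct UrlParts {
    std::string scheme, host;
    int port = -1;  // -1: the URL carried no port
};

// Minimal split of scheme://host[:port][/path]; no userinfo or IPv6 literals.
UrlParts parse_url(const std::string& url) {
    UrlParts u;
    const std::size_t sep = url.find("://");
    if (sep == std::string::npos) return u;  // not absolute: empty parts
    u.scheme = url.substr(0, sep);
    const std::size_t start = sep + 3;
    const std::size_t slash = url.find('/', start);
    std::string authority = url.substr(
        start, slash == std::string::npos ? slash : slash - start);
    const std::size_t colon = authority.rfind(':');
    if (colon != std::string::npos) {
        const std::string digits = authority.substr(colon + 1);
        if (!digits.empty() && digits.size() <= 5 &&
            digits.find_first_not_of("0123456789") == std::string::npos)
            u.port = std::stoi(digits);  // otherwise the port stays -1
        authority.erase(colon);
    }
    u.host = authority;
    return u;
}

// Behaviour the report describes on the Mozilla side: scheme and host only.
std::string origin_without_port(const UrlParts& u) {
    return u.scheme + "://" + u.host;
}

// Rule proposed in the report: append the port unless it is -1 or 80.
std::string origin_with_port(const UrlParts& u) {
    std::string origin = origin_without_port(u);
    if (u.port != -1 && u.port != 80) origin += ":" + std::to_string(u.port);
    return origin;
}

int main() {
    const UrlParts page = parse_url("http://abc.xyz.com:8080");  // URL from the report
    std::cout << origin_with_port(page) << " vs " << origin_without_port(page) << "\n";
    return 0;
}
```

Dropping the port on both sides would also make the two strings equal, but services on different ports of the same host would then serialize to the same origin, which is why the port belongs in the comparison.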
*** This bug has been marked as a duplicate of 66331 ***
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → DUPLICATE
vrfy dup
Status: RESOLVED → VERIFIED