Closed
Bug 673742
Opened 14 years ago
Closed 14 years ago
Allow postMessage()ing File and FileLists between windows
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla8
People
(Reporter: khuey, Assigned: khuey)
References
(Depends on 1 open bug)
Details
(Keywords: dev-doc-complete)
Attachments
(1 file)
|
9.68 KB,
patch
|
sicking
:
review+
|
Details | Diff | Splinter Review |
The attached patch allows the postMessage if and only if the caller's principal subsumes the target's, so I think we can do this without security review.
Attachment #547980 -
Flags: review?(jonas)
|
Assignee | |
Updated•14 years ago
|
Assignee: nobody → khuey
Status: NEW → ASSIGNED
Comment on attachment 547980 [details] [diff] [review]
Patch
Review of attachment 547980 [details] [diff] [review]:
-----------------------------------------------------------------
r=me with that fixed.
::: dom/base/nsGlobalWindow.cpp
@@ +6030,5 @@
> + nsISupports* supports = wrappedNative->Native();
> +
> + nsCOMPtr<nsIDOMBlob> blob = do_QueryInterface(supports);
> + if (blob && scInfo->subsumes)
> + scTag = SCTAG_DOM_FILE;
SCTAG_DOM_BLOB seems like a better name. Seems better to ensure that no-one casts to nsIDOMFile anywhere after checking this tag.
@@ +6277,5 @@
> // We *must* clone the data here, or the jsval could be modified
> // by script
> JSAutoStructuredCloneBuffer buffer;
> + StructuredCloneInfo scInfo;
> + scInfo.event = event.get();
The .get() here shouldn't be needed.
Attachment #547980 -
Flags: review?(jonas) → review+
|
|
Assignee | |
Comment 2•14 years ago
|
||
Going to write some tests and slip this into 8.
Keywords: dev-doc-needed
|
|
Assignee | |
Comment 3•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/31eddfef6549
This still needs tests, which are blocked on some SpecialPowers enhancements :-/
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
|
||
Comment 4•14 years ago
|
||
Documentation updated:
https://developer.mozilla.org/en/DOM/window.postMessage
Also mentioned on Firefox 8 for developers.
Keywords: dev-doc-needed → dev-doc-complete
|
||
Comment 5•14 years ago
|
||
Sorry for commenting on a closed bug, but I would like some clarification:
What exactly is meant by the following statement?
"This is only allowed if the recipient's principal is contained within the sender's principal"
Does this mean that postMessage with File/Blob/FileList objects as data is not allowed for cross-domain communication?
Doesn't this contradict the following statement?
"window.postMessage is a method for safely enabling cross-origin communication"
|
|
Assignee | |
Comment 6•14 years ago
|
||
(In reply to Sebastian Tschan from comment #5)
> Sorry for commenting on a closed bug, but I would like some clarification:
> What exactly is meant by the following statement?
>
> "This is only allowed if the recipient's principal is contained within
> the sender's principal"
>
> Does this mean that postMessage with File/Blob/FileList objects as data is
> not allowed for cross-domain communication?
Yes.
> Doesn't this contradict the following statement?
>
> "window.postMessage is a method for safely enabling cross-origin
> communication"
To some extent. We plan to allow postMessaging Files and FileLists across origins, that just needs a more in depth security review.
|
||
Comment 7•11 years ago
|
||
When is cross origins going to be implemented?
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•