nsDOMWindowUtils::NodesFromRect doesn't have a security check

RESOLVED FIXED in mozilla12

Status

Core
DOM
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: smaug, Assigned: Felipe)

Tracking

10 Branch
mozilla12
x86_64
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
I'm not sure whether this is a security bug, but it is strange to let web pages use DOMWindowUtils APIs.
(Reporter)

Comment 1

5 years ago
If exposing the method to web is ok, it should be added to document.

Someone in #whatwg was asking about such method.
(Assignee)

Comment 2

5 years ago
It doesn't have a check because we decided not to expose it to content at the time. See bug 489127 comment 27 and 37.

Or can webpages now access things from DOMWindowUtils? (If they do I believe this changed recently? I don't think they could when we implemented that feature)

It would be nice to expose that to content imo. IE and Webkit implemented similar APIs after we did ours, though with some slightly different behavior.
(Reporter)

Comment 3

5 years ago
Web pages have always had access to DOMWindowUtils.
Did this turn out to be a problem or not?
(Reporter)

Comment 5

5 years ago
Roc, Felipe? Do we expose anything insecure via NodesFromRect?
Does it have all the necessary cross-iframe checks etc?
We should not expose anything in DOMWindowUtils to Web content because none of it is standard and we don't want to standardize DOMWindowUtils!
So the reason to protect nodesFromRect, or DOMWindowUtils in general, from Web content is not just security but to stop them from relying on stuff there.
(Assignee)

Comment 8

5 years ago
But yeah there's no security risk in this function, the code is very similar to elementFromPoint, with the difference that it returns a list of elements and text nodes instead of just one. It only returns elements from the same document, using the same code as elementFromPoint. So to my best understanding there is nothing insecure here. (can we make the bug public?)

Let's protect this code from being called by webpages anyway due to what Roc mentioned.
I think we should add a security check here whether there's a security risk here or not. If we don't, then sites might start depending on this, and we're not making any promises about any APIs exposed through DOMWindowUtils. Opening this bug because there doesn't appear to be anything to hide here.
Group: core-security
(Assignee)

Updated

5 years ago
Assignee: nobody → felipc
(Assignee)

Comment 10

5 years ago
Created attachment 592035 [details] [diff] [review]
Patch

Trivial change + moving the test for nodesFromRect to mochitest-chrome where it'll have permission to call the function
Attachment #592035 - Flags: review?(bugs)
(Reporter)

Updated

5 years ago
Attachment #592035 - Flags: review?(bugs) → review+
(Assignee)

Comment 11

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/5095046dc23c
https://hg.mozilla.org/mozilla-central/rev/5095046dc23c
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12