Bug 714276 (Closed)
Opened 14 years ago, closed 14 years ago
nsDOMWindowUtils::NodesFromRect doesn't have a security check
Categories: Core :: DOM: Core & HTML, defect
Tracking: RESOLVED FIXED, mozilla12
People: Reporter: smaug, Assigned: Felipe
Attachments (1 file): patch, 5.49 KB, smaug: review+
I'm not sure whether this is a security bug, but it is strange to let web pages
use DOMWindowUtils APIs.
Comment 1 • 14 years ago (Reporter)
If exposing the method to the web is ok, it should be added to document.
Someone in #whatwg was asking about such a method.
Comment 2 • 14 years ago (Assignee)
It doesn't have a check because we decided not to expose it to content at the time. See bug 489127 comment 27 and 37.
Or can webpages now access things from DOMWindowUtils? (If they do I believe this changed recently? I don't think they could when we implemented that feature)
It would be nice to expose that to content imo. IE and Webkit implemented similar APIs after we did ours, though with some slightly different behavior.
Comment 3 • 14 years ago (Reporter)
Web pages have always had access to DOMWindowUtils.
Comment 4 • 14 years ago
Did this turn out to be a problem or not?
Comment 5 • 14 years ago (Reporter)
Roc, Felipe? Do we expose anything insecure via NodesFromRect?
Does it have all the necessary cross-iframe checks etc?
We should not expose anything in DOMWindowUtils to Web content because none of it's standard and we don't want to standardize DOMWindowUtils!
So the reason to protect nodesFromRect, or DOMWindowUtils in general, from Web content is not just security but to stop them from relying on stuff there.
Comment 8 • 14 years ago (Assignee)
But yeah there's no security risk in this function, the code is very similar to elementFromPoint, with the difference that it returns a list of elements and text nodes instead of just one. It only returns elements from the same document, using the same code as elementFromPoint. So to my best understanding there is nothing insecure here. (can we make the bug public?)
Let's protect this code from being called by webpages anyway due to what Roc mentioned.
Comment 9 • 14 years ago
I think we should add a security check here whether there's a security risk here or not. If we don't then sites might start depending on this, and we're not making any promises about any APIs exposed through DOMWindowUtils. Opening this bug because there doesn't appear to be anything to hide here.
Group: core-security
Updated • 14 years ago (Assignee)
Assignee: nobody → felipc
Comment 10 • 14 years ago (Assignee)
Trivial change + moving the test for nodesFromRect to mochitest-chrome where it'll have permission to call the function
Attachment #592035 - Flags: review?(bugs)
Updated • 14 years ago (Reporter)
Attachment #592035 - Flags: review?(bugs) → review+
Comment 11 • 14 years ago (Assignee)
Comment 12 • 14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Updated • 6 years ago
Component: DOM → DOM: Core & HTML