Closed Bug 732413 Opened 13 years ago Closed 12 years ago

DISALLOW_INHERIT_PRINCIPAL is ignored when calling checkLoadURIWithPrincipal with aPrincipal=system principal ("javascript:" links can be set as the home page when dragged from chrome)

Product/Component: Core :: Security
Type: defect, Priority: Not set, Severity: normal
Status: RESOLVED FIXED
Target Milestone: mozilla14
Reporter: ioana_damy, Assigned: Gavin
Whiteboard: [sg:low][qa+]
Attachments: 1 file

Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0

STR1:
1. Enter "javascript:1" in the search bar.
2. Select the text from the search bar and drag it to the Home button.

STR2:
1. Enter "javascript:1" in the location bar.
2. Select the text from the search bar and drag it to the Home button.

STR3:
1. Select "javascript:1" from this comment and drag it to the Bookmarks button.
2. Click on the Bookmarks button.
3. Select the "javascript:1" bookmark and drag it to the Home button.

Expected Results:
The user cannot set "javascript:1" (or any other "javascript:...") as his Home page by dropping it onto the Home button.

Actual Results:
The confirmation pop-up asking whether the user wants to set "javascript:1" as his Home page or not is displayed. The user can set it without any issues.
Depends on: 718203
Whiteboard: [qa+]
This happens because DISALLOW_INHERIT_PRINCIPAL is ignored when checkLoadURI()'s source principal is the system principal (there's an early return in nsScriptSecurityManager::CheckLoadURIWithPrincipal if aPrincipal == mSystemPrincipal).

bz, is there any chance we could change that?
I think so, yes. Specifically, hoisting the DISALLOW_INHERIT_PRINCIPAL check above the mSystemPrincipal check would make a lot of sense to me. I would have thought we had an existing bug on that, but I don't see one....
Whiteboard: [qa+] → [sg:low][qa+]
Component: Tabbed Browser → Security
Product: Firefox → Core
QA Contact: tabbed.browser → toolkit
Summary: "javascript:" can be set as Home page by dragging & dropping it from privileged context to the Home button → DISALLOW_INHERIT_PRINCIPAL is ignored when calling checkLoadURIWithPrincipal with aPrincipal=system principal ("javascript:" links can be set as the home page when dragged from chrome)
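
The check ordering discussed in the two comments above, as an added C++ model that is not part of the bug's comments or of Mozilla's source. Apart from DISALLOW_INHERIT_PRINCIPAL and the system principal, every name, flag value and scheme rule in it is an assumption made for illustration.

```cpp
#include <cctype>
#include <string>

// Simplified model of the check order, not Mozilla source. Only
// DISALLOW_INHERIT_PRINCIPAL and the system principal come from the bug;
// every other name and value here is hypothetical.
enum class Principal { System, Content };
constexpr unsigned STANDARD = 0;
constexpr unsigned DISALLOW_INHERIT_PRINCIPAL = 1u << 0;  // constructed value

// Lower-cased scheme, or "" when the string has no ':' separator.
static std::string schemeOf(const std::string& uri) {
  const auto colon = uri.find(':');
  if (colon == std::string::npos) return "";
  std::string s = uri.substr(0, colon);
  for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return s;
}

// Assumption: these schemes run with the principal of whoever loads them.
static bool inheritsPrincipal(const std::string& uri) {
  const std::string s = schemeOf(uri);
  return s == "javascript" || s == "data";
}

// Stand-in for the remaining per-principal checks (hypothetical rule).
static bool remainingChecks(const std::string& uri) { return schemeOf(uri) != "chrome"; }

// Order described in the bug: the system principal returns early, so the
// caller's DISALLOW_INHERIT_PRINCIPAL flag is never consulted.
bool checkLoadBefore(Principal p, const std::string& uri, unsigned flags) {
  if (p == Principal::System) return true;
  if ((flags & DISALLOW_INHERIT_PRINCIPAL) && inheritsPrincipal(uri)) return false;
  return remainingChecks(uri);
}

// Order proposed in the bug: the flag check is hoisted above the early return,
// so it applies to every caller, the system principal included.
bool checkLoadAfter(Principal p, const std::string& uri, unsigned flags) {
  if ((flags & DISALLOW_INHERIT_PRINCIPAL) && inheritsPrincipal(uri)) return false;
  if (p == Principal::System) return true;
  return remainingChecks(uri);
}

int main() {  // exit code 0 when the old order allows the load and the new one blocks it
  const unsigned f = DISALLOW_INHERIT_PRINCIPAL;
  return (checkLoadBefore(Principal::System, "javascript:1", f) &&
          !checkLoadAfter(Principal::System, "javascript:1", f)) ? 0 : 1;
}
```

In this model a system-principal caller that does not pass the flag is still allowed to load any URI; only callers that ask for DISALLOW_INHERIT_PRINCIPAL see a behaviour change.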
Attached patch: patch
Assignee: nobody → gavin.sharp
Status: NEW → ASSIGNED
Attachment #605884 - Flags: review?(bzbarsky)
Comment on attachment 605884
patch

It's worth adding to the end of that comment that we want to do this even for the system principal.

r=me
Attachment #605884 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/bf542c70745f
Flags: in-testsuite+
Target Milestone: --- → mozilla14
https://hg.mozilla.org/mozilla-central/rev/bf542c70745f
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Version: 11 Branch → Trunk