DISALLOW_INHERIT_PRINCIPAL is ignored when calling checkLoadURIWithPrincipal with aPrincipal=system principal ("javascript:" links can be set as the home page when dragged from chrome)

RESOLVED FIXED in mozilla14

Status


Core
Security
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: Ioana (away), Assigned: Gavin)

Tracking

(Blocks: 1 bug)

Trunk
mozilla14
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:low][qa+])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0

STR1:
1. Enter "javascript:1" in the search bar.
2. Select the text from the search bar and drag it to the Home button.

STR2:
1. Enter "javascript:1" in the location bar.
2. Select the text from the search bar and drag it to the Home button.

STR3:
1. Select "javascript:1" from this comment and drag it to the Bookmarks button.
2. Click on the Bookmarks button.
3. Select the "javascript:1" bookmark and drag it to the Home button.

Expected Results:
The user cannot set "javascript:1" (or any other "javascript:...") as his Home page by dropping it onto the Home button.

Actual Results:
The confirmation pop-up asking whether the user wants to set "javascript:1" as his Home page or not is displayed. The user can set it without any issues.
(Reporter)

Updated

5 years ago
Depends on: 718203
(Reporter)

Updated

5 years ago
Whiteboard: [qa+]

This happens because DISALLOW_INHERIT_PRINCIPAL is ignored when checkLoadURI()'s source principal is the system principal (there's an early return in nsScriptSecurityManager::CheckLoadURIWithPrincipal if aPrincipal == mSystemPrincipal).

bz, is there any chance we could change that?

I think so, yes.  Specifically, hoisting the DISALLOW_INHERIT_PRINCIPAL check above the mSystemPrincipal check would make a lot of sense to me.  I would have thought we had an existing bug on that, but I don't see one....

Whiteboard: [qa+] → [sg:low][qa+]
Blocks: 735738
Component: Tabbed Browser → Security
Product: Firefox → Core
QA Contact: tabbed.browser → toolkit
Summary: "javascript:" can be set as Home page by dragging & dropping it from privileged context to the Home button → DISALLOW_INHERIT_PRINCIPAL is ignored when calling checkLoadURIWithPrincipal with aPrincipal=system principal ("javascript:" links can be set as the home page when dragged from chrome)
Created attachment 605884 [details] [diff] [review]
patch
Assignee: nobody → gavin.sharp
Status: NEW → ASSIGNED
Attachment #605884 - Flags: review?(bzbarsky)
Comment on attachment 605884 [details] [diff] [review]
patch

It's worth adding to the end of that comment that we want to do this even for the system principal.

r=me
Attachment #605884 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/bf542c70745f
Flags: in-testsuite+
Target Milestone: --- → mozilla14
https://hg.mozilla.org/mozilla-central/rev/bf542c70745f
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Version: 11 Branch → Trunk
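
The check ordering discussed in this bug, as an added example that is not part of the bug thread or of Gecko's source: a simplified C++ model of the system-principal early return, before and after hoisting the DISALLOW_INHERIT_PRINCIPAL check above it. The flag value, `Principal`, `SchemeOf`, `InheritsPrincipal`, `OtherChecks` and both `CheckLoad*` functions are assumptions made for the model.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>

// Simplified model, not Gecko source. The flag value, Principal, SchemeOf and
// the two CheckLoad* functions are constructed for this illustration.
enum : uint32_t { STANDARD = 0, DISALLOW_INHERIT_PRINCIPAL = 1u << 0 };
struct Principal { bool isSystem; };

static std::string SchemeOf(const std::string& uri) {
    const auto colon = uri.find(':');
    std::string s = (colon == std::string::npos) ? std::string() : uri.substr(0, colon);
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;  // lower-cased, so "JavaScript:1" is matched too
}

// Model assumption: only "javascript:" URIs run with the loader's principal.
static bool InheritsPrincipal(const std::string& uri) { return SchemeOf(uri) == "javascript"; }
// Model assumption standing in for the remaining checks: content may not load chrome:.
static bool OtherChecks(const std::string& uri) { return SchemeOf(uri) != "chrome"; }

// Order described in the bug: the system-principal shortcut returns before the
// caller's flags are examined, so DISALLOW_INHERIT_PRINCIPAL has no effect.
bool CheckLoadBefore(const Principal& p, const std::string& uri, uint32_t flags) {
    if (p.isSystem) return true;  // early return, flags never consulted
    if ((flags & DISALLOW_INHERIT_PRINCIPAL) && InheritsPrincipal(uri)) return false;
    return OtherChecks(uri);
}

// Order proposed in the thread: the flag check is hoisted above the shortcut,
// so it applies to every caller, the system principal included.
bool CheckLoadAfter(const Principal& p, const std::string& uri, uint32_t flags) {
    if ((flags & DISALLOW_INHERIT_PRINCIPAL) && InheritsPrincipal(uri)) return false;
    if (p.isSystem) return true;  // shortcut still covers every other check
    return OtherChecks(uri);
}

int main() {
    const Principal sys{true};
    std::printf("before: %d  after: %d\n",
                CheckLoadBefore(sys, "javascript:1", DISALLOW_INHERIT_PRINCIPAL),
                CheckLoadAfter(sys, "javascript:1", DISALLOW_INHERIT_PRINCIPAL));
    return 0;
}
```

In the model, a system-principal caller that passes the flag is allowed to load "javascript:1" under the first ordering and refused under the second, while its access to other URIs is unchanged.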