Bug 732413 - DISALLOW_INHERIT_PRINCIPAL is ignored when calling checkLoadURIWithPrincipal with aPrincipal=system principal ("javascript:" links can be set as the home page when dragged from chrome)
Product: Core
Classification: Components
Component: Security
: Trunk
: All All
: -- normal
: mozilla14
Assigned To: :Gavin Sharp [email:]
: David Keeler [:keeler] (use needinfo?)
Depends on: 718203
Blocks: 735738
Reported: 2012-03-02 07:31 PST by Ioana (away)
Modified: 2012-03-20 03:47 PDT
in‑testsuite+

patch (6.99 KB, patch)
2012-03-14 11:56 PDT, :Gavin Sharp [email:]
bzbarsky: review+

Description Ioana (away) 2012-03-02 07:31:48 PST
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0

1. Enter "javascript:1" in the search bar.
2. Select the text from the search bar and drag it to the Home button.

1. Enter "javascript:1" in the location bar.
2. Select the text from the search bar and drag it to the Home button.

1. Select "javascript:1" from this comment and drag it to the Bookmarks button.
2. Click on the Bookmarks button.
3. Select the "javascript:1" bookmark and drag it to the Home button.

Expected Results:
The user cannot set "javascript:1" (or any other "javascript:...") as his Home page by dropping it onto the Home button.

Actual Results:
The confirmation pop-up asking whether the user wants to set "javascript:1" as his Home page or not is displayed. The user can set it without any issues.

Comment 1 :Gavin Sharp [email:] 2012-03-05 19:21:59 PST
This happens because DISALLOW_INHERIT_PRINCIPAL is ignored when checkLoadURI()'s source principal is the system principal (there's an early return in nsScriptSecurityManager::CheckLoadURIWithPrincipal if aPrincipal == mSystemPrincipal).

bz, is there any chance we could change that?

Comment 2 Boris Zbarsky [:bz] (still a bit busy) 2012-03-06 08:17:25 PST
I think so, yes.  Specifically, hoisting the DISALLOW_INHERIT_PRINCIPAL check above the mSystemPrincipal check would make a lot of sense to me.  I would have thought we had an existing bug on that, but I don't see one....
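
The reordering discussed in comments 1 and 2, as an added example that is not part of the bug thread or the attached patch: a simplified C++ model, not Gecko source. The types, helper names, the flag value and the sample URIs are assumptions made for illustration.

```cpp
// Simplified model of the check order discussed in this bug; not Gecko source.
// Principal, Scheme, InheritsPrincipal, ContentChecks and both Check* functions
// are hypothetical stand-ins, and the flag value is local to this example.
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>

enum : uint32_t { STANDARD = 0, DISALLOW_INHERIT_PRINCIPAL = 1u << 2 };
enum Result { LOAD_ALLOWED, LOAD_DENIED };
struct Principal { bool isSystem; };

// Lower-cased scheme, or "" when the string has no ':' at all.
static std::string Scheme(const std::string& uri) {
  std::string::size_type colon = uri.find(':');
  if (colon == std::string::npos) return "";
  std::string s = uri.substr(0, colon);
  for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return s;
}
// Assumption: only "javascript:" (the scheme on this page) is modelled as a
// URI whose content would run with the principal of whoever loads it.
static bool InheritsPrincipal(const std::string& uri) { return Scheme(uri) == "javascript"; }
// Stand-in for the ordinary checks applied to non-system callers.
static Result ContentChecks(const std::string& uri) {
  return Scheme(uri) == "chrome" ? LOAD_DENIED : LOAD_ALLOWED;
}

// Order described in comment 1: the system-principal shortcut returns before
// the flag is consulted, so the caller's DISALLOW_INHERIT_PRINCIPAL is lost.
Result CheckBefore(const Principal& p, const std::string& uri, uint32_t flags) {
  if (p.isSystem) return LOAD_ALLOWED;
  if ((flags & DISALLOW_INHERIT_PRINCIPAL) && InheritsPrincipal(uri)) return LOAD_DENIED;
  return ContentChecks(uri);
}
// Order proposed in comment 2: the flag check is hoisted above the shortcut,
// so it applies to every caller, the system principal included.
Result CheckAfter(const Principal& p, const std::string& uri, uint32_t flags) {
  if ((flags & DISALLOW_INHERIT_PRINCIPAL) && InheritsPrincipal(uri)) return LOAD_DENIED;
  if (p.isSystem) return LOAD_ALLOWED;
  return ContentChecks(uri);
}

int main() {
  const Principal chromeCaller{true};
  const char* uris[] = {"javascript:1", "JavaScript:1", "http://example.org/"};  // constructed samples
  for (const char* u : uris)
    std::printf("%-20s before=%d after=%d\n", u,
                CheckBefore(chromeCaller, u, DISALLOW_INHERIT_PRINCIPAL),
                CheckAfter(chromeCaller, u, DISALLOW_INHERIT_PRINCIPAL));
  return 0;
}
```
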
Comment 3 :Gavin Sharp [email:] 2012-03-14 11:56:02 PDT
Created attachment 605884

Comment 4 Boris Zbarsky [:bz] (still a bit busy) 2012-03-15 15:25:08 PDT
Comment on attachment 605884

It's worth adding to the end of that comment that we want to do this even for the system principal.

Comment 5 :Gavin Sharp [email:] 2012-03-19 18:09:48 PDT
Comment 6 Mounir Lamouri (:mounir) 2012-03-20 03:47:23 PDT
