Closed Bug 740481 Opened 12 years ago Closed 12 years ago

You can get around <iframe mozbrowser> window.top/parent/frameElement sandboxing via Components.lookupMethod

Categories

(Firefox OS Graveyard :: General, defect)

defect
Not set
normal

Tracking

(blocking-kilimanjaro:+)

RESOLVED FIXED
blocking-kilimanjaro +

People

(Reporter: justin.lebar+bug, Unassigned)

Details

(Keywords: sec-critical, Whiteboard: [sg:critical][no-esr])

Bug 736688 implements window.top/parent/frameElement sandboxing in JS using Object.defineProperty on the window.

But Components.lookupMethod lets you unwrap these methods.

We intend to remove Components.lookupMethod, but I'm not sure what the timeframe is -- it's complicated by the fact that some add-ons rely on it.  If it's not removed soon enough, we can always just disable it on B2G.
Blocks: 736688
Blocks: browser-api
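
The weakness described in the report above, as an added JavaScript model that is not part of the bug thread and not Gecko code: an accessor shadowed with Object.defineProperty stays reachable through anything that returns the original accessor, while a getter that enforces the boundary itself does not. `FrameWindow`, `sandboxByShadowing`, `lookupOriginal` (a hypothetical stand-in for an unwrap primitive) and `shadowLeaks` are assumed names, and the enforcing getter is a general contrast, not the fix chosen in this bug.

```javascript
// Constructed model: FrameWindow stands in for a DOM window whose
// "native" accessors live on the prototype.
class FrameWindow {
  #parent; #isolated;
  constructor(name, parent = null, isolated = false) {
    this.name = name;
    this.#parent = parent;
    this.#isolated = isolated;
  }
  // "Native" getter with no policy of its own.
  get parent() { return this.#parent ?? this; }
  // Getter that enforces the boundary itself (contrast case).
  get safeParent() { return this.#isolated ? this : (this.#parent ?? this); }
}

// Sandboxing in the style the report describes: shadow the accessor on the
// instance with Object.defineProperty.
function sandboxByShadowing(win) {
  Object.defineProperty(win, 'parent', { get: () => win, configurable: false });
  return win;
}

// Hypothetical stand-in for an unwrap primitive: walk the prototype chain,
// skip own-property overrides, and call the original accessor on the object.
function lookupOriginal(obj, prop) {
  for (let p = Object.getPrototypeOf(obj); p; p = Object.getPrototypeOf(p)) {
    const d = Object.getOwnPropertyDescriptor(p, prop);
    if (d) return d.get ? d.get.call(obj) : d.value;
  }
  return undefined;
}

// Audit helper: true when the visible property disagrees with the original
// accessor, i.e. the restriction exists only in the shadowing layer.
function shadowLeaks(win, prop) {
  return lookupOriginal(win, prop) !== win[prop];
}

const embedder = new FrameWindow('embedder');
const shadowed = sandboxByShadowing(new FrameWindow('app', embedder));
const enforced = new FrameWindow('app2', embedder, true);

console.log(shadowed.parent.name);                    // view through the shadow
console.log(lookupOriginal(shadowed, 'parent').name); // view through the original getter
console.log(shadowLeaks(shadowed, 'parent'), shadowLeaks(enforced, 'safeParent'));
```
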
We should absolutely disable it in B2G. There are no addons there (yet), let's start with a clean slate!
Whiteboard: [sg:critical]
The fix here is to nuke Components entirely in web pages (but allow it to keep working for XBL), right?
(In reply to Boris Zbarsky (:bz) from comment #2)
> The fix here is to nuke Components entirely in web pages (but allow it to
> keep working for XBL), right?

For b2g only, right?
In general, I'd hope; b2g can probably do it earlier.
blocking-kilimanjaro: --- → +
This will be fixed by bug 754997.
Depends on: 754997
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Can we please un-protect this bug?
Whiteboard: [sg:critical] → [sg:critical][no-esr]
Group: core-security → core-security-release
Group: core-security-release