Closed Bug 764259 Opened 13 years ago Closed 13 years ago

don't expose the social api to inappropriate origins.

Categories

(Firefox Graveyard :: SocialAPI, defect)

Product:
Firefox Graveyard
Component:
SocialAPI
Type:
defect
Priority:
Not set
Severity:
blocker

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: markh, Unassigned)

Details

(Whiteboard: [qa-])

If the sidebar window or a service window has a location in a different origin than the social worker, then the mozSocial API (either entirely, or at least getWorker()) should not work from the window. The risk is that the worker code "trusts" the other side of a port (and indeed can't check the origin of the port even if it wanted to) and thus may give up "secrets" to this other origin. This should happen regardless of whether the URL being from a different origin is intentional or unintentional. FWIW, bug 764241 is discussing whether to allow this to happen intentionally, but regardless of the outcome of that discussion, this extra check should be added as a "defense in depth" technique.
same-origin restriction added https://github.com/mozilla/socialapi-dev/commit/31ace0ace39797ff445666832fe1c0c923fabee6 note, somehow another changed to support username in the menu leaked in, though git diff didn't show that before :/
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Is there anything I can do to test this? Does this have any tests?
Again, this is out-of-date, but we do have tests for the same-origin restrictions we currently impose.
Flagging [qa-] as there's nothing to verify.
Whiteboard: [qa-]
Product: Firefox → Firefox Graveyard
You need to log in before you can comment on or make changes to this bug.