Bug 764259 - don't expose the social api to inappropriate origins.
Product: Firefox
Classification: Client Software
Component: SocialAPI
Version: unspecified
Platform: All All
Importance: -- blocker
Target Milestone: ---
Assigned To: Nobody; OK to take it and work on it
: Shane Caraveo (:mixedpuppy)
Reported: 2012-06-12 21:01 PDT by Mark Hammond [:markh]
Modified: 2012-11-26 16:53 PST


Description Mark Hammond [:markh] 2012-06-12 21:01:21 PDT
If the sidebar window or a service window has a location in a different origin than the social worker, then the mozSocial API (either entirely, or at least getWorker()) should not work from the window.

The risk is that the worker code "trusts" the other side of a port (and indeed can't check the origin of the port even if it wanted to) and thus may give up "secrets" to this other origin.

This should happen regardless of whether the URL is from a different origin intentionally or unintentionally. FWIW, bug 764241 is discussing whether to allow this to happen intentionally, but regardless of the outcome of that discussion, this extra check should be added as a "defense in depth" technique.
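An added JavaScript illustration of the same-origin gate the description asks for (this is not Firefox's mozSocial implementation; the names originOf and canUseSocialApi and the sample URLs are constructed for the example):

```javascript
// Defense-in-depth check: a sidebar or service window may reach the social
// worker (getWorker()) only when its location shares an origin with the worker.
// Hypothetical helper names; the WHATWG URL parser does the origin computation.

// Canonical origin (scheme://host[:port]) of a URL, or null if the URL has no
// usable origin. URL normalises default ports, so "https://a.example:443/" and
// "https://a.example/" yield the same origin string.
function originOf(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null;                       // unparseable location: never trusted
  }
  // Opaque origins (data:, about:blank, ...) serialise as "null"; two opaque
  // origins are never the same origin, so refuse them outright.
  if (parsed.origin === "null") return null;
  return parsed.origin;
}

// Decide whether a window at windowUrl may obtain a port to the worker at
// workerUrl. Fails closed: any doubt means the API is not exposed.
function canUseSocialApi(windowUrl, workerUrl) {
  const w = originOf(windowUrl);
  const k = originOf(workerUrl);
  return w !== null && k !== null && w === k;
}

// Constructed sample locations a provider window might end up with.
const WORKER = "https://social.example/worker.js";
const SAMPLES = [
  ["https://social.example/sidebar.html", true],        // same origin
  ["https://social.example:443/sidebar.html", true],    // default port normalised
  ["http://social.example/sidebar.html", false],        // scheme differs
  ["https://cdn.social.example/sidebar.html", false],   // host differs
  ["https://social.example:8443/sidebar.html", false],  // port differs
  ["data:text/html,<p>hi</p>", false],                  // opaque origin
  ["not a url", false],                                 // unparseable
];

// Returns one boolean per sample: did the gate decide as expected?
function checkSamples() {
  return SAMPLES.map(([url, expected]) => canUseSocialApi(url, WORKER) === expected);
}
```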
Comment 1 Shane Caraveo (:mixedpuppy) 2012-06-27 16:29:54 PDT
same-origin restriction added

note, somehow another change to support username in the menu leaked in, though git diff didn't show that before :/
Comment 2 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-11-26 15:21:52 PST
Is there anything I can do to test this? Does this have any tests?
Comment 3 Mark Hammond [:markh] 2012-11-26 15:50:48 PST
Again, this is out-of-date, but we do have tests for the same-origin restrictions we currently impose.
Comment 4 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-11-26 16:53:24 PST
Flagging [qa-] as there's nothing to verify.