Bug 764259 - don't expose the social api to inappropriate origins.
Status: RESOLVED FIXED
Whiteboard: [qa-]
Product: Firefox
Classification: Client Software
Component: SocialAPI
Assigned To: Nobody; OK to take it and work on it
Reported: 2012-06-12 21:01 PDT by Mark Hammond [:markh]
Modified: 2012-11-26 16:53 PST
Description Mark Hammond [:markh] 2012-06-12 21:01:21 PDT
If the sidebar window or a service window has a location in a different origin than the social worker, then the mozSocial API (either entirely, or at least getWorker()) should not work from the window.

The risk is that the worker code "trusts" the other side of a port (and indeed can't check the origin of the port even if it wanted to) and thus may give up "secrets" to this other origin.

This should happen regardless of whether the URL's being from a different origin is intentional or unintentional. FWIW, bug 764241 is discussing whether to allow this to happen intentionally, but regardless of the outcome of that discussion, this extra check should be added as a "defense in depth" technique.
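The origin check the report asks for, as an added illustration rather than code from socialapi-dev or the commit linked below: the window's location is compared against the provider's origin, opaque or unparseable locations fail closed, and getWorker() is only exposed on a match. The names originOf, isSameOrigin and getApiForWindow are hypothetical.

```javascript
// Added example (not Firefox/socialapi-dev code): fail-closed same-origin guard
// for handing a window access to the social worker. Hypothetical names throughout.

function originOf(urlString) {
  // URL.origin serializes opaque origins (about:blank, data:, unparseable input)
  // as the string "null"; map those to null so they can never match anything.
  try {
    const origin = new URL(urlString).origin;
    return origin === "null" ? null : origin;
  } catch (e) {
    return null;
  }
}

function isSameOrigin(providerUrl, windowUrl) {
  const a = originOf(providerUrl);
  const b = originOf(windowUrl);
  // Two opaque origins are never "the same": fail closed rather than open.
  return a !== null && b !== null && a === b;
}

function getApiForWindow(providerUrl, windowLocation, worker) {
  if (!isSameOrigin(providerUrl, windowLocation)) {
    // Foreign origin: expose nothing, so the worker never gets a port whose
    // peer is a page it cannot verify.
    return null;
  }
  return {
    getWorker() {
      return worker;
    },
  };
}
```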
Comment 1 Shane Caraveo (:mixedpuppy) 2012-06-27 16:29:54 PDT
same-origin restriction added https://github.com/mozilla/socialapi-dev/commit/31ace0ace39797ff445666832fe1c0c923fabee6

Note, somehow another change to support username in the menu leaked in, though git diff didn't show that before :/
Comment 2 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-11-26 15:21:52 PST
Is there anything I can do to test this? Does this have any tests?
Comment 3 Mark Hammond [:markh] 2012-11-26 15:50:48 PST
Again, this is out-of-date, but we do have tests for the same-origin restrictions we currently impose.
Comment 4 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-11-26 16:53:24 PST
Flagging [qa-] as there's nothing to verify.