don't expose the social api to inappropriate origins.

RESOLVED FIXED

Status

()

Firefox
SocialAPI
--
blocker
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: markh, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [qa-])

(Reporter)

Description

5 years ago
If the sidebar window or a service window has a location in a different origin than the social worker, then the mozSocial API (either entirely, or at least getWorker()) should not work from the window.

The risk is that the worker code "trusts" the other side of a port (and indeed can't check the origin of the port even if it wanted to) and thus may give up "secrets" to this other origin.

This should happen regardless of whether the URL being from a different origin is intentional or unintentional.  FWIW, bug 764241 is discussing whether to allow this to happen intentionally, but regardless of the outcome of that discussion, this extra check should be added as a "defense in depth" technique.
same-origin restriction added https://github.com/mozilla/socialapi-dev/commit/31ace0ace39797ff445666832fe1c0c923fabee6

note, somehow another changed to support username in the menu leaked in, though git diff didn't show that before :/
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Is there anything I can do to test this? Does this have any tests?
(Reporter)

Comment 3

5 years ago
Again, this is out-of-date, but we do have tests for the same-origin restrictions we currently impose.
Flagging [qa-] as there's nothing to verify.
Whiteboard: [qa-]
You need to log in before you can comment on or make changes to this bug.