Open Bug 810610 Opened 7 years ago Updated 2 years ago

Fix security problems with TabParent::RecvPIndexedDBConstructor

Categories

(Core :: Storage: IndexedDB, defect, P5)

x86
macOS
defect

People

(Reporter: justin.lebar+bug, Unassigned)

We now have two security problems documented in TabParent::RecvPIndexedDBConstructor.

One of them doesn't apply to any configuration we ship, so it's not a big deal.  I don't know about the other one (the XXXbent below).

See TabParent::RecvPIndexedDBConstructor:

  // XXXbent Need to make sure we have a whitelist for chrome databases!

and

  // Verify that the child is requesting to access a database it's allowed to
  // see.  (aASCIIOrigin here specifies a TabContext + a website origin, and
  // we're checking that the TabContext may access it.)
  //
  // We have to check IsBrowserOrApp() because TabContextMayAccessOrigin will
  // fail if we're not a browser-or-app, since aASCIIOrigin will be a plain URI,
  // but TabContextMayAccessOrigin will construct an extended origin using
  // app-id 0.  Note that as written below, we allow a non browser-or-app child
  // to read any database.  That's a security hole, but we don't ship a
  // configuration which creates non browser-or-app children, so it's not a big
  // deal.
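
Added example, not part of the bug report or of Gecko's source: a simplified C++ model of the check described in the comment above, showing why skipping it for non browser-or-app children fails open, next to one fail-closed alternative. The struct, the function names and the `<appId>+<origin>` encoding are assumptions made for illustration.

```cpp
// Simplified model of the parent-side check; every name here and the
// "<appId>+<origin>" encoding are assumptions for illustration, not Gecko code.
#include <cstdint>
#include <string>

struct TabContext {
    bool isBrowserOrApp;  // false for a plain (non browser-or-app) child
    uint32_t ownAppId;    // app-id the parent uses; 0 for a plain child
};

// Stand-in for TabContextMayAccessOrigin: the parent builds the extended-origin
// prefix from the context and requires the requested origin to carry it.
// A plain URI has no prefix, so a plain child always fails this check.
bool MayAccessOrigin(const TabContext& ctx, const std::string& requested) {
    const std::string prefix = std::to_string(ctx.ownAppId) + "+";
    return requested.compare(0, prefix.size(), prefix) == 0;
}

// Logic as the source comment describes it: the check only runs for
// browser-or-app children, so a plain child is allowed any database.
bool AllowFailOpen(const TabContext& ctx, const std::string& requested) {
    if (ctx.isBrowserOrApp && !MayAccessOrigin(ctx, requested)) return false;
    return true;
}

// One fail-closed alternative (an assumption, not the fix chosen in the bug):
// refuse children the origin check cannot reason about.
bool AllowFailClosed(const TabContext& ctx, const std::string& requested) {
    if (!ctx.isBrowserOrApp) return false;
    return MayAccessOrigin(ctx, requested);
}

int main() {
    const TabContext app{true, 7}, plain{false, 0};  // constructed contexts
    bool ok = AllowFailOpen(app, "7+https://a.example") &&
              !AllowFailOpen(app, "9+https://b.example") &&
              AllowFailOpen(plain, "https://b.example") &&   // the hole
              !AllowFailClosed(plain, "https://b.example");
    return ok ? 0 : 1;
}
```
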

(In reply to Justin Lebar [:jlebar] from comment #0)
>   // XXXbent Need to make sure we have a whitelist for chrome databases!

We already took care of this with bug 805354, I just forgot to remove the comment :(
Priority: -- → P5