Closed Bug 818167 Opened 12 years ago Closed 11 years ago

Handle IsBrowserElement permissions correctly

Categories

(Core :: DOM: Device Interfaces, defect)

Product:
Core
Component:
DOM: Device Interfaces
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 829030
Project Flags:
blocking-basecamp -

People

(Reporter: gwagner, Unassigned)

Details

Bug 817758 was marked as fixed so I create a new one.

Currently we can't assert on the parent side that a permission was granted to a web page in the browser.

https://hg.mozilla.org/mozilla-central/file/0035f77045bc/dom/ipc/AppProcessPermissions.cpp#l36
I said this on IRC to gwagner, but to say it here: I am not convinced this is important.

In our architecture, we have to trust the browser process when it says "I'm acting on behalf of URL X."  Therefore this backstop parent-side check for "does the browser process have permission P?" boils down to "has the user granted /any website/ permission P?".  This is not a particularly strong security check.
Blocks: 813758
Flags: needinfo?(jonas)
I agree with comment 1.

Ideally I'd like to have an API where we transfer nsIPrincipals to the parent process with any call that we make. Then have an API on the parent side which answers the question "can this process act on the behalf of this principal". If the answer is "no" we kill the child process, if the answer is "yes" we use the principal to do security checks just like we would in the child process.

But this won't meaningfully increase the security from what we have now.
Flags: needinfo?(jonas)
for v.1, should we just grant the browser process geolocation permission?
(In reply to Doug Turner (:dougt) from comment #3)
> for v.1, should we just grant the browser process geolocation permission?

AIUI the parent-process backstop checks are named "*AppProcessPermission*" to indicate that they are only for app processes and not for browser processes.  (The comments in the header do not help clarify this, unfortunately.  I can say that because I reviewed and probably nitted on those comments.)

I would say the solution is not to call AssertAppProcessPermission for browser processes, or to rename and modify the methods so that they always return true for browser processes.
> or to rename and modify the methods so that they always return true for browser processes.

I guess this might be more complicated, because there are some permissions you never want to grant to browser processes.  That logic needs to live somewhere; it either lives in the callers, or we push it down into AssertAppProcessHasPermission.  The former seems sane to me.

Maybe we should add an assertion to AssertAppProcessHasPermission so that we don't use it for browser processes.
blocking-basecamp: --- → ?
sicking, gregor and I do not believe that this blocks 813758.  Because of this, it no longer blocks.
No longer blocks: 813758
blocking-basecamp: ? → -
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.