Closed
Bug 861302
Opened 12 years ago
Closed 12 years ago
Allow indedexDB to be used from about:home
Categories
(Core :: Storage: IndexedDB, defect)
Core
Storage: IndexedDB
Tracking
()
RESOLVED
FIXED
mozilla23
People
(Reporter: mak, Assigned: mak)
References
Details
Attachments
(1 file, 2 obsolete files)
|
2.50 KB,
patch
|
Details | Diff | Splinter Review |
It's currently not working, we have a patch by Jan Varga that fixes the issue though we need a content developer to evaluate its safety.
|
Assignee | |
Comment 1•12 years ago
|
||
Trying Boris, just by looking at ThirdPartyUtil.cpp hg log
Otherwise I suppose Sicking may review this...
Attachment #736906 -
Flags: review?(bzbarsky)
|
||
Comment 2•12 years ago
|
||
Comment on attachment 736906 [details] [diff] [review]
patch v1.0
What guarantees that aHostURI can't be about:blank from some web page?
|
|
||
Updated•12 years ago
|
Flags: needinfo?(mak77)
|
|
||
Comment 3•12 years ago
|
||
Attachment #736906 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Comment 4•12 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #2)
> Comment on attachment 736906 [details] [diff] [review]
> patch v1.0
>
> What guarantees that aHostURI can't be about:blank from some web page?
I'd say nothing, is about:home the only problematic case? I suppose the other about pages are more under our (or add-ons) control.
I can make about:home return NS_ERROR_INVALID_ARG
Flags: needinfo?(mak77)
|
|
Assignee | |
Comment 5•12 years ago
|
||
ehr sorry, I meant about:blank
|
|
||
Comment 6•12 years ago
|
||
Addons can add about: stuff with arbitrary security characteristics, including making them same-origin with random websites.
The real question I had was whether the incoming URI is from a _principal_ or whether it's a document URI. And if it's the latter, why.
|
|
Assignee | |
Comment 7•12 years ago
|
||
So the call comes from nsGlobalWindow::GetIndexedDB, it invokes thirdPartyUtil->IsThirdPartyWindow(this, nullptr, &isThirdParty), so not passing any URI.
This invokes ThirdPartyUtil::GetURIFromWindow, that QI the window to nsIScriptObjectPrincipal, then it invokes GetPrincipal() and from the principal GetURI. The URI is then directly passed to GetBaseDomain.
I skimmed through the getBaseDomain consumers and I didn't see much issues around.
Though, most of the ThirdPartyUtils methods base the result on IsThirdPartyInternal, that compares 2 domains. Since both of them may be acquired through GetBaseDomain, that means it will return false if file:// and about: uris are compared, or even if about: uris with different privileges are compared. I don't know how problematic that may be though, since I don't know much about the security checks that rely on ThirdPartyUtils.
|
|
||
Comment 8•12 years ago
|
||
Comment on attachment 736906 [details] [diff] [review]
patch v1.0
Oh, hmm. Right, this is not just changing the indexeddb code... :(
Can we somehow special-case the about: stuff just for indexeddb, perhaps?
One other thing: this is apparently about: URIs that are _not_ system-principal that we're talking about here?
|
|
Assignee | |
Comment 9•12 years ago
|
||
So far I only need it from about:home, that is content privileged. I can't predict future needs though, but probably we should attack that problem when it arises.
I could hack a bypass in nsGlobalWindow::GetIndexedDB, checking if the URI is for an about page and skipping the isThirdPartyWindow check. Or even providing a whitelist that so far would just be about:home.
But again I admit my ignorance whether that would be safe to do, I suppose the whitelist of URIs that can skip the isThirdPartyWindow check is the safer path?
|
|
Assignee | |
Comment 10•12 years ago
|
||
This is a more restricted patch that just whitelists about:home for indexedDB
Attachment #736906 -
Attachment is obsolete: true
Attachment #739858 -
Flags: review?(bzbarsky)
|
|
||
Comment 11•12 years ago
|
||
Comment on attachment 739858 [details] [diff] [review]
patch v1.1
>+ nsAutoCString spec;
>+ skipThirdPartyCheck = NS_SUCCEEDED(uri->GetSpec(spec)) &&
>+ spec.EqualsLiteral("about:home");
Better (or at least less string-copying) would be:
nsCAutoString path;
skipThirdPartyCheck = NS_SUCCEEDED(uri->GetPath(path)) &&
path.EqualsLiteral("home");
r=me with that
Attachment #739858 -
Flags: review?(bzbarsky) → review+
|
|
||
Comment 12•12 years ago
|
||
Oh, and I agree that this is the safest patch we can do here, and probably the right way to go.
|
|
Assignee | |
Updated•12 years ago
|
Summary: Allow indedexDB to be used from about: pages → Allow indedexDB to be used from about:home
|
|
Assignee | |
Comment 14•12 years ago
|
||
Target Milestone: --- → mozilla23
|
||
Comment 15•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•