Closed Bug 868528 Opened 7 years ago Closed 6 years ago
._content is not Xray
When chrome accesses content._content, a content-defined "content" property can be accessed. This is a regression from bug 861530.
What's the security rating here?
Maybe we should just ban chrome from accessing _content...
(In reply to Andrew McCreight [:mccr8] from comment #3)
> Maybe we should just ban chrome from accessing _content...

Given that _content isn't available in other UAs, I'd presumed that this was primarily a compat hack for addon code. So if we don't care about that, maybe we should just remove support for this stuff entirely.
I don't think we can break all the add-ons -- capped at 1000 hits and doesn't look like I got very far in the list
https://mxr.mozilla.org/addons/search?string=._content&find=&findi=&filter=_content\b&hitlimit=&tree=addons

CC'ing Jorge to keep an eye on this in case you decide to pursue that approach anyway, but I think you'll need to find another fix.

In the short term what happens if we back out "sec-audit" bug 861530? Was that fixing a problem more severe than indicated by the security rating?
Yeah, I filed bug 869229 to remove _content, then bholley pointed out it is used all over the place, so I closed it WONTFIX.
I can take this.
Assignee: nobody → bobbyholley+bmo
Actually, it looks like we never supported this over Xrays at all before, so all those addon usages are probably doing it against their own (privileged) windows. As such, I think we can just kill this over Xray. I'll write a patch.
Comment on attachment 746665 [details] [diff] [review] Don't expose _content over Xrays. v1 Review of attachment 746665 [details] [diff] [review]: ----------------------------------------------------------------- Nice! ::: dom/base/nsDOMClassInfo.cpp @@ +5027,5 @@ > *objp = obj; > return NS_OK; > } > > + // NB: By accident, we previously idn't support this over Xrays. This is a idn't --> didn't
Attachment #746665 - Flags: review?(continuation) → review+
Verified as fixed on:
Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0 (20130718163513)
Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20130718 Firefox/25.0 (20130718030201)*

*On the latest Nightly, I tested with the Browser Console, since that's supposed to replace the Error Console.
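A simplified model of the behaviour discussed in this bug, added here as an illustration and not taken from the Gecko patch or from any commenter. The names `NATIVE`, `makeContentWindow`, `makeChromeView` and `observe` are hypothetical, and the `Proxy` objects only stand in for Xray wrappers.

```javascript
// Toy model of the bug class, constructed for illustration (not Gecko code).
// NATIVE holds the browser-defined properties of a content window; the page
// can shadow any of them with its own "expando" values.
const NATIVE = { content: "native-top-window", location: "https://example.test/" };

function makeContentWindow() {
  const expandos = Object.create(null);
  // View used by page script: expandos shadow native properties.
  const pageView = new Proxy({}, {
    get: (_, name) => (name in expandos ? expandos[name] : NATIVE[name]),
    set: (_, name, value) => { expandos[name] = value; return true; },
  });
  return { pageView, expandos };
}

// Privileged ("chrome") view. An Xray-style wrapper must answer only from
// NATIVE and never consult page-defined state.
function makeChromeView(win, { aliasThroughPage }) {
  return new Proxy({}, {
    get(_, name) {
      if (name === "_content") {
        // Behaviour reported in the bug: the alias ends up reading "content"
        // from the underlying object, so a page-defined value is visible.
        // Behaviour after the fix: the alias is not exposed over the wrapper.
        return aliasThroughPage ? win.pageView.content : undefined;
      }
      return NATIVE[name];
    },
  });
}

// Returns what chrome code observes after the page shadows `content`.
function observe(aliasThroughPage) {
  const win = makeContentWindow();
  win.pageView.content = "page-controlled"; // page script defines `content`
  const chrome = makeChromeView(win, { aliasThroughPage });
  return { content: chrome.content, _content: chrome._content };
}

console.log("reported:", observe(true));
console.log("fixed:   ", observe(false));
```

In both runs the direct `content` read stays on the native value; only the `_content` alias differs, which is the path the patch closes.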