XOWs shouldn't allow CALL

RESOLVED FIXED in mozilla24

People

(Reporter: bholley, Assigned: bholley)

Tracking

unspecified
mozilla24
x86
Mac OS X

(Assignee)

Description

6 years ago
It doesn't come up in the web platform, and probably doesn't matter, but I still don't think there's any reason why we should be allowing it. Let's see if anything breaks.
(Assignee)

Comment 2

6 years ago
Created attachment 752003 [details] [diff] [review]
Don't allow CALL on XOWs. v1

Optimistically flagging for review. Feel free to cancel if the try push is
orange and I haven't cancelled it yet myself.
Attachment #752003 - Flags: review?(mrbkap)

Comment on attachment 752003 [details] [diff] [review]
Don't allow CALL on XOWs. v1

Sure. I'd always sort of thought of this as a purely object-caps model (if you get your hands on a function, you have that capability) but calling a DOM constructor cross origin is probably never a good idea.
Attachment #752003 - Flags: review?(mrbkap) → review+

Comment 5

6 years ago
https://hg.mozilla.org/mozilla-central/rev/39cc37f82756
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24