Closed Bug 901538 Opened 11 years ago Closed 6 years ago

Usage of privileged XMLHttpRequest could be downgraded

Categories

(Firefox OS Graveyard :: Gaia::E-Mail, defect)

defect
Not set
normal

Tracking

(blocking-b2g:-)

RESOLVED WONTFIX
blocking-b2g -

People

(Reporter: freddy, Unassigned)

References

Details

(Keywords: sec-other, wsec-session)

The app is making use of the XMLHttpRequest object with the mozSystem extension that allows cross-origin requests.

It's probably better to use it only when necessary and make the requests explicitly anonymous (mozAnon: true).

We are also using it for requests towards the autoconfig and MX resolution bits, which are our own property. I see no reason not to allow CORS for these properties and use non-privileged XHR here.

These pieces of code use the privileged XHR:
./js/ext/mailapi/worker-bootstrap.js:1382
./js/ext/mailapi/worker-bootstrap.js:13994
./js/ext/mailapi/activesync/protocollayer.js:2529 (anon)
./js/ext/mailapi/activesync/protocollayer.js:2747 (anon)
./js/ext/mailapi/activesync/protocollayer.js:2897 (anon)
./js/text.js:4: (non-priv)
./js/tmpl_builder.js:62: (non-priv)
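
An audit pass that sorts XMLHttpRequest constructor calls into the same buckets the list above uses (privileged, anon, non-priv). This is an added example, not code from the Gaia e-mail app; the function names and the sample source lines are constructed for illustration. It assumes each constructor call sits on one line.

```javascript
// Added example: classify `new XMLHttpRequest(...)` call sites by the
// mozSystem / mozAnon constructor flags. Regex-based, so it only understands
// an inline object literal on a single line; anything else is 'unknown'.
const XHR_CALL = /new\s+XMLHttpRequest\s*\(([^)]*)\)/g;

function flagIsTrue(args, name) {
  return new RegExp('\\b' + name + '\\s*:\\s*true\\b').test(args);
}

function classifyArgs(args) {
  const trimmed = args.trim();
  // A variable or expression argument cannot be judged statically here.
  if (trimmed !== '' && !trimmed.startsWith('{')) return 'unknown';
  if (!flagIsTrue(trimmed, 'mozSystem')) return 'non-priv';
  return flagIsTrue(trimmed, 'mozAnon') ? 'privileged (anon)' : 'privileged';
}

function classifyXhrCalls(source, file) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(XHR_CALL)) {
      findings.push({ file, line: i + 1, kind: classifyArgs(m[1]) });
    }
  });
  return findings;
}

// Call sites a reviewer should look at: privileged without mozAnon, or
// options that could not be resolved from the source text.
function needsReview(findings) {
  return findings.filter(f => f.kind === 'privileged' || f.kind === 'unknown');
}

// Constructed sample input (not taken from the app's source).
const SAMPLE = [
  'var a = new XMLHttpRequest({mozSystem: true});',
  'var b = new XMLHttpRequest({mozSystem: true, mozAnon: true});',
  'var c = new XMLHttpRequest();',
  'var d = new XMLHttpRequest(opts);',
].join('\n');

for (const f of classifyXhrCalls(SAMPLE, 'sample.js')) {
  console.log(`${f.file}:${f.line} (${f.kind})`);
}
```
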
Depends on: 901540
blocking-b2g: --- → koi?
Not a blocker for koi.
blocking-b2g: koi? → -
Firefox OS is not being worked on.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX