Closed
Bug 901538
Opened 11 years ago
Closed 6 years ago
Usage of privileged XMLHttpRequest could be downgraded
Categories
(Firefox OS Graveyard :: Gaia::E-Mail, defect)
Tracking
(blocking-b2g:-)
RESOLVED
WONTFIX
People
(Reporter: freddy, Unassigned)
References
Details
(Keywords: sec-other, wsec-session)
The app is making use of the XMLHttpRequest object with the mozSystem extension that allows cross-origin requests. It's probably better to use it only when necessary and make them explicitly anonymous (mozAnon: true).

We are also using it for requests towards the autoconfig and MX resolution bits, which are our own property. I see no reason not to allow CORS for these properties and use non-privileged XHR here.

These code pieces use the privileged XHR:
./js/ext/mailapi/worker-bootstrap.js:1382
./js/ext/mailapi/worker-bootstrap.js:13994
./js/ext/mailapi/activesync/protocollayer.js:2529 (anon)
./js/ext/mailapi/activesync/protocollayer.js:2747 (anon)
./js/ext/mailapi/activesync/protocollayer.js:2897 (anon)
./js/text.js:4: (non-priv)
./js/tmpl_builder.js:62: (non-priv)
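An added example, not part of the original report or the Gaia code base: a small audit helper that classifies `new XMLHttpRequest(...)` calls the way the list above annotates them (privileged, anon, non-priv). The function names, the `unknown` label and the sample source are constructed for illustration.

```javascript
// Audit helper: classify each `new XMLHttpRequest(...)` call by privilege level.
// Assumption: options are passed as an inline object literal; anything else is 'unknown'.
const XHR_CALL = /new\s+XMLHttpRequest\s*\(([^)]*)\)/g;

function flagIsTrue(args, name) {
  // Accepts `mozSystem: true`, `"mozSystem": true` and `'mozSystem' : true`.
  return new RegExp(`['"]?\\b${name}\\b['"]?\\s*:\\s*true\\b`).test(args);
}

function classifyXhrCalls(source, file) {
  const findings = [];
  for (const m of source.matchAll(XHR_CALL)) {
    const args = m[1].trim();
    // 1-based line number of the start of the call, so multi-line calls report correctly.
    const line = source.slice(0, m.index).split('\n').length;
    let level;
    if (args !== '' && !args.startsWith('{')) {
      level = 'unknown'; // options built elsewhere, needs manual review
    } else if (flagIsTrue(args, 'mozSystem')) {
      level = flagIsTrue(args, 'mozAnon') ? 'privileged-anon' : 'privileged';
    } else {
      level = 'non-priv';
    }
    findings.push({ file, line, level });
  }
  return findings;
}

// Privileged calls not marked anonymous, plus calls that cannot be judged statically.
function needsReview(findings) {
  return findings.filter(f => f.level === 'privileged' || f.level === 'unknown');
}

// Constructed sample source, not taken from the Gaia e-mail app.
const SAMPLE = [
  'var a = new XMLHttpRequest({mozSystem: true});',
  'var b = new XMLHttpRequest({',
  '  mozSystem: true,',
  '  mozAnon: true',
  '});',
  'var c = new XMLHttpRequest();',
  'var d = new XMLHttpRequest(xhrOpts);',
].join('\n');

for (const f of classifyXhrCalls(SAMPLE, 'sample.js')) {
  console.log(`${f.file}:${f.line} (${f.level})`);
}
```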
Updated•11 years ago
blocking-b2g: --- → koi?
Comment 2•6 years ago
Firefox OS is not being worked on
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX