Closed Bug 916945 Opened 11 years ago Closed 11 years ago

Stop returning cross-origin subframes for named access on Window

Categories

(Core :: XPConnect, defect)

x86
macOS
defect
Not set
normal


RESOLVED FIXED
mozilla27

People

(Reporter: bholley, Assigned: bholley)

Details

Attachments

(2 files)

This is similar to bug 916939, but distinct. The issue is that the browsing context / docshell hierarchy effectively leaks window.name cross-origin, even though window.name itself is not available cross-origin. A page can sniff the name of another page by simply embedding that page in a frame and inspecting the named properties object / GSP on the prototype chain of the Window. This is problematic from a number of angles, including the information flow control stuff that deian has been working on. Let's see if the web breaks when we stop supporting it.
This doesn't really depend on bug 916939, but I'm marking it as such because I want to get that landed first before doing this.
Depends on: 916939
No longer depends on: 916939
Actually, I just realized that this is pretty hard to do, given the linkage between window.name and window.frameElement.getAttribute('name'). We could store these as separate values in the cross-origin case, but that would require some trickery. The implications for servo here are kind of crappy, but it might not be worth messing with. Thoughts, Boris?
Flags: needinfo?(bzbarsky)
I'm not sure what issue you're worried about...
Flags: needinfo?(bzbarsky)
Boris and I discussed this on IRC. There are definitely information leaks, but we still may be able to fix the namespace pollution, which is the bigger issue for servo.
I thought of a trick that makes this much more likely to be web-compatible. :-)
Attachment #807395 - Flags: review?(bzbarsky)
Attached patch Tests. v1 (Splinter Review)
Attachment #807396 - Flags: review?(bzbarsky)
Comment on attachment 807395 [details] [diff] [review] Stop returning cross-origin subframes for named access in global scope (unless the iframe name matches). v2 Review of attachment 807395 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/base/WindowNamedPropertiesHandler.cpp @@ +63,5 @@ > + // computed independently by the parent. > + nsCOMPtr<nsPIDOMWindow> piWin = do_QueryInterface(aChild); > + NS_ENSURE_TRUE(piWin, false); > + nsString frameElementName; > + piWin->GetFrameElementInternal()->GetAttr(kNameSpaceID_None, nsGkAtoms::name, No need to null-check? @@ +64,5 @@ > + nsCOMPtr<nsPIDOMWindow> piWin = do_QueryInterface(aChild); > + NS_ENSURE_TRUE(piWin, false); > + nsString frameElementName; > + piWin->GetFrameElementInternal()->GetAttr(kNameSpaceID_None, nsGkAtoms::name, > + frameElementName); AttrValueIs?
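Review bot: in the @@ +63,5 @@ hunk the pointer returned by piWin->GetFrameElementInternal() is dereferenced straight away to call GetAttr, while piWin itself gets NS_ENSURE_TRUE(piWin, false) one line earlier; the frame element should get the same guard (or an early return) before its name attribute is read. Since the attribute is only fetched to compare it against the looked-up name, AttrValueIs(kNameSpaceID_None, nsGkAtoms::name, ...) would express that directly without copying into frameElementName, which is the same point raised for the @@ +64,5 @@ hunk.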
Comment on attachment 807395 [details] [diff] [review] Stop returning cross-origin subframes for named access in global scope (unless the iframe name matches). v2 r=me. Let's hope...
Attachment #807395 - Flags: review?(bzbarsky) → review+
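A plain-JavaScript model of the lookup rule the patch settles on, added here as an illustration and not Gecko code: the old behaviour matched any child on its own window.name, the new one consults window.name only for same-origin children and otherwise compares against the parent's own iframe name attribute. All frame records and origins below are constructed sample data.

```javascript
// Constructed sample: a parent document with three child frames.
// "elementName" is the parent's <iframe name="..."> attribute (parent-controlled);
// "windowName" is whatever the child document set via window.name (child-controlled).
const parentOrigin = "https://embedder.example";
const childFrames = [
  { elementName: "same",   windowName: "same",   origin: parentOrigin },
  { elementName: "widget", windowName: "secret", origin: "https://third.example" },
  { elementName: "ad",     windowName: "ad",     origin: "https://ads.example" },
];

// Pre-fix behaviour: named access walks the docshell hierarchy and matches the
// child's window.name regardless of origin, so window["secret"] resolves and the
// embedder learns a cross-origin window.name it is not supposed to see.
function legacyLookup(frames, name) {
  return frames.find((frame) => frame.windowName === name) || null;
}

// Post-fix behaviour (model of the patch): a same-origin child may still be found
// by window.name; a cross-origin child is returned only when the name the parent
// itself assigned in the iframe element matches. The cross-origin child's
// window.name is never consulted, so it cannot be sniffed through named access.
function resolveNamedFrame(frames, name, embedderOrigin) {
  for (const frame of frames) {
    if (frame.origin === embedderOrigin) {
      if (frame.windowName === name) return frame;
    } else if (frame.elementName === name) {
      return frame;
    }
  }
  return null; // no named property; lookup falls through to the prototype chain
}

// Demonstration: the leak under the old rule and its absence under the new one.
function demo() {
  return {
    leaked: legacyLookup(childFrames, "secret") !== null,
    stillLeaks: resolveNamedFrame(childFrames, "secret", parentOrigin) !== null,
    parentNameWorks: resolveNamedFrame(childFrames, "widget", parentOrigin) !== null,
  };
}
```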
Comment on attachment 807396 [details] [diff] [review] Tests. v1 r=me
Attachment #807396 - Flags: review?(bzbarsky) → review+
Looks green modulo some android reftest weirdness that KWierso doesn't think is related. Pushing:
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/016fa9293f66
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/eef35ea0291b
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla27