Bug 916945 - Stop returning cross-origin subframes for named access on Window
Opened 11 years ago; closed 11 years ago
Categories: Core :: XPConnect, defect
Status: RESOLVED FIXED, target milestone mozilla27
People: Reporter: bholley; Assigned: bholley
Attachments (2 files):
4.82 KB, patch, bzbarsky: review+
3.46 KB, patch, bzbarsky: review+
Description
This is similar to bug 916939, but distinct.
The issue is that the browsing context / docshell hierarchy effectively leaks window.name cross-origin, even though window.name itself is not available cross-origin. A page can sniff the name of another page by simply embedding that page in a frame and inspecting the named properties object / GSP on the prototype chain of the Window.
This is problematic from a number of angles, including the information flow control stuff that deian has been working on. Let's see if the web breaks when we stop supporting it.
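The named lookup the description refers to, as an added example that is not code from the bug or from Gecko: a small JavaScript model of how the Window named-properties lookup decides whether a child browsing context is exposed under a given name. It contrasts the leaky behaviour described above (any child whose window.name matches is returned, whatever its origin) with the policy in the attached patch's title, where a cross-origin child is still returned only if the parent's own iframe name attribute matches. The origins, frame names and every function name are constructed for the example.

```javascript
// Added example, not code from the bug or from Gecko: a small model of the
// Window named-properties lookup, contrasting the leaky behaviour the bug
// describes with the policy in the patch title ("unless the iframe name
// matches"). Origins, names and all function names here are constructed.

// A child browsing context as the parent sees it. `frameElementName` is the
// name attribute of the parent's own <iframe>, which the parent chose and
// already knows; `windowName` is the child's window.name, which a
// cross-origin child document may have changed to anything it likes.
function makeChild(origin, frameElementName, windowName) {
  return { origin, frameElementName, windowName };
}

// Pre-fix lookup: window[name] resolves to the first child whose window.name
// matches, whatever its origin. A parent can therefore learn a cross-origin
// child's window.name just by probing names, even though reading
// child.name directly is blocked cross-origin.
function lookupNamedChildLeaky(parentOrigin, children, name) {
  return children.find((c) => c.windowName === name) || null;
}

// Fixed lookup: same-origin children still match on window.name, so existing
// same-origin code keeps working; a cross-origin child is returned only when
// the requested name equals the parent's iframe name attribute, a value the
// parent computed itself, so the answer reveals nothing the parent lacked.
function lookupNamedChildFixed(parentOrigin, children, name) {
  const match = children.find((c) =>
    c.origin === parentOrigin
      ? c.windowName === name
      : c.frameElementName === name
  );
  return match || null;
}

// Property check for a lookup policy: does any cross-origin child whose
// window.name differs from its iframe name become reachable under that
// window.name? True means the policy leaks window.name across origins.
function leaksCrossOriginName(lookup, parentOrigin, children) {
  return children.some(
    (c) =>
      c.origin !== parentOrigin &&
      c.windowName !== c.frameElementName &&
      lookup(parentOrigin, children, c.windowName) === c
  );
}

// Constructed scenario: one same-origin frame that renamed itself, one
// cross-origin frame that kept its name, and one cross-origin frame that set
// a window.name the parent should not be able to observe.
const PARENT_ORIGIN = "https://parent.example";
const CHILDREN = [
  makeChild("https://parent.example", "same", "renamedSame"),
  makeChild("https://other.example", "ad", "ad"),
  makeChild("https://other.example", "widget", "secretName"),
];

// Stand-alone run: show what each policy answers for the renamed name and
// whether it leaks cross-origin window.name at all.
for (const [label, lookup] of [
  ["leaky", lookupNamedChildLeaky],
  ["fixed", lookupNamedChildFixed],
]) {
  const hit = lookup(PARENT_ORIGIN, CHILDREN, "secretName");
  console.log(
    `${label}: window["secretName"] -> ${hit ? "frame " + hit.frameElementName : "undefined"}; ` +
      `leaks cross-origin window.name: ${leaksCrossOriginName(lookup, PARENT_ORIGIN, CHILDREN)}`
  );
}
```

The point of `leaksCrossOriginName` is that it is a property check rather than a probe: a regression test for this bug can run it against the lookup policy and fail if any cross-origin child with a changed window.name ever becomes reachable under that name, while the same-origin and unchanged-name cases in the scenario keep resolving exactly as before the fix.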
Comment 1 (assignee) • 11 years ago
This doesn't really depend on bug 916939, but I'm marking it as such because I want to get that landed first before doing this.
Depends on: 916939
Comment 2 (assignee) • 11 years ago
Actually, I just realized that this is pretty hard to do, given the linkage between window.name and window.frameElement.getAttribute('name'). We could store these as separate values in the cross-origin case, but that would require some trickery.
The implications for servo here are kind of crappy, but it might not be worth messing with. Thoughts, Boris?
Flags: needinfo?(bzbarsky)
Comment 4 (assignee) • 11 years ago
Boris and I discussed this on IRC. There are definitely information leaks, but we still may be able to fix the namespace pollution, which is the bigger issue for servo.
Comment 5 (assignee) • 11 years ago
Comment 6 (assignee) • 11 years ago
I thought of a trick that makes this much more likely to be web-compatible. :-)
Attachment #807395 - Flags: review?(bzbarsky)
Comment 7 (assignee) • 11 years ago
Attachment #807396 - Flags: review?(bzbarsky)
Comment 8 (assignee) • 11 years ago
Comment 9 • 11 years ago
Comment on attachment 807395
Stop returning cross-origin subframes for named access in global scope (unless the iframe name matches). v2
Review of attachment 807395:
::: dom/base/WindowNamedPropertiesHandler.cpp
@@ +63,5 @@
> + // computed independently by the parent.
> + nsCOMPtr<nsPIDOMWindow> piWin = do_QueryInterface(aChild);
> + NS_ENSURE_TRUE(piWin, false);
> + nsString frameElementName;
> + piWin->GetFrameElementInternal()->GetAttr(kNameSpaceID_None, nsGkAtoms::name,
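Review bot: `piWin->GetFrameElementInternal()->GetAttr(...)` dereferences the frame element without a null check, while `piWin` itself is guarded by `NS_ENSURE_TRUE` on the line before. If `GetFrameElementInternal()` can return null for this child (a window no longer attached to a frame element, for instance), store the result in a local and return false when it is null, in the same style as the `piWin` check, rather than relying on the caller never passing such a child.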
No need to null-check?
@@ +64,5 @@
> + nsCOMPtr<nsPIDOMWindow> piWin = do_QueryInterface(aChild);
> + NS_ENSURE_TRUE(piWin, false);
> + nsString frameElementName;
> + piWin->GetFrameElementInternal()->GetAttr(kNameSpaceID_None, nsGkAtoms::name,
> + frameElementName);
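Review bot: copying the attribute into `frameElementName` with `GetAttr` and comparing afterwards is two steps and a string copy where a single attribute comparison on the element would do; `AttrValueIs(kNameSpaceID_None, nsGkAtoms::name, <requested name>, eCaseMatters)` expresses the check in one call, drops the `nsString` temporary from the lookup path, and makes the case treatment of the name match explicit.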
AttrValueIs?
Comment 10 • 11 years ago
Comment on attachment 807395
Stop returning cross-origin subframes for named access in global scope (unless the iframe name matches). v2
r=me. Let's hope...
Attachment #807395 - Flags: review?(bzbarsky) → review+
Comment 11 • 11 years ago
Comment on attachment 807396
Tests. v1
r=me
Attachment #807396 - Flags: review?(bzbarsky) → review+
Comment 12 (assignee) • 11 years ago
Full try push: https://tbpl.mozilla.org/?tree=Try&rev=0461b2964333
Comment 13 (assignee) • 11 years ago
Looks green modulo some android reftest weirdness that KWierso doesn't think is related. Pushing:
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/016fa9293f66
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/eef35ea0291b
Comment 14 • 11 years ago
https://hg.mozilla.org/mozilla-central/rev/016fa9293f66
https://hg.mozilla.org/mozilla-central/rev/eef35ea0291b
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla27