Closed Bug 916983 Opened 11 years ago Closed 11 years ago

Stop allowing write access for named access on cross-origin properties

Categories

(Core :: XPConnect, defect)

x86
macOS
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla27

People

(Reporter: bholley, Assigned: bholley)

Attachments

(1 file)

A quirk of our implementation currently allows this through. It isn't a security problem because it'll just end up as an expando on the Xray holder, but we should still fix it.
Bug 916939 does this and more. But since we may have to back that out, I want to get this into the tree first.
Attachment #805671 - Flags: review?(bzbarsky)
Comment on attachment 805671 [details] [diff] [review]
Stop allowing writes for named access to cross-origin properties. v1

Does this still allow cross-origin location.href sets?
Flags: needinfo?(bobbyholley+bmo)
(In reply to Boris Zbarsky [:bz] from comment #3)
> Comment on attachment 805671 [details] [diff] [review]
> Stop allowing writes for named access to cross-origin properties. v1
> 
> Does this still allow cross-origin location.href sets?

Yes. Most of the magic happens in the IsPermitted check. This just causes us to bail for writes before the final IsFrameId check (which goes away entirely in bug 916939).

I would sure hope that comment 1 would be bright orange if cross-origin location.href sets were broken.
Flags: needinfo?(bobbyholley+bmo)
Gabor, how familiar are you with the security wrapper code? Are you comfortable reviewing this patch?
Flags: needinfo?(gkrizsanits)
Comment on attachment 805671 [details] [diff] [review]
Stop allowing writes for named access to cross-origin properties. v1

r=me
Attachment #805671 - Flags: review?(bzbarsky) → review+
Do you still need a review from me? The patch looks good to me at first glance, does exactly what you want, but if you want me to take some more time looking into it just flag me for review. I would like to think I'm familiar enough with this area.
Flags: needinfo?(gkrizsanits)
https://hg.mozilla.org/mozilla-central/rev/7a4b9ce02f96
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
No longer blocks: 916939
Blocks: 916939