Closed Bug 925802 Opened 7 years ago Closed 7 years ago

Nothing enforces that mozAnon is set to true for mozSystem XHRs

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 927196

People

(Reporter: sicking, Unassigned)

Details

The following call should always fail:

new XMLHttpRequest({ mozSystem: true });

Instead you are supposed to be required to do

new XMLHttpRequest({ mozSystem: true, mozAnon: true });


I.e. setting mozSystem to true should only be allowed when mozAnon is set to true. I don't see that being enforced anywhere in the code. This is a security problem and should block.

The fix is trivial, but we also need tests.

Can we backport a fix to 1.1 still? If not we should take this for 1.2.
Patches happening in bug 927196.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2014-1503
blocking-b2g: leo? → ---
Group: core-security → core-security-release
Group: core-security-release
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.