Closed
Bug 940085
Opened 11 years ago
Closed 10 years ago
It's possible to call some methods on a cross-origin window by using bug 936056
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
FIXED
mozilla29
Branch | Tracking | Status
---|---|---
firefox25 | --- | wontfix |
firefox26 | --- | wontfix |
firefox27 | --- | fixed |
firefox28 | --- | fixed |
firefox-esr17 | --- | unaffected |
firefox-esr24 | --- | fixed |
b2g18 | --- | unaffected |
b2g-v1.1hd | --- | unaffected |
b2g-v1.2 | --- | fixed |
b2g-v1.3 | --- | fixed |
b2g-v1.3T | --- | fixed |
b2g-v1.4 | --- | fixed |
People
(Reporter: moz_bug_r_a4, Assigned: peterv)
References
Details
(Keywords: sec-high, Whiteboard: [fixed by 938640 and 936056: see comment 8])
Attachments
(2 files)
Bug 936056 allows script to get the inner window, and it's possible to call some methods on a cross-origin window by using the inner window. This bug is similar to bug 938640, which affects fx27,28, but this bug affects fx24-28.
Comment 1 • 11 years ago (Reporter)
Comment 2 • 11 years ago (Reporter)
Comment 3 • 11 years ago
Yeah, this is the same exact thing in bug 938640 except there we manage to invoke these on an inner that's not same-origin with its outer via WebIDL the global computation in WebIDL methods and here we just do it more directly. I would think that the same fix as for bug 938640, appropriately backported, would help here.
Updated • 11 years ago
status-b2g18: --- → unaffected
status-firefox25: --- → wontfix
status-firefox26: --- → affected
status-firefox27: --- → affected
status-firefox28: --- → affected
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → affected
Comment 4 • 11 years ago
Boris explained to me on IRC that this generalizes the attack from bug 938640 so that it's no longer just a regression from webidl quickstubs, but affects anything that bug 936056 affects, because it uses the JIT, rather than bareword references, to operate on a non-current inner.
Depends on: CVE-2014-1481
Comment 5 • 11 years ago
Peter is looking at bug 938640, and comment 3 says the fix for this will be the same or at least similar, so I'm going to set him as assigned here.
Assignee: nobody → peterv
Comment 7 • 10 years ago
Is this fixed by bug 938640, moz_bug_r_a4? Thanks.
Flags: needinfo?(moz_bug_r_a4)
Comment 8 • 10 years ago (Reporter)
(In reply to Andrew McCreight [:mccr8] from comment #7)
> Is this fixed by bug 938640, moz_bug_r_a4? Thanks.

This is fixed by bug 938640 on fx >= 27, but this is fixed by bug 936056 on esr24.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(moz_bug_r_a4)
Resolution: --- → FIXED
Updated • 10 years ago
Flags: needinfo?(peterv)
Updated • 10 years ago
Whiteboard: [fixed by 938640 and 936056: see comment 8]
Updated • 10 years ago
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → fixed
status-b2g-v1.3: --- → fixed
status-b2g-v1.4: --- → fixed
Target Milestone: --- → mozilla29
Nominating in-testsuite given this has testcases.
Flags: in-testsuite?
Updated • 10 years ago
status-b2g-v1.3T: --- → fixed
Updated • 9 years ago
Group: core-security