Closed Bug 13192 Opened 25 years ago Closed 23 years ago

Review GetGlobalObject calls

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect

Tracking


VERIFIED FIXED
Future

People

(Reporter: joro, Assigned: security-bugs)

References


Details

There is a "feature" in Mozilla 5.0 build 1999090408 (and earlier builds) which does not allow access from scripts to documents in the SAME domain (and directory). I think that this is "oversecured" and is a bug. The code is (in the domain www.nat.bg):

    a=window.open("http://www.nat.bg/~joro/mozilla/links.html");
    setTimeout("alert(a.document.links[0]);",4000);

The script gives the error:

    JavaScript error: access disallowed from scripts at .... to documents at another domain

Demonstration is available at: http://www.nat.bg/~joro/mozilla/oversec.html
Status: NEW → ASSIGNED
This isn't occurring for me with a build I built this morning. Could you retry the next time you get a build?
Target Milestone: M11
Blocks: 12633
Unfortunately I could not verify this with the build from 7 September - it crashes at starting. Shall try with a newer build.
Checked with build 1999090808. The problem persists and gives the same JavaScript error.
It fails for me now. Thanks for retrying.
Whiteboard: help wanted: joki or vidur
Assignee: norris → vidur
Status: ASSIGNED → NEW
Whiteboard: help wanted: joki or vidur
I'll reassign this to you while you work on the document part of the fix.
Assignee: vidur → norris
Checked in the document fix (document was incorrectly being parented by the global object of the calling context, not the containing context). The other places that need to be similarly fixed are included in the list generated by http://lxr.mozilla.org/seamonkey/ident?i=GetGlobalObject.
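A toy model of the mis-parenting described in the comment above, added here as an illustration and not Mozilla's code. Global, ScriptDocument, checkAccess, scenario and the "creator" origin are invented for the example; the report does not say which context created the document object, so the example assumes one outside www.nat.bg.

```javascript
// Added illustration (not Mozilla code): a toy model of the same-origin check
// that bug 13192 describes. Global, ScriptDocument, checkAccess and scenario
// are names invented for this example.

// A script context ("global object") belongs to one window and so to one origin.
class Global {
  constructor(name, origin) { this.name = name; this.origin = origin; }
}

// A document is owned by the window that contains it. The security check
// learns the document's origin by walking to its parent global, so the parent
// must be the containing window's global, not whichever context built it.
class ScriptDocument {
  constructor(url, containingGlobal, creatingGlobal, parentMode) {
    this.url = url;
    // Bug: parent taken from the calling (creating) context.
    // Fix: parent taken from the window that holds the document.
    this.parent = parentMode === "calling" ? creatingGlobal : containingGlobal;
  }
}

// The check a script must pass before reading another document's DOM:
// the subject's origin must equal the origin of the document's parent global.
function checkAccess(subjectGlobal, doc) {
  return subjectGlobal.origin === doc.parent.origin;
}

// Replays the report's scenario (an opener on www.nat.bg reading a popup it
// opened on www.nat.bg) under both parenting rules, plus a real cross-domain
// popup to show the fix does not weaken the check. Constructed assumption:
// the context that created the document objects was not a www.nat.bg window.
function scenario(parentMode) {
  const opener = new Global("opener", "http://www.nat.bg");
  const popup = new Global("popup", "http://www.nat.bg");
  const foreign = new Global("foreign popup", "http://other.example");
  const creator = new Global("creator", "internal://constructed-creator");
  const sameDomain = new ScriptDocument("http://www.nat.bg/~joro/mozilla/links.html",
                                        popup, creator, parentMode);
  const crossDomain = new ScriptDocument("http://other.example/", foreign, creator, parentMode);
  return {
    sameDomainAllowed: checkAccess(opener, sameDomain),
    crossDomainAllowed: checkAccess(opener, crossDomain),
  };
}

// With the fix ("containing"): same-domain access allowed, cross-domain refused.
// With the bug ("calling"): the same-domain access is refused, as the reporter saw.
```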
Status: NEW → ASSIGNED
Target Milestone: M11 → M14
No longer blocks: 12633
We can fix the other places after beta.
Vidur fixed nsHTMLDocument::GetScriptObject
Fixed the use of GetGlobalObject for the location object.
<!--/* Simple script to reproduce in 1999121712: */-->
<HTML>
<HEAD>
<TITLE>Security Test</TITLE>
<SCRIPT>
function newWin(){
  var kWn=open("blank.htm","winName","width=*,height=*");
  //Following statement does not execute:
  alert("kWn.document.URL="+kWn.document.URL);
}//End newWin(..)
</SCRIPT>
</HEAD>
<BODY>
<FORM>
<INPUT type="button" value="Test Security" onClick="newWin()">
</FORM>
</BODY>
</HTML>

<!--/*
browser.startup.page = 1
startpage = http://127.0.0.1/newWindow/index.htm
failed to set the page title.
Document http://127.0.0.1/newWindow/index.htm loaded successfully
Document: Done (0.66 secs)
WEBSHELL+ = 4
JavaScript Error: ReferenceError: Shutdown is not defined
nsXULKeyListenerImpl::Init()
WEBSHELL+ = 5
Setting content window
browser.startup.page = 1
startpage = http://127.0.0.1/newWindow/index.htm
JavaScript Error: access disallowed from scripts at [Codebase http://127.0.0.1/newWindow/index.htm] to documents at another domain
URL: http://127.0.0.1/newWindow/index.htm LineNo: 8
JavaScript Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "http://127.0.0.1/newWindow/index.htm Line: 8"]
Document http://127.0.0.1/newWindow/blank.htm loaded successfully
Document: Done (0.44 secs)
*/-->
See comments on bug 14916, looks like this bug may be fixed?
Summary: Mozilla is "oversecured" and does not allow access to documents in the same domain → Review GetGlobalObject calls
The test case from bht@actrix.gen.nz no longer fails. The bug is still open pending the review of GetGlobalObject calls. I'm changing the title to reflect that.
Target Milestone: M14 → M15
Push security review tasks off until M16.
Target Milestone: M15 → M16
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
Target Milestone: M16 → M18
Changing Qa contact to myself.
QA Contact: dshea → junruh
Bulk reassigning most of norris's bugs to mstoltz.
Assignee: norris → mstoltz
Status: ASSIGNED → NEW
Security reviews and denial-of-service attacks. These will be addressed in the post-beta2 timeframe (unless someone's interested in tackling them earlier?)
Status: NEW → ASSIGNED
Assigning QA to czhang
QA Contact: junruh → czhang
Future.
Target Milestone: M18 → Future
QA Contact: czhang → junruh
Mass changing QA to ckritzer.
QA Contact: junruh → ckritzer
> Checked in the document fix (document was incorrectly being parented by the
> global object of the calling context, not the containing context). The other
> places that need to be similarly fixed are included in
> the list generated by http://lxr.mozilla.org/seamonkey/ident?i=GetGlobalObject.

Old bug. My guess is that this is no longer a problem, but I wanted to run it by you guys. cc'ing vidur and jst. Are we still using the wrong parent object anywhere?
I didn't look through all the callers of GetGlobalObject, but if there's a problem somewhere I would think that people would be complaining, and I don't see people complaining, so I say close this one, unless someone is interested in reviewing all the callers...
I think we're probably OK.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Verified on build: 2001-09-13-0.9.4 platform: Win NT

Following tests passed:

1. http://www.nat.bg/~joro/mozilla/oversec.html
   For the above link, 2 link buttons appear. Link1 opens the about:blank window. This is the correct behavior. Link2 is for opening the about:cache window, which should not be allowed. And the window is not opened as expected. Also, an error is written in the JS console: "The link to about:cache was blocked by the security manager. Remote content may not link to local content."

2. The test script attached also works as expected. An alert dialog is opened as expected.
Status: RESOLVED → VERIFIED