Adrienne Felt wrote:
> How does this privilege checking work? Where is it being done?
Basically, any script that's running has an object that identifies its origin.
All objects have an associated origin. When an access check is performed, you
compare the origins.
The issues from your point of view:
1) Object origins are tied to the Window object (all objects in a
window have the same origin).
2) Security checks don't happen on all object accesses. In fact,
we're trying to remove as many checks on access as possible.
Right now, you'll get a check when doing an access to an
XPConnect-implemented property (see the CheckAccess calls in
various places in XPConnect), but we want to eliminate those.
There are still security checks on known cross-origin access,
and on all access to objects that can be held across origins
(e.g. Windows), but the current goal is to have very few
security check points, just enough to enforce the "everything
in a window has the same origin" policy. In particular, access
to random JS properties all within a window is NOT security-checked
as things stand.
3) There are various other security checks scattered all over:
see the various nsIScriptSecurityManager and
nsIXPCSecurityManager callsites.
I think Brendan had some ideas based on tainting to make something like your
approach work....
-Boris
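As an added illustration (not Boris's code and not Gecko's), here is a small Python model of the policy he describes: every object takes its origin from its Window, Windows can be held across origins and so are the check point, and ordinary property access within a window is not checked. The class and function names are invented for the model.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Origin:
    """What the access check compares: scheme, host and port."""
    scheme: str
    host: str
    port: int

    @classmethod
    def from_url(cls, url: str) -> "Origin":
        parts = urlsplit(url)
        return cls(parts.scheme, parts.hostname,
                   parts.port or DEFAULT_PORTS[parts.scheme])


@dataclass
class Window:
    """A Window carries the origin; it can be reached from other origins."""
    origin: Origin
    props: dict = field(default_factory=dict)


@dataclass
class ScriptObject:
    """An ordinary JS object: no origin of its own, only its window's."""
    window: Window
    props: dict = field(default_factory=dict)

    @property
    def origin(self) -> Origin:
        return self.window.origin


def can_access(subject: Origin, target: Window) -> bool:
    """The security check point: compare the caller's origin with the target's."""
    return subject == target.origin


def read_window_property(subject: Origin, win: Window, name: str):
    # Checked: a Window may be held across origins, so compare origins first.
    if not can_access(subject, win):
        raise PermissionError(f"{subject} may not access {win.origin}")
    return win.props[name]


def read_object_property(obj: ScriptObject, name: str):
    # Unchecked: the object lives inside one window, whose origin it shares.
    return obj.props[name]
```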
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security