The obvious drawback of (3) below is that remote XUL couldn't use the 
current installed skin.

dave

Stuart Ballard wrote:

> David Hyatt wrote:
> 
>>So now that I think about it, you can't blindly use the CSS file's
>>principal.  Maybe a model where you use the *least* privileged of the
>>CSS principal and the XBL document's principal?  That way trusted CSS
>>pointing to untrusted XBL would result in untrusted XBL, but trusted CSS
>>pointing to trusted XBL would result in trusted XBL, even when bound to
>>an untrusted document.  (Whew!)
>>
> 
> Actually, this wouldn't work either, if the CSSOM can be exploited as
> you describe: that way all they have to do is add a binding to your
> chrome://foo/usefulFileUtilities.xbl (from the exploit in your first
> response) and they have local disk access.
> 
> Seems like the only solutions to this one are either:
> 
> 1) Forbid use of the CSSOM on stylesheets more privileged than you are.
> 2) Give rules added to stylesheets by CSSOM the security principal of
> the script adding them.
> 3) Forbid linkage to CSS files more privileged than yourself, except as
> done implicitly by mozilla (to html.css for example).
> 
> I think that the first of these might actually be the simplest...
> 
> Stuart.
> 
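
The trade-offs discussed in this thread can be modelled in a few lines. This is an added example, not code from the thread's participants or from Mozilla. The two-level principal, the StyleSheet class, the policy names and the chrome://example/ skin URL are assumptions made for illustration; only chrome://foo/usefulFileUtilities.xbl comes from the thread.

```javascript
// Toy model of the principal rules discussed in the thread (not Mozilla code).
const UNTRUSTED = 0, CHROME = 1; // higher number = more privileged

// Hypothetical helper: only chrome:// URLs are treated as trusted.
const principalOf = (url) => (url.startsWith("chrome://") ? CHROME : UNTRUSTED);

class StyleSheet {
  constructor(url) {
    this.url = url;
    this.principal = principalOf(url);
    this.rules = [];
  }
  // Models a CSSOM rule insertion by a script running with principal `caller`.
  // policy: "none" (no check), "forbid" (option 1), "tag" (option 2).
  addBindingRule(bindingUrl, caller, policy) {
    if (policy === "forbid" && caller < this.principal) {
      throw new Error("CSSOM denied: sheet is more privileged than caller");
    }
    // Option 2: the rule carries the principal of the script that added it.
    const principal = policy === "tag" ? caller : this.principal;
    this.rules.push({ bindingUrl, principal });
  }
}

// The "least privileged of the CSS principal and the XBL document's principal".
const bindingPrincipal = (rule) =>
  Math.min(rule.principal, principalOf(rule.bindingUrl));

// Option 3: a document may not link a more privileged sheet unless the
// browser links it implicitly (as with html.css).
const canLink = (docPrincipal, sheet, implicit = false) =>
  implicit || sheet.principal <= docPrincipal;

// Untrusted script adds a rule to a trusted sheet pointing at trusted XBL.
function remoteScriptAddsRule(policy) {
  const skin = new StyleSheet("chrome://example/skin/example.css"); // constructed
  try {
    skin.addBindingRule("chrome://foo/usefulFileUtilities.xbl", UNTRUSTED, policy);
  } catch (e) {
    return "blocked";
  }
  return bindingPrincipal(skin.rules[0]) === CHROME ? "chrome" : "untrusted";
}

for (const p of ["none", "forbid", "tag"]) console.log(p, "->", remoteScriptAddsRule(p));
```

With no check the binding ends up with the chrome principal, which is the hole described in the quoted reply; options 1 and 2 both close it, and canLink shows why option 3 keeps remote XUL from linking the installed skin.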

