NAVIGATION
CATEGORIES
REFERRENCE
LINKS
Protected scripts, trusted windows: the problem
5 answers - 1962 bytes -
Right, so we all know what protected scripts, trusted windows and
trusted objects are [1].
All I want to do here is outline a problem with the model, I haven't
thought about ways to solve it (or whether anyone else will care - they
often don't).
- Everyone loves extensions [2].
- Everyone loves tabs.
- Everyone tries to load everything into a tab.
- Tabs, and the browser view, are (of course) untrusted.
This means you invariably get an (extension's window) untrusted window
loaded with its own code protected. I have been lead to believe that
code loaded 'for' a window automatically has access to its 'owner'
window, or this case would already have fallen over.
The problem is when the window has its own sub-content. Then you get:
+- browser Trusted window + Protected code
+- tab Untrusted window + Protected code
+- sub-content Untrusted window
The code loaded into the tab can't access its own sub-content without
getting attacked by the security manager and XPCNativeWrappers.
Now, the real gotcha here is that the sub-content has been specifically
flagged by the outer window as content it trusts. (What's going on, of
course, is that the browser does NT trust said sub-content.)
I suppose the problem can be thought of in two separate ways:
- The protect code should not be protected, as it is already in an
untrusted place. ( course, not protecting it and at the same time
giving it chrome permissions isn't so nice.)
- The protected code should be allowed access to the sub-content
because it is a child of the code's "own" window and is flagged trusted
in that window.
Would it make sense to have a "trust tree" kinda thing, where the page
in the tab can properly trust itself and its sub-content, but have
neither trusted by the browser?
/discussNo.1 | | 1851 bytes |
| 
James Ross wrote:
- Tabs, and the browser view, are (of course) untrusted.
If the issue is that extensions want to open trusted tabs, then we should
consider fixing that issue I see no reason for the "of course" here.
issue you don't mention but which has been talked about in the past is that
loading trusted content in an untrusted window has some inherent insecurities;
there's been some push to simply disallow that (strip privileges from trusted
content loaded in an untrusted window).
I have been lead to believe that
code loaded 'for' a window automatically has access to its 'owner'
That's correct; this is actually meant as a performance optimization, but in
this case unfortunately affects the behavior. :( Again, the solution, imo, is
to make sure that chrome code is only loaded in a ChromeWindow.
- The protect code should not be protected, as it is already in an
untrusted place. ( course, not protecting it and at the same time
giving it chrome permissions isn't so nice.)
Right. Hence the proposal to strip its chrome permissions
- The protected code should be allowed access to the sub-content
because it is a child of the code's "own" window and is flagged trusted
in that window.
Unfortunately, there is no concept of "trusted in that window". :(
Would it make sense to have a "trust tree" kinda thing, where the page
in the tab can properly trust itself and its sub-content, but have
neither trusted by the browser?
Possibly, but I still think it would be easier to just always load chrome code
in trusted windows and strip privileges when it's loaded in untrusted ones.
-Boris
dev-security mailing list
dev-security (AT) lists (DOT) mozilla.orgNo.2 | | 675 bytes |
| Boris Zbarsky wrote:
James Ross wrote:
>Would it make sense to have a "trust tree" kinda thing, where the page
>in the tab can properly trust itself and its sub-content, but have
>neither trusted by the browser?
Possibly, but I still think it would be easier to just always load
chrome code in trusted windows and strip privileges when it's loaded in
untrusted ones.
If it can be made so that any browser tab with a chrome URI loaded is
not marked as content (or otherwise considered trusted), that might be
enough, but I know perfectly well that the bug relating to that has been
dead for agesNo.3 | | 1111 bytes |
| James Ross wrote:
>Possibly, but I still think it would be easier to just always load
>chrome code in trusted windows and strip privileges when it's loaded
>in untrusted ones.
If it can be made so that any browser tab with a chrome URI loaded is
not marked as content (or otherwise considered trusted)
A tab's content-ness or not is immutable. My point is that there should be a
tabbrowser API to create a "chrome" tab and load stuff in it if people really
want to load chrome in tabs. Then when chatzilla wants to load a chrome URI in
a tab it would use said API -- a new tab would be created, and chatzilla's stuff
loaded in it.
This would mean you wouldn't intermix chrome and non-chrome stuff in session
history for a single tab, but that seems like a feature to me from a security
standpoint.
but I know perfectly well that the bug relating to that has been
dead for ages
Which bug is this?
dev-security mailing list
dev-security (AT) lists (DOT) mozilla.orgNo.4 | | 435 bytes |
| Boris Zbarsky wrote:
James Ross wrote:
>but I know perfectly well that the bug relating to that has been
>dead for ages
Which bug is this?
Bug 286651, specifically comments 3 through 5.
Also, from my point of view, I do *not* want to open anything in a tab
myself, the users' do. That means they will enter a chrome URI and that
is what needs to work in my book.No.5 | | 678 bytes |
| James Ross wrote:
Also, from my point of view, I do *not* want to open anything in a tab
myself, the users' do. That means they will enter a chrome URI and that
is what needs to work in my book.
Imo if a chrome URI is typed in the URL bar, tabbrowser should open a new chrome
tab and load that URI in that tab. Attempts to load any other URI in that tab
should close the tab, create a new tab (content or chrome), and load the URI in
that.
If we do that, we can happily fix bug 286651 without breaking about:config and
so forth.
-Boris
dev-security mailing list
dev-security (AT) lists (DOT) mozilla.org
QUESTION ON "Mozilla"
- XPCOM Componnent in Java and JavaScript
- Indeterminism in MathML layout
- Disabling Xt while building firefox on GTK with DirectFB backend
- Using forms in embedded browser
- node-set()
- Building firefox-1.5.0.3 with GTKDFB
- Where to put automated tests and testing tools
- Dom with Rendering info for HTML pages
- problem of web service js client using WebServiceProxyFactory
- FAC-based custom fields for 2.22?
- BZ 2.18.5 Changing Password with LDAP
- Stopping and disabling scripts on an nsDocument
- Where to put automated tests and testing tools
- automated optical regression tests
- To SSL-client-auth or not to SSL-client-auth,that is the question(?)
- native scrollbars on mac
- Firefox Differentiation
- Possible NAT oddity
- Running code when the JS stack frame is popped
- regression testing