On Tue, Jun 16, 2015 at 2:48 PM, Jonas Sicking <[email protected]> wrote:

> On Tue, Jun 16, 2015 at 9:08 AM, Bobby Holley <[email protected]>
> wrote:
> > Do privileged and certified apps currently have the ability to perform
> > universal XSS? Because this would give them that, certainly.
>
> The Browser API runs content in a separate cookie jar. That means that
> the browser API from a security point of view is no more capable than
> systemXHR. I.e. it's even less capable than cross-site XHR since it
> doesn't use the user's normal cookies.
>
> I.e. the Browser API is just a systemXHR API plus a really good
> implementation of a web rendering engine in JS.
>
> That effectively means that this is not universal XSS. The browser API
> can only be used to XSS things that it itself has rendered.
>

But that says nothing about multiple consumers of the browser API, right?
The origin information gives us one bit that tells us whether we're in a
browser element or not. The Browser App uses mozbrowser, and that's where
users enter all their sensitive data. With the proposed API, this sensitive
data would be vulnerable to XSS from any other app using the browser API.

At least on FFOS, it seems like the most useful cookies are inside, rather
than outside, the browser cookie jar.

One way to solve this would be to switch the inBrowser OriginAttribute from
a boolean to a nested origin. That could have other complicating
implications though.
_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform
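The cookie-jar keying this reply worries about, as an added illustration that is not code from the thread or from Gecko: a toy store partitioned by an origin-attribute key, first with inBrowser as a single bit and then with the embedding app's origin nested into the key. The key format, the app origins and the cookie values are assumptions for illustration only.

```python
from collections import defaultdict

# Constructed sample values; the Browser app origin and the second app are
# placeholders, not real Firefox OS identifiers.
SITE = "https://bank.example"
BROWSER_APP = "app://browser.example"
OTHER_APP = "app://other-app.example"


class CookieJars:
    """Cookies partitioned by a key function, mirroring the idea that each
    distinct origin + OriginAttributes combination gets its own jar."""

    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._jars = defaultdict(dict)

    def set_cookie(self, site, embedder, name, value):
        # embedder is None for top-level app content, otherwise the origin of
        # the app whose mozbrowser frame is rendering `site`.
        self._jars[self._key_fn(site, embedder)][name] = value

    def get_cookies(self, site, embedder):
        return dict(self._jars[self._key_fn(site, embedder)])


def key_boolean(site, embedder):
    """Model of the one-bit scheme: every mozbrowser consumer shares one jar."""
    return f"{site}^inBrowser={0 if embedder is None else 1}"


def key_nested(site, embedder):
    """Model of the proposed scheme: the embedder's origin is part of the key
    (assumed encoding), so each embedding app gets its own jar."""
    return site if embedder is None else f"{site}^inBrowser={embedder}"


def session_visible_to_other_app(key_fn):
    """Set a session cookie while the Browser app renders SITE, then ask what a
    different app rendering the same SITE in its own mozbrowser frame sees."""
    jars = CookieJars(key_fn)
    jars.set_cookie(SITE, BROWSER_APP, "session", "secret")
    return jars.get_cookies(SITE, OTHER_APP).get("session")


if __name__ == "__main__":
    print("boolean inBrowser:", session_visible_to_other_app(key_boolean))
    print("nested origin:   ", session_visible_to_other_app(key_nested))
```

Under the boolean key the second app reads the Browser app's session cookie; under the nested key it sees an empty jar, which is the separation the reply asks for.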