On Fri, Sep 29, 2017 at 11:33:08PM -0400, Boris Zbarsky wrote:
On 9/29/17 3:32 PM, Kris Maglione wrote:
For instance, the following should all capture the caller principal for the `src` URL at call time:

   document.write(`<img src="http://example.com/favicon.ico">`);
   div.innerHTML = `<img src="http://example.com/favicon.ico">`;
   img.setAttribute("src", "http://example.com/favicon.ico");
   img.src = "http://example.com/favicon.ico";

What is the plan to do this, concretely? Changing img.src to thread through a principal is not too bad but doing it for setAttribute would be a bit of a performance annoyance, and threading them through the parser would be _quite_ annoying.

The other option is to basically use something like SubjectPrincipal(), but we're trying to remove existing uses of that, because the action-at-a-distance makes it hard to reason about its security properties.

I still haven't settled on the details, but it will probably have to involve capturing the caller principal from SetAttr hooks. Which would involve either changing that machinery to pass along a JS context when invoked by a scripted caller, or using something like SubjectPrincipal(). I'd definitely like to hear opinions on the best approach here.

The question of how to handle parser-generated nodes is tougher. Just using SubjectPrincipal() is one obvious approach, but the security characteristics of that worry me (what if the parser gets invoked by system code while some JS caller is blocked?). So I think it will probably require some sort of special activation records that we can check (and sanity check) from the attribute hooks. But I've barely begun looking into this part yet.
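An added model of the concern discussed in this thread, not Gecko code and not from either poster: it contrasts an ambient SubjectPrincipal()-style lookup with threading a principal captured at the API boundary through the attribute hook, for the case where system code invokes the parser while a content script is blocked on the stack. Every name in it (CONTENT, SYSTEM, runScript, Img, parseMarkup) is constructed for the model.

```javascript
// Constructed model, not Gecko code: an ambient SubjectPrincipal()-style lookup
// versus threading the principal captured at the API boundary through the hook.
const CONTENT = { origin: "http://example.com" };     // constructed content principal
const SYSTEM = { origin: "[System Principal]" };      // constructed system principal
// Stand-in for the JS script stack: native code called from script runs with the
// script's frame still on top, which is the "blocked JS caller" case from the thread.
const scriptStack = [];
function runScript(principal, fn) {
  scriptStack.push(principal);
  try { return fn(); } finally { scriptStack.pop(); }
}
// Ambient lookup: whoever is running script right now, else system.
function subjectPrincipal() {
  return scriptStack.length ? scriptStack[scriptStack.length - 1] : SYSTEM;
}
// Minimal <img>: the src hook records the principal the load is attributed to.
class Img {
  constructor() { this.src = null; this.triggeringPrincipal = null; }
  // Variant A: the hook asks the ambient stack (action at a distance).
  setSrcAmbient(url) { this.src = url; this.triggeringPrincipal = subjectPrincipal(); }
  // Variant B: the caller passes the principal it captured at call time.
  setSrcExplicit(url, principal) { this.src = url; this.triggeringPrincipal = principal; }
}
// Toy parser standing in for the document.write / innerHTML path; with no principal
// argument it behaves like variant A, otherwise it threads the principal (variant B).
function parseMarkup(markup, principal) {
  const m = /<img src="([^"]+)">/.exec(markup);
  if (!m) throw new Error("model parser only understands a single <img src>");
  const img = new Img();
  if (principal === undefined) img.setSrcAmbient(m[1]);
  else img.setSrcExplicit(m[1], principal);
  return img;
}
// The worrying case: content script is blocked inside a call into native system
// code, and that system code parses its own (constructed) markup.
function systemParseWhileContentBlocked(explicit) {
  const systemMarkup = '<img src="chrome://example/skin/icon.png">';
  return runScript(CONTENT, () =>
    (explicit ? parseMarkup(systemMarkup, SYSTEM) : parseMarkup(systemMarkup))
      .triggeringPrincipal.origin);
}
// The ordinary case: content script sets src itself; in variant B the binding
// captures the caller principal at entry, where the JS caller is still known.
function contentSetsSrc(explicit) {
  return runScript(CONTENT, () => {
    const img = new Img(), url = "http://example.com/favicon.ico";
    explicit ? img.setSrcExplicit(url, subjectPrincipal()) : img.setSrcAmbient(url);
    return img.triggeringPrincipal.origin;
  });
}
```

In the ambient variant the system-initiated parse is attributed to the content principal, while the explicit variant keeps the two cases apart.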
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
