David Hyatt wrote:
> 
> So now that I think about it, you can't blindly use the CSS file's
> principal.  Maybe a model where you use the *least* privileged of the
> CSS principal and the XBL document's principal?  That way trusted CSS
> pointing to untrusted XBL would result in untrusted XBL, but trusted CSS
> pointing to trusted XBL would result in trusted XBL, even when bound to
> an untrusted document.  (Whew!)

Actually, this wouldn't work either, if the CSSOM can be exploited as
you describe: that way all they have to do is add a binding to your
chrome://foo/usefulFileUtilities.xbl (from the exploit in your first
response) and they have local disk access.

Seems like the only solutions to this one are either:

1) Forbid use of the CSSOM on stylesheets more privileged than you are.
2) Give rules added to stylesheets by CSSOM the security principal of
the script adding them.
3) Forbid linkage to CSS files more privileged than yourself, except as
done implicitly by Mozilla (to html.css for example).

I think that the first of these might actually be the simplest...

Stuart.
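The exchange above can be made concrete with a small model of principals and stylesheets. This is an added illustration, not Mozilla code and not anything either poster wrote: it ranks two hypothetical principals ("chrome" and "content"), lets a script insert a rule into a stylesheet through a CSSOM-like call, and then computes the principal a binding would run with under two models: the "least privileged of CSS principal and XBL principal" model from the quoted message, and option 2 from the reply, where a rule inserted via CSSOM additionally carries the principal of the script that added it. The chrome:// paths, the `RANK` table and all function names are assumptions made for the example.

```javascript
// Added illustration (not Mozilla code): a toy model of the principal
// problem discussed in the thread. Higher rank = more privileged.
// Assumed principals: "chrome" (application) and "content" (web origin).
const RANK = { chrome: 2, content: 1 };

// Least-privileged of two principals (the rule proposed in the quoted message).
function leastPrivileged(a, b) {
  return RANK[a] <= RANK[b] ? a : b;
}

// A stylesheet carries its own principal plus a rule list. Each rule records
// who added it; rules parsed from the file itself get the sheet's principal.
function makeSheet(principal, rules) {
  return {
    principal,
    rules: rules.map(r => ({ ...r, addedBy: principal })),
  };
}

// CSSOM-style insertion by a script: the new rule records the script's principal
// (this is what option 2 in the reply asks for).
function insertRule(sheet, rule, scriptPrincipal) {
  const tagged = { ...rule, addedBy: scriptPrincipal };
  sheet.rules.push(tagged);
  return tagged;
}

// Principal an XBL binding would run with for a given rule.
//   "least-of-css-and-xbl": least of sheet principal and XBL document principal
//                           (the model from the quoted message).
//   "least-of-rule-and-xbl": additionally folds in who added the rule (option 2).
function bindingPrincipal(sheet, rule, xblPrincipal, model) {
  const base = leastPrivileged(sheet.principal, xblPrincipal);
  if (model === 'least-of-css-and-xbl') return base;
  if (model === 'least-of-rule-and-xbl') return leastPrivileged(base, rule.addedBy);
  throw new Error(`unknown model: ${model}`);
}

// The scenario from the reply: a content script reaches a trusted (chrome)
// stylesheet through the CSSOM and adds a rule that binds to a chrome XBL file.
function scenario(model) {
  // Trusted stylesheet shipped with the application (constructed sample).
  const sheet = makeSheet('chrome', [
    { selector: 'toolbar', binding: 'chrome://foo/toolbar.xbl' },
  ]);
  // Rule added by a content-principal script; path taken from the thread.
  const injected = insertRule(
    sheet,
    { selector: 'div', binding: 'chrome://foo/usefulFileUtilities.xbl' },
    'content'
  );
  // The bound XBL document is itself chrome, since it loads from chrome://.
  return bindingPrincipal(sheet, injected, 'chrome', model);
}

// Under the first model a content script ends up with a chrome binding;
// under option 2 the injected rule is capped at the script's own principal.
console.log(scenario('least-of-css-and-xbl'));   // "chrome"
console.log(scenario('least-of-rule-and-xbl'));  // "content"
```

The model only tracks the three inputs the thread names (stylesheet principal, XBL document principal, and the principal of the script that inserted the rule); option 1 from the reply would correspond to `insertRule` rejecting the call outright when `RANK[scriptPrincipal] < RANK[sheet.principal]`.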
