[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #2874 [Firefox Patch Issues]: Block access to Components.interfaces from content script
#2874: Block access to Components.interfaces from content script
-------------------------------------+-------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: enhancement | Status: reopened
Priority: normal | Milestone:
Component: Firefox Patch | Version:
Issues | Keywords:
Resolution: | MikePerryIterationFires20110529,
Actual Points: 1 | backport-to-mozilla
Points: 4 | Parent ID:
-------------------------------------+-------------------------------------
Comment (by arthuredelstein):
In [https://bugzilla.mozilla.org/show_bug.cgi?id=790732 Mozilla bug
790732], Components.interfaces was converted to a "lazily-resolved shim".
I was able to confirm that this shim code in ESR31 exactly matches the
Components.interfaces object I observed in my demo in comment:11:
[[Image(Screen%20Shot%202014-08-09%20at%2012.08.15%20AM.png)]]
Moreover, a [https://bugzilla.mozilla.org/show_bug.cgi?id=429070#c37
comment] points out that the fix of 790732 resolved 429070 ("exposing
Components.interfaces to untrusted content leaks information about
installed extensions") because "...we only shim interfaces that expose DOM
constants (see kInterfaceShimMap in nsDOMClassInfo.cpp), which is the same
for everyone."
So assuming that's correct, I think we don't need to port this patch to
ESR31. There is still the question of how to block Components.interfaces
for the ESR24 branch of TB.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2874#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs