[Bug 26322] Definitions "algorithm" and "usages" properties of CryptoKey make no sense

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26322

--- Comment #34 from Boris Zbarsky <bzbarsky@mit.edu> ---
> I'm definitely concerned here to understand what "security bugs" you see?

In our case, Firefox extensions touching these objects would end up seeing
page-modified values, which is likely to be a problem.

> there is a 'canonical' internal slot that contains the true value

Yes, but the canonical getter doesn't actually return that value, after the
first time it's called.

The security proxies in Gecko that are used by extensions ensure that when
getting a property on a Web IDL object the canonical getter is invoked.  This
guarantees that the correct thing is returned in cases when the getter just
returns the value of an internal slot (as it does with DOM nodes, say).  In the
case of CryptoKey this will mean invoking the canonical getter, which then
returns the value it has cached, which is an array that it has potentially
handed out to untrusted script before and that the untrusted script may have
modified.

> and follows all the normal "You can mess with this object in weird
> ways if you're weird" 

You can mess with it in ways in which you can't mess with Web IDL objects,
because the array itself does not have internal state.

> Yes, it means that an object may 'lie' to an user

Yes, and if the "user" is a privileged browser extension that constitutes a
security bug.

> However, an object can be made to lie many ways (Prototypes being the
> canonical way

Our security wrappers ensure that the canonical prototype chain is walked.

> but WebRTC at least is an example of a similar problem

Where, exactly?  I see nothing along these lines in the WebRTC IDL.

> and the sequence situation with CSP(3?) seems similar

You mean CSP 2?  The IDL for that was just proposed; no one implements it yet. 
It's explicitly punting on the arraylike bits for now until they can be sorted
out.

In fact, the only case in which I see something similar in Gecko is the Gamepad
API, but we return frozen arrays there.

In any case, us freezing the array is likely temporary until
https://bugzilla.mozilla.org/show_bug.cgi?id=946906 is fixed.  Just thought
you'd want a heads-up that we plan to do it at least until then...


Received on Saturday, 8 November 2014 03:33:37 UTC
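As an added illustration, not part of the bug thread and not Gecko or spec code, the following JavaScript models the getter behaviour the comment above describes: a `usages` getter that caches the array it hands out, a privileged reader that, like the Gecko security wrappers mentioned, always invokes the canonical getter from the prototype rather than trusting the instance, and untrusted page script that both mutates the array it received and shadows the property with an own data property. The class names, symbols and helper functions (`CachedCryptoKey`, `FrozenCryptoKey`, `privilegedReadUsages`, `untrustedTamper`, `scenario`) are invented for this model.

```javascript
"use strict";

// Toy model (added example, not Gecko or spec code) of the CryptoKey getter
// behaviour discussed in the thread: an internal slot holds the true value,
// but a getter that caches and re-returns one mutable array lets page script
// poison what a later canonical getter call returns.

const USAGES_SLOT = Symbol("[[usages]]");   // canonical internal slot
const USAGES_CACHE = Symbol("cachedArray"); // the array last handed out

// Getter that creates the array once and returns the same object thereafter.
class CachedCryptoKey {
  constructor(usages) {
    this[USAGES_SLOT] = usages.slice();
    this[USAGES_CACHE] = null;
  }
  get usages() {
    if (this[USAGES_CACHE] === null) {
      this[USAGES_CACHE] = this[USAGES_SLOT].slice();
    }
    return this[USAGES_CACHE]; // same mutable array on every call
  }
}

// Same caching, but the cached array is frozen (the interim approach the
// comment says Gecko plans to take).
class FrozenCryptoKey {
  constructor(usages) {
    this[USAGES_SLOT] = usages.slice();
    this[USAGES_CACHE] = null;
  }
  get usages() {
    if (this[USAGES_CACHE] === null) {
      this[USAGES_CACHE] = Object.freeze(this[USAGES_SLOT].slice());
    }
    return this[USAGES_CACHE];
  }
}

// Privileged consumer (hypothetical stand-in for a security wrapper): it
// ignores own properties on the instance and invokes the canonical getter
// from the class prototype, so an own-property shadow does not fool it.
function privilegedReadUsages(key, KeyClass) {
  const desc = Object.getOwnPropertyDescriptor(KeyClass.prototype, "usages");
  return desc.get.call(key);
}

// Untrusted page script: mutate the array it was handed, then also shadow
// the property on the instance with an own data property.
function untrustedTamper(key) {
  const arr = key.usages;
  try {
    arr.push("decrypt");
    arr[0] = "wrapKey";
  } catch (e) {
    // Frozen array: Array.prototype.push throws a TypeError, so the element
    // assignment is never reached.
  }
  Object.defineProperty(key, "usages", { value: ["decrypt"], configurable: true });
}

// Run the tampering against a key of the given class and report what the
// privileged reader sees afterwards versus plain property access.
function scenario(KeyClass) {
  const key = new KeyClass(["sign", "verify"]);
  untrustedTamper(key);
  const privileged = privilegedReadUsages(key, KeyClass);
  return {
    privileged,                        // what the canonical getter returns now
    plain: key.usages,                 // what page-level access returns
    frozen: Object.isFrozen(privileged),
  };
}

console.log(scenario(CachedCryptoKey)); // privileged array was modified by the page
console.log(scenario(FrozenCryptoKey)); // privileged array still matches the slot
```

With the cached mutable array, the canonical getter reports the page's edits to a privileged caller, which is the "object lies to the user" case; freezing stops in-place mutation, while the own-property shadow is defeated only because the privileged reader walks the canonical prototype instead of reading `key.usages` directly.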