Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(26)
Issues Repositories Search
Open Issues | Closed Issues | All Issues | Sign in with your Google Account to create issues and add comments

Issue 9667044: document.body should return null if no documentElement, and have a setter. (Closed)

Can't Edit
Can't Publish+Mail
Start Review
Created:
12 years, 9 months ago by kpreid2
Modified:
12 years, 9 months ago
Reviewers:
ihab.awad
CC:
google-caja-discuss_googlegroups.com
Base URL:
http://google-caja.googlecode.com/svn/trunk/
Visibility:
Public.

Description

Fixes <https://code.google.com/p/google-caja/issues/detail?id=1722>. @r5418

Patch Set 1 #

Total comments: 4
Unified diffs Side-by-side diffs Delta from patch set Stats (+69 lines, -9 lines) Patch
M src/com/google/caja/plugin/domado.js View 1 chunk +54 lines, -8 lines 4 comments Download
M tests/com/google/caja/plugin/es53-test-domado-global.js View 1 chunk +15 lines, -1 line 0 comments Download

Messages

Total messages: 3
kpreid2
12 years, 9 months ago (2013-05-22 19:12:55 UTC) #1
ihab.awad
lgtm https://codereview.appspot.com/9667044/diff/1/src/com/google/caja/plugin/domado.js File src/com/google/caja/plugin/domado.js (right): https://codereview.appspot.com/9667044/diff/1/src/com/google/caja/plugin/domado.js#newcode5755 src/com/google/caja/plugin/domado.js:5755: // TODO(kpreid): should be internal .documentElement getter only ...
12 years, 9 months ago (2013-05-22 20:44:12 UTC) #2
kpreid2
12 years, 9 months ago (2013-05-22 20:53:35 UTC) #3 
https://codereview.appspot.com/9667044/diff/1/src/com/google/caja/plugin/doma...
File src/com/google/caja/plugin/domado.js (right):

https://codereview.appspot.com/9667044/diff/1/src/com/google/caja/plugin/doma...
src/com/google/caja/plugin/domado.js:5755: // TODO(kpreid): should be internal
.documentElement getter only
On 2013/05/22 20:44:12, ihab.awad wrote:
> Not sure what the TODO means....

// guest code
Object.defineProperty(document, 'documentElement', {value: someOtherElement});
document.body; // reads above prop, not Domado's definition of documentElement

This is a non-conformance and a way for the guest to shoot itself in the foot,
but not a strong security problem. There are other cases where something like
this might be actually relevant to Domado invariants, so I think it's worth
eventually having a general solution to the problem and this is a place where it
would be used.

https://codereview.appspot.com/9667044/diff/1/src/com/google/caja/plugin/doma...
src/com/google/caja/plugin/domado.js:5756: var htmlEl = this.documentElement;
On 2013/05/22 20:44:12, ihab.awad wrote:
> I assume this is working on the *tame* side, so htmlEl is in general (pending
> the "take over the frame" refactoring) a <caja-v-html>, and its child with
> nodeName of BODY is a <caja-v-body>, right?

Yes, this is deliberately written to be strictly in terms of the tame view of
the DOM, so that it is irrelevant to integrity-of-the-sandbox analysis.

Hm. It hadn't crossed my mind that such things as .nextSibling are also
potentially overridable by the guest, so in principle there should be a lot more
TODOs like the one above. (Still no security issue, by the previous paragraph's
argument.)
Sign in to reply to this message.

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld f62528b