Fixing bug 380418. Prevent XMLHttpRequest from reading HTTPOnly cookies. r+sr=jonas@sicking.cc, a=b2 blocker

2024-09-13 09:24:08 -07:00 · 2008-11-13 18:18:01 -08:00 · 2008-11-13 18:18:01 -08:00 · 3da6f6083b
commit 3da6f6083b
parent 3891561ee3
4 changed files with 81 additions and 4 deletions
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@ -1560,6 +1560,17 @@ nsXMLHttpRequest::GetResponseHeader(const nsACString& header,
  nsresult rv = NS_OK;
  _retval.Truncate();

+  // See bug #380418. Hide "Set-Cookie" headers from non-chrome scripts.
+  PRBool chrome = PR_FALSE; // default to false in case IsCapabilityEnabled fails
+  IsCapabilityEnabled("UniversalXPConnect", &chrome);
+  if (!chrome &&
+       (header.LowerCaseEqualsASCII("set-cookie") ||
+        header.LowerCaseEqualsASCII("set-cookie2"))) {
+    NS_WARNING("blocked access to response header");
+    _retval.SetIsVoid(PR_TRUE);
+    return NS_OK;
+  }
+
  // Check for dangerous headers
  if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
    
@ -3343,10 +3354,19 @@ NS_IMPL_ISUPPORTS1(nsXMLHttpRequest::nsHeaderVisitor, nsIHttpHeaderVisitor)
 NS_IMETHODIMP nsXMLHttpRequest::
 nsHeaderVisitor::VisitHeader(const nsACString &header, const nsACString &value)
 {
-    mHeaders.Append(header);
-    mHeaders.Append(": ");
-    mHeaders.Append(value);
-    mHeaders.Append('\n');
+    // See bug #380418. Hide "Set-Cookie" headers from non-chrome scripts.
+    PRBool chrome = PR_FALSE; // default to false in case IsCapabilityEnabled fails
+    IsCapabilityEnabled("UniversalXPConnect", &chrome);
+    if (!chrome &&
+         (header.LowerCaseEqualsASCII("set-cookie") ||
+          header.LowerCaseEqualsASCII("set-cookie2"))) {
+        NS_WARNING("blocked access to response header");
+    } else {
+        mHeaders.Append(header);
+        mHeaders.Append(": ");
+        mHeaders.Append(value);
+        mHeaders.Append('\n');
+    }
    return NS_OK;
 }

--- a/content/base/test/Makefile.in
+++ b/content/base/test/Makefile.in
@ -258,6 +258,8 @@ _TEST_FILES = 	test_bug5141.html \
 		bug461735-redirect2.sjs \
 		bug461735-post-redirect.js \
 		test_bug461735.html \
+		test_bug380418.html \
+		test_bug380418.html^headers^ \
 		$(NULL)

 # Disabled for now. Mochitest isn't reliable enough for these.
--- a/content/base/test/test_bug380418.html
+++ b/content/base/test/test_bug380418.html
@ -0,0 +1,51 @@
+<!DOCTYPE HTML>
+<html>
+<!-- https://bugzilla.mozilla.org/show_bug.cgi?id=380418 -->
+<head>
+  <title>Test for Bug 380418</title>
+  <script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>        
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=380418">Mozilla Bug 380418</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+  
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+	SimpleTest.waitForExplicitFinish();
+	
+	var request = new XMLHttpRequest();
+	request.open("GET", window.location.href, false);
+	request.send(null);
+	
+	// Try reading headers in privileged context
+	netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect UniversalBrowserRead");
+	is(request.getResponseHeader("Set-Cookie"), "test", "Reading Set-Cookie response header in privileged context");
+	is(request.getResponseHeader("Set-Cookie2"), "test2", "Reading Set-Cookie2 response header in privileged context");
+	is(request.getResponseHeader("X-Dummy"), "test", "Reading X-Dummy response header in privileged context");
+	
+	ok(/\bSet-Cookie:/i.test(request.getAllResponseHeaders()), "Looking for Set-Cookie in all response headers in privileged context");
+	ok(/\bSet-Cookie2:/i.test(request.getAllResponseHeaders()), "Looking for Set-Cookie2 in all response headers in privileged context");
+	ok(/\bX-Dummy:/i.test(request.getAllResponseHeaders()), "Looking for X-Dummy in all response headers in privileged context");
+	
+	// Try reading headers in unprivileged context
+	setTimeout(function() {
+	  is(request.getResponseHeader("Set-Cookie"), null, "Reading Set-Cookie response header in unprivileged context");
+	  is(request.getResponseHeader("Set-Cookie2"), null, "Reading Set-Cookie2 response header in unprivileged context");
+	  is(request.getResponseHeader("X-Dummy"), "test", "Reading X-Dummy response header in unprivileged context");
+	  
+	  ok(!/\bSet-Cookie:/i.test(request.getAllResponseHeaders()), "Looking for Set-Cookie in all response headers in unprivileged context");
+	  ok(!/\bSet-Cookie2:/i.test(request.getAllResponseHeaders()), "Looking for Set-Cookie2 in all response headers in unprivileged context");
+	  ok(/\bX-Dummy:/i.test(request.getAllResponseHeaders()), "Looking for X-Dummy in all response headers in unprivileged context");
+	
+	  SimpleTest.finish();
+	}, 0);
+
+</script>
+</pre>
+</body>
+</html>
--- a/content/base/test/test_bug380418.html^headers^
+++ b/content/base/test/test_bug380418.html^headers^
@ -0,0 +1,4 @@
+Set-Cookie: test
+Set-Cookie2: test2
+X-Dummy: test
+Cache-Control: max-age=0