Firefox3/QuerySelector Security Review
This feature allows websites to get a static NodeList containing Element nodes that match a given CSS selector, with the option of only getting Elements that are descendants of a given Node.
- Background links
Security and Privacy
- The code assumes that selector parsing in general can deal with arbitrary byte sequences being input. The main attack point being introduced are a new way to call into selector parsing and matching, and in particular a way to perform selector matching on elements whose current document has no presentation.
- The code exports the querySelector and querySelectorAll APIs as defined in the specification, except without allowing namespace resolution.
- The code reuses the existing selector-parsing code to parse the selector string, with a minor tweak to allow EOF to correctly terminate the selector.
- The code outputs a thin wrapper implementing nsINodeList around an nsCOMArray containing pointers to the matching Elements.
Reliability and configuration
- There is no user interaction or configuration involved, nor any developer configuration.
- adapt CSS fuzzing code to beat on the new APIs. Be sure to call on random subdocument trees and DOM trees without a docshell such as XHR responses.