Firefox3/QuerySelector Security Review

From MozillaWiki

Overview

This feature allows websites to get a static NodeList containing Element nodes that match a given CSS selector, with the option of only getting Elements that are descendants of a given Node.

Background links

Security and Privacy

  • The code assumes that selector parsing in general can deal with arbitrary byte sequences as input. The main attack points being introduced are a new way to call into selector parsing and matching, and in particular a way to perform selector matching on elements whose current document has no presentation.

Exported APIs

  • The code exports the querySelector and querySelectorAll APIs as defined in the specification, except without allowing namespace resolution.

Data

  • The code reuses the existing selector-parsing code to parse the selector string, with a minor tweak to allow EOF to correctly terminate the selector.
  • The code outputs a thin wrapper implementing nsINodeList around an nsCOMArray containing pointers to the matching Elements.

Reliability and configuration

  • There is no user interaction or configuration involved, nor any developer configuration.

Review Comments

  • Adapt CSS fuzzing code to beat on the new APIs. Be sure to call on random subdocument trees and DOM trees without a docshell, such as XHR responses.
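As an added illustration of the review comment above (not Mozilla's fuzzing code and not part of the original page), a small robustness harness that takes any object exposing querySelectorAll, including a DOMParser or XHR responseXML document that has no presentation, and reports how each selector behaves; the selector corpus and the helper names are constructed for this example.

```javascript
// Added example: a robustness harness for querySelector/querySelectorAll.
// Contract checked: every selector string must either yield a NodeList or
// throw a SyntaxError DOMException. Any other exception, or a result without
// a numeric length, is recorded as a failure worth reporting.

// Constructed corpus: valid selectors, ones the parser must reject cleanly
// (including EOF-terminated fragments), and odd code points.
const SELECTOR_CORPUS = [
  "div", "p > span", "[data-x]", ":not(.a)",   // valid
  "", "div >", "[", "::", "div:",               // truncated / EOF handling
  "\u0000", "\uFFFF", "a\u2028b", "\\",          // odd code points, stray escape
  "div".repeat(5000),                           // long but valid
];

function classify(root, selector) {
  try {
    const list = root.querySelectorAll(selector);
    // A NodeList (static, per the overview) always has a numeric length.
    if (typeof list.length !== "number") return "bad-result";
    return "ok";
  } catch (e) {
    return e && e.name === "SyntaxError" ? "syntax-error" : "unexpected-error";
  }
}

// Runs the corpus against one root and tallies the outcomes.
function probeSelectors(root, selectors = SELECTOR_CORPUS) {
  const tally = { ok: 0, "syntax-error": 0, "unexpected-error": 0, "bad-result": 0, failures: [] };
  for (const s of selectors) {
    const outcome = classify(root, s);
    tally[outcome]++;
    if (outcome !== "ok" && outcome !== "syntax-error") tally.failures.push(s);
  }
  return tally;
}

// Checks the static-NodeList property from the overview: mutating the tree
// after the query must not change the list that was already returned.
function isStaticResult(root, selector, mutate) {
  const list = root.querySelectorAll(selector);
  const before = list.length;
  mutate();
  return list.length === before;
}

// Browser-only driver: a DOMParser document has no docshell or presentation,
// which is the case the review asks to exercise. Skipped outside a browser.
if (typeof DOMParser !== "undefined") {
  const doc = new DOMParser().parseFromString("<div><p><span></span></p></div>", "text/html");
  console.log(probeSelectors(doc));
  console.log(isStaticResult(doc, "span", () => doc.body.appendChild(doc.createElement("span"))));
}
```

The same functions can be pointed at subdocument trees (an iframe's contentDocument) or an XMLHttpRequest responseXML document to cover the other roots the review comment lists.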