Firefox3/QuerySelector Security Review

From MozillaWiki

Overview

This feature allows websites to obtain a static (non-live) NodeList of the Element nodes that match a given CSS selector, with the option of restricting the result to Elements that are descendants of a given Node.

Background links

Security and Privacy

  • The code assumes that the selector parser can already cope with arbitrary byte sequences as input. The main new attack surface is a new way to call into selector parsing and matching, and in particular a way to perform selector matching on elements whose current document has no presentation (for example a document obtained from an XMLHttpRequest response).

Exported APIs

  • The code exports the querySelector and querySelectorAll APIs as defined in the specification, but without support for namespace resolution.

Data

  • The code reuses the existing selector-parsing code to parse the selector string, with a minor tweak so that end of input correctly terminates the selector.
  • The code outputs a thin wrapper implementing nsINodeList around an nsCOMArray containing pointers to the matching Elements.

Reliability and configuration

  • There is no user interaction or configuration involved, nor any developer configuration.

Review Comments

  • Adapt CSS fuzzing code to beat on the new APIs. Be sure to call it on random subdocument trees and on DOM trees without a docshell, such as XHR responses.
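As an added example (not code from this wiki page, from Mozilla's CSS fuzzers, or from the querySelector implementation itself), the following is a small seeded selector fuzzer along the lines of the review comment above. It generates selectors from a pool of awkward tokens (trailing combinators, unterminated strings and brackets, NUL and non-ASCII characters, namespace syntax that this implementation does not resolve), runs them through both querySelector and querySelectorAll against the page document, any same-origin subdocuments, a DOMParser-built XML document and a detached DocumentFragment (trees with no presentation), and checks two things: malformed input produces only a SyntaxError DOMException and never another exception type, and querySelector agrees with the first entry of querySelectorAll. The resultIsStatic helper checks the Overview's claim that the returned NodeList is a snapshot. Names such as TOKENS, exercise and collectRoots are this example's own. An XMLHttpRequest responseXML document can be pushed onto the root list once a request completes; that is left out so the script runs offline. The generator and classifier are plain functions, so they can also be exercised outside a browser with a fake root.

```javascript
// Added example, not code from the MozillaWiki page or from Mozilla's own fuzzers.
// Seeded selector fuzzer for querySelector/querySelectorAll. All names here are
// this example's own; targets a current browser, not Firefox 3 specifically.

// mulberry32: tiny deterministic PRNG so a failing selector is reproducible from its seed.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Token pool: valid pieces mixed with edge cases that stress the tokenizer and the
// end-of-input handling the review mentions (trailing combinators, unterminated
// strings/brackets, NUL, BOM, non-ASCII, namespace syntax, stray delimiters).
const TOKENS = [
  "div", "span", "*", "#id", ".cls", "[a]", '[a="b"]', '[a^="x', ":first-child",
  ":not(", ":not(*)", ":nth-child(2n+1)", ":nth-child(", " > ", " + ", " ~ ", " ", ",",
  "\\", "\u0000", "\ufeff", "é", "svg|rect", "|*", "'", '"', "(", ")", "]", "\n",
];

function randomSelector(rand, maxTokens) {
  const n = 1 + Math.floor(rand() * maxTokens);
  let s = "";
  for (let i = 0; i < n; i++) s += TOKENS[Math.floor(rand() * TOKENS.length)];
  return s;
}

// Same seed and count always yield the same selector list.
function generateSelectors(seed, count, maxTokens = 6) {
  const rand = mulberry32(seed);
  const out = [];
  for (let i = 0; i < count; i++) out.push(randomSelector(rand, maxTokens));
  return out;
}

// Run every selector against a root (Document, Element or DocumentFragment) and classify.
// An invalid selector must raise a SyntaxError DOMException (code 12 in older Gecko);
// any other exception type, or querySelector disagreeing with querySelectorAll, is a finding.
function exercise(root, selectors) {
  const summary = { ok: 0, syntaxError: 0, findings: [] };
  for (const sel of selectors) {
    try {
      const list = root.querySelectorAll(sel);
      const first = root.querySelector(sel);
      if (typeof list.length !== "number" || (list.length ? list[0] : null) !== first) {
        summary.findings.push({ selector: sel, problem: "querySelector/querySelectorAll disagree" });
      } else {
        summary.ok++;
      }
    } catch (e) {
      const isSyntax = e && (e.name === "SyntaxError" || e.code === 12);
      if (isSyntax) summary.syntaxError++;
      else summary.findings.push({ selector: sel, problem: `unexpected ${e && e.name}: ${e && e.message}` });
    }
  }
  return summary;
}

// Roots the review comment asks for: the page, same-origin subdocuments, and trees
// without a docshell/presentation (a DOMParser XML document and a detached fragment).
function collectRoots(win) {
  const roots = [{ name: "document", root: win.document }];
  for (const f of win.document.querySelectorAll("iframe")) {
    try { if (f.contentDocument) roots.push({ name: "iframe", root: f.contentDocument }); } catch (e) {}
  }
  const parsed = new win.DOMParser().parseFromString(
    '<r xmlns="urn:x"><a id="i" class="c"><b/></a><a/></r>', "application/xml");
  roots.push({ name: "DOMParser", root: parsed });
  const frag = win.document.createDocumentFragment();
  const d = win.document.createElement("div"); d.className = "c"; frag.appendChild(d);
  roots.push({ name: "fragment", root: frag });
  return roots;
}

// The Overview says the result is a static NodeList: mutating the tree after the
// query must not change the snapshot's length.
function resultIsStatic(doc) {
  const snapshot = doc.querySelectorAll("p");
  const before = snapshot.length;
  const p = doc.createElement("p");
  doc.documentElement.appendChild(p);
  const unchanged = snapshot.length === before;
  doc.documentElement.removeChild(p);
  return unchanged;
}

if (typeof window !== "undefined" && window.document) {
  const selectors = generateSelectors(1, 2000);
  console.log("static result:", resultIsStatic(window.document));
  for (const { name, root } of collectRoots(window)) {
    const r = exercise(root, selectors);
    console.log(name, r.ok, "ok,", r.syntaxError, "SyntaxError,", r.findings.length, "findings", r.findings.slice(0, 5));
  }
}
```

Paste it into a page's console or load it as a script; raise the count and vary the seed between runs, and keep the seed of any run that produces a finding so the selector can be replayed. A crash will not show up as a finding, of course, so run it under a debug build or a crash-reporting harness when the goal is to find memory-safety bugs rather than spec deviations.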