[Project_owners] Firefox 1.0.3
mook.moz at gmail.com
Wed Apr 6 16:29:33 EDT 2005
On Apr 6, 2005 1:10 PM, Christopher Ottley
<xknight at users.sourceforge.net> wrote:
> Hello all,
> A friend of mine brought the following to my attention. It seems that a
> security fix in FF 1.0.3 may break extensions that rely on accessing a
> web-page's DOM from chrome using direct variable setting and getting.
> This is only my interpretation after reading the blog and the bug
> comments. You may want to get a build and see if 1.0.3 breaks your
> extension. An excerpt of Asa's blog entry is below.
> After further consideration (and investigation,) we have decided that it
> may be necessary to take a rather larger change into 1.0.3 than we had
> planned. We've run into one of those "fix the root cause or patch around
> the symptoms" trade-offs and to prevent future security issues, we're
> leaning towards the "fix the root problem" fix.
> The problem with "the right fix" is that it will probably break a number
> of extensions...
Actually, the patch was reported to have been backed out - i.e., it
will not be in the "real" 1.0.3. In fact, the CVS check-in comment
stated that it would be backed out (they just wanted to know what
things it would break). Since so much broke, I expect them to not
actually go with this any time soon :)
On the other hand, I suppose that the extensions which were broken by
the patch may want to review security considerations to be sure that
they're not making assumptions about objects in content windows. That
is, it might be a good idea to do a quick security review.
See the comment from Dan Veditz on Asa's blog (linked in parent) from
April 6, 2005 12:19 AM.
Wild guess: something like this might show up later though, so we
(extension developers) should probably be prepared for this.
OT: I guess this would be a good opportunity to push for Firefox /
Thunderbird extensions which can be updated via the extension manager.
This is definitely working already (see jslib); we just need to go
use it. I am assuming that putting the update file on
downloads.mozdev.org would be better for the servers?
mook.moz at gmail