Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Permission policy for codesource == null #117

Closed
hrj opened this issue Jul 17, 2015 · 2 comments
Closed

Permission policy for codesource == null #117

hrj opened this issue Jul 17, 2015 · 2 comments
Labels
need-advice security
Milestone
pre 1.0

Comments

@hrj
Copy link
Member

hrj commented Jul 17, 2015

1. What should be the permission policy for codesource == null

Granting permissions for Properties("*", "read") seems to be enough for now.

2. Why is codesource == null checked?
@hrj hrj added this to the pre 1.0 milestone Jul 17, 2015
@hrj
Copy link
Member Author

hrj commented Jun 19, 2017

The permission problem is evident in this test: https://uprootlabs.github.io/gngrTestCases/test-case/stack-trace/test.html

It fails with this exception:

access: access denied ("java.util.PropertyPermission" "rhino.stack.style" "read")
java.lang.Exception: Stack trace
	at java.lang.Thread.dumpStack(Thread.java:1336)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:462)
	at java.security.AccessController.checkPermission(AccessController.java:884)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
	at java.lang.System.getProperty(System.java:717)
	at org.mozilla.javascript.RhinoException.<clinit>(RhinoException.java:434)
	at org.mozilla.javascript.Interpreter.interpretLoop(Interpreter.java:1018)
	at org.mozilla.javascript.Interpreter.interpret(Interpreter.java:815)
	at org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:109)
	at org.lobobrowser.html.js.SecurityControllerImpl.lambda$0(SecurityControllerImpl.java:56)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.lobobrowser.html.js.SecurityControllerImpl.callWithDomain(SecurityControllerImpl.java:59)
	at org.mozilla.javascript.Interpreter.interpret(Interpreter.java:802)
	at org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:109)
	at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:393)
	at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3282)
	at org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:107)
	at org.lobobrowser.html.js.Executor.executeFunction(Executor.java:97)
	at org.lobobrowser.html.js.Executor.executeFunction(Executor.java:69)
	at org.lobobrowser.html.js.Window$7.run(Window.java:1513)
	at org.lobobrowser.html.js.Window$JSRunnableTask.run(Window.java:273)
	at org.lobobrowser.html.js.Window$JSScheduler$1.run(Window.java:374)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.lobobrowser.html.js.Window$JSScheduler.run(Window.java:380)
access: access allowed ("java.security.SecurityPermission" "getPolicy")
access: domain that failed ProtectionDomain  null
 null
 <no principals>
 null

@hrj
Copy link
Member Author

hrj commented Jun 19, 2017

The reason for the denied permission might be this: https://github.com/mozilla/rhino/blob/0ce17ecd3cb466d25f8d68b8f061ad23c77e8712/src/org/mozilla/javascript/SecurityUtilities.java

It returns a null ProtectionDomain when the SecurityManager is not an instance of RhinoSecurityManager.

@hrj hrj closed this as completed in 4cd50c2 Feb 13, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
need-advice security
Projects
None yet
Milestone
pre 1.0
Development

No branches or pull requests
1 participant
@hrj