
Is there some security issue changed from 3.0.6?


Bin Sun

Mar 6, 2009, 10:02:55 PM
to l...@mozilla.com, lile...@gmail.com
We have developed a plug-in using NPAPI. It was used for the secure
login of a third-party payment website, but after we updated Fx to
3.0.6 or above, it doesn't work anymore when the page is redirected to
other domains.

So I am wondering: is there any security-related change to the
cross-domain operations of NPAPI-based plug-ins?

What should I do? Can I add a whitelist of domains to a certain
domain?

Thanks
Bin

Bin Sun

Mar 8, 2009, 11:20:37 PM
On Mar 7, 11:02 am, Bin Sun <b...@mozilla.com> wrote:
Nobody knows anything about this?

Gavin Sharp

Mar 9, 2009, 4:21:52 AM
to Bin Sun, l...@mozilla.com, dev-apps...@lists.mozilla.org, lile...@gmail.com
On Fri, Mar 6, 2009 at 11:02 PM, Bin Sun <bs...@mozilla.com> wrote:
> We have developed a plug-in using NPAPI. It was used for the secure
> login of a third-party payment website, but after we updated Fx to
> 3.0.6 or above, it doesn't work anymore when the page is redirected to
> other domains.
>
> So I am wondering: is there any security-related change to the
> cross-domain operations of NPAPI-based plug-ins?

If you have a strong suspicion that a change in Firefox is responsible
for breaking your plugin, a good first step is to file a bug in
Bugzilla, and provide as many details as you can. Feel free to CC me
on the bug (gavin.sharp matches me).

Once you've filed a bug, a useful next step would be to try and find a
1-day regression range, using a binary search through nightly builds
from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/ . The
relevant builds to test are in the "mozilla1.9.0" directories, and the
approximate time range between when 3.0.5 and 3.0.6 were built is
2008-12-02 to 2009-01-20 (I found this by looking at the time stamps
on the "3.0.x-candidates" directories).

Once you've obtained a 1-day regression range, you can search through
bonsai (http://bonsai.mozilla.org/cvsqueryform.cgi) to find a set of
patches that were checked in between those two builds. It's best to
pad the range you obtain a little bit (e.g. expand it by 4 hours on
each side) to account for variations in time between when the source
was checked out and when the build was posted to the FTP server.

You can also take a look through the set of bugs fixed in 3.0.6 to see
whether any of them stand out as possible causes for the issue you're
seeing (or as a guide to help narrow the range of builds you search):
https://bugzilla.mozilla.org/buglist.cgi?keywords_type=anywords&keywords=fixed1.9.0.6+verified1.9.0.6

Gavin
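
The nightly bisection and padded check-in window described in the reply above, as an added example that is not part of the original thread. It assumes the build at the start of the range works and the one at the end is broken; `check`, `simulated_check`, the 04:00 posting time and the 2009-01-05 landing date are constructed for illustration.

```python
from datetime import date, datetime, time, timedelta

def bisect_nightlies(good, bad, check):
    """Narrow [good, bad] to the tightest (last_good, first_bad) pair of build dates.

    check(day) returns True if the plug-in works in that day's nightly,
    False if it is broken, or None if no usable nightly exists (skip it).
    """
    days = [good + timedelta(days=n) for n in range((bad - good).days + 1)]
    lo, hi = 0, len(days) - 1          # days[lo] known good, days[hi] known broken
    skipped = set()
    while True:
        untested = [i for i in range(lo + 1, hi) if i not in skipped]
        if not untested:
            return days[lo], days[hi]
        mid = untested[len(untested) // 2]
        verdict = check(days[mid])
        if verdict is None:
            skipped.add(mid)           # missing build: the final range may span >1 day
        elif verdict:
            lo = mid
        else:
            hi = mid

def checkin_window(last_good, first_bad, build_time=time(4, 0), pad=timedelta(hours=4)):
    """Check-in query window, padded on each side as the reply suggests.

    build_time is an assumed posting time; read the real one off the FTP listing.
    """
    start = datetime.combine(last_good, build_time) - pad
    end = datetime.combine(first_bad, build_time) + pad
    return start, end

# Constructed scenario: pretend the change landed in the 2009-01-05 nightly and
# that no nightly was posted for 2009-01-04. In real use, check() would install
# that day's build, load the redirecting login page, and report what happened.
MISSING = {date(2009, 1, 4)}
def simulated_check(day):
    if day in MISSING:
        return None
    return day < date(2009, 1, 5)

if __name__ == "__main__":
    good, bad = bisect_nightlies(date(2008, 12, 2), date(2009, 1, 20), simulated_check)
    print("regression range:", good, "to", bad)
    print("query check-ins between:", *checkin_window(good, bad))
```

Over the 50-day range quoted in the reply, this needs about six manual build tests instead of fifty.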
