Firefox3/QuerySelector Security Review
Overview
This feature allows websites to get a static NodeList containing Element nodes that match a given CSS selector, with the option of only getting Elements that are descendants of a given Node.
- Background links
Security and Privacy
- The code assumes that selector parsing in general can deal with arbitrary byte sequences as input. The main attack points being introduced are a new way to call into selector parsing and matching, and in particular a way to perform selector matching on elements whose current document has no presentation.
Exported APIs
- The code exports the querySelector and querySelectorAll APIs as defined in the specification, except that namespace resolution is not supported.
Data
- The code reuses the existing selector-parsing code to parse the selector string, with a minor tweak to allow EOF to correctly terminate the selector.
- The code outputs a thin wrapper implementing nsINodeList around an nsCOMArray containing pointers to the matching Elements.
Reliability and configuration
- There is no user interaction or configuration involved, nor any developer configuration.
Review Comments
- Adapt CSS fuzzing code to beat on the new APIs. Be sure to call it on random subdocument trees and on DOM trees without a docshell, such as XHR responses.
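The robustness property the Security and Privacy note and the review comment above are concerned with (selector parsing must cope with arbitrary input, including on documents that have no presentation) can be checked with a small harness like the one below. This is an added example, not code from the wiki page or from Firefox; the selector cases are constructed, and the "no presentation" document is produced with DOMParser as a stand-in for an XHR response document.

```javascript
// Feed edge-case selector strings to querySelectorAll and check one invariant:
// every call either returns a NodeList or throws SyntaxError, never anything else,
// on the live document as well as on a document with no presentation.

// Constructed inputs. expect: "list" | "syntax-error" | "any" (either outcome is fine).
const SELECTOR_CASES = [
  { selector: "div > p.note",              expect: "list" },
  { selector: "p:not(.x):nth-child(2n+1)", expect: "list" },
  { selector: "",                          expect: "syntax-error" }, // empty selector
  { selector: "div >",                     expect: "syntax-error" }, // EOF after a combinator
  { selector: "div:nth-child(",            expect: "syntax-error" }, // EOF inside an argument
  { selector: "svg|rect",                  expect: "syntax-error" }, // namespace prefix, no resolver
  { selector: "\u0000\uFFFF\uD800",        expect: "any" },          // arbitrary code units
  { selector: "a ".repeat(5000),           expect: "any" },          // very long input
];

// Run one querySelectorAll call on `root` and classify what happened.
function probe(root, selector) {
  try {
    return { selector, outcome: "list", count: root.querySelectorAll(selector).length };
  } catch (e) {
    const syntax = e && (e.name === "SyntaxError" || e.code === 12); // DOMException.SYNTAX_ERR
    return { selector, outcome: syntax ? "syntax-error" : "other-error", error: String(e) };
  }
}

// A result is a violation if the error kind is unexpected or the outcome is wrong.
function violates(result, expect) {
  if (result.outcome === "other-error") return true;
  return expect !== "any" && result.outcome !== expect;
}

// Run every case against one root and collect the violations.
function runCases(root, cases = SELECTOR_CASES) {
  const results = cases.map(c => ({ ...probe(root, c.selector), expect: c.expect }));
  return { results, violations: results.filter(r => violates(r, r.expect)) };
}

// Browser-only driver: the live document plus a document that has no presentation
// (parsed with DOMParser here, standing in for an XHR response document).
function runInBrowser() {
  const noPresentation = new DOMParser().parseFromString(
    "<html><body><div><p class='note'>x</p></div></body></html>", "text/html");
  return { live: runCases(document), noPresentation: runCases(noPresentation.body) };
}
if (typeof document !== "undefined") console.log(JSON.stringify(runInBrowser(), null, 2));
```

Paste the block into a browser console (or a page's script) to run it against real documents; any entry in `violations` is a case where the API neither returned a list nor threw SyntaxError.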