(In reply to Frederik Braun [:freddy] from comment #14)

> 1) Do we have a mechanism in place to prevent random websites from opening these error pages with a pop-up, iframe, redirect etc.?

If GeckoView fails to load a URI we get an `onLoadError` call with the URI and error. We then evaluate the error, depending on which we might return a `resource://errorPageHtml` URI that is then loaded by GeckoView. I would've said that this would allow a website to load an error page in an iframe but I see the iframe being loaded in Firefox desktop while not in Fenix. This might need more investigation but maybe there is already a topLevel check or something similar.

> 2) Do we have a mechanism in place to prevent websites from loading the JavaScript files used within error pages (e.g., the highRiskErrorPages.js) with a script element?

Tried testing this with a simple jsfiddle and I'm seeing in console

`Security Error: Content at https://fiddle.jshell.net/dp6zcy72/show/light/ may not load or link to resource://android/assets/lowMediumErrorPages.js.`

`<script> source URI is not allowed in this document: “resource://android/assets/lowMediumErrorPages.js”.`

I'm not sure where these messages are coming from and based on what checks; they're probably a lot lower than the app. Maybe Christian would know more about these. But even in the case that a different website loads our .js I'm not sure it could do anything with it. There is no state, no outside communication.
Bug 1659035 Comment 15 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
(In reply to Frederik Braun [:freddy] from comment #14)

> 1) Do we have a mechanism in place to prevent random websites from opening these error pages with a pop-up, iframe, redirect etc.?

If GeckoView fails to load a URI we get an `onLoadError` call with the URI and error. We then evaluate the error, depending on which we might return a `resource://errorPageHtml` URI that is then loaded by GeckoView. I would've said that this would allow a website to load an error page in an iframe but I see the iframe able to load an error page in Firefox desktop while not in Fenix. This might need more investigation but maybe there is already a topLevel check or something similar. (I tested with a simple `<iframe src="https://expired.badssl.com/" width="710" height="1080">`)

> 2) Do we have a mechanism in place to prevent websites from loading the JavaScript files used within error pages (e.g., the highRiskErrorPages.js) with a script element?

Tried testing this with a simple jsfiddle and I'm seeing in console

`Security Error: Content at https://fiddle.jshell.net/dp6zcy72/show/light/ may not load or link to resource://android/assets/lowMediumErrorPages.js.`

`<script> source URI is not allowed in this document: “resource://android/assets/lowMediumErrorPages.js”.`

I'm not sure where these messages are coming from and based on what checks; they're probably a lot lower than the app. Maybe Christian would know more about these. But even in the case that a different website loads our .js I'm not sure it could do anything with it. There is no state, no outside communication.
(In reply to Frederik Braun [:freddy] from comment #14)

Thank you! These are interesting scenarios. I'm afraid I can't do more than help testing. Hoping @csadilek knows better what's happening at lower levels.

> 1) Do we have a mechanism in place to prevent random websites from opening these error pages with a pop-up, iframe, redirect etc.?

If GeckoView fails to load a URI we get an `onLoadError` call with the URI and error. We then evaluate the error, depending on which we might return a `resource://errorPageHtml` URI that is then loaded by GeckoView. I would've said that this would allow a website to load an error page in an iframe but I see the iframe able to load an error page in Firefox desktop while not in Fenix. This might need more investigation but maybe there is already a topLevel check or something similar. (I tested with a simple `<iframe src="https://expired.badssl.com/" width="710" height="1080">`)

> 2) Do we have a mechanism in place to prevent websites from loading the JavaScript files used within error pages (e.g., the highRiskErrorPages.js) with a script element?

Tried testing this with a simple jsfiddle and I'm seeing in console

`Security Error: Content at https://fiddle.jshell.net/dp6zcy72/show/light/ may not load or link to resource://android/assets/lowMediumErrorPages.js.`

`<script> source URI is not allowed in this document: “resource://android/assets/lowMediumErrorPages.js”.`

I'm not sure where these messages are coming from and based on what checks; they're probably a lot lower than the app. Maybe Christian would know more about these. But even in the case that a different website loads our .js I'm not sure it could do anything with it. There is no state, no outside communication.