Here is a quick summary of our audit on GetDisplayHost.

## C++ uses

[GetDisplayHostPort call](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/netwerk/base/nsStandardURL.cpp#1232) should be handled by the bug 1922062

## JS uses

1\. [PageInfoChild’s getWindowInfo](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/actors/PageInfoChild.sys.mjs#72) Should be okay

2\. [Add on install (?)](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/base/content/browser-addons.js#907)
* This instance uses displayHost to set an html element’s context and shown to user when an add-on is blocked: [https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/base/content/browser-addons.js#938,944](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/base/content/browser-addons.js#938,944)
* Probably fine. We can’t install from a file channel with a host.

3\. [URIFixup](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/base/content/browser.js#1172)
* Goes into [notification label](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/base/content/browser.js#1235) and a [button label](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/base/content/browser.js#1210):
* Triggered by [UrlBarInput’s pickResult](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/components/urlbar/UrlbarInput.sys.mjs#1015)
* Seems fine.

4\. [UrlBarInput maybeUntrimUrl](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/components/urlbar/UrlbarInput.sys.mjs#3494) uses displayHost to update the selection
* Fine because the URL display is using the same displayHost

5\. [UrlbarValueFormatter's getUrlMetaData](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/components/urlbar/UrlbarValueFormatter.sys.mjs#224)
* This compares an `http` scheme. Should be no issue here

6 and 7\. [SmartBlock getAPI](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/extensions/webcompat/experiment-apis/trackingProtection.js#191) and [another](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/extensions/webcompat/experiment-apis/trackingProtection.js#207).
* Handled by: bug 1936834

8\. [URIFixup](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/docshell/base/URIFixup.sys.mjs#1048) just checks that it looks like a URI. Should be safe.

9 and 10\. [More tracking protection use](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/mobile/android/android-components/components/feature/webcompat/src/main/assets/extensions/webcompat/experiment-apis/trackingProtection.js#191) & [here as well](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/mobile/android/android-components/components/feature/webcompat/src/main/assets/extensions/webcompat/experiment-apis/trackingProtection.js#207)
* Android code similar to smartblock above
* Handled by: bug 1936834

11\. [Password manager](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/toolkit/components/passwordmgr/PasswordRulesManager.sys.mjs#54)
* Seems like a buggy callsite. Should be using asciiHost or host instead as ETLD service doesn't normalize the domain.
* filed bug 1935395

12\. [Add on manager](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/toolkit/mozapps/extensions/AddonManager.sys.mjs#5258)
* could installInfo be triggered by `file` url with hostname? Probably not, this is fine
Bug 1922064 Comment 3 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
A quick summary of our audit on GetDisplayHost: we should be able to proceed with this as the below calls are either low impact or we have opened bugs with the respective component. Details follow:

## C++ uses

[GetDisplayHostPort call](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/netwerk/base/nsStandardURL.cpp#1232) should be handled by the bug 1922062

## JS uses

1\. [PageInfoChild’s getWindowInfo](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/actors/PageInfoChild.sys.mjs#72) Should be okay

2\. [Add on install (?)](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/base/content/browser-addons.js#907)
* This instance uses displayHost to set an html element’s context and shown to user when an add-on is blocked: [https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/base/content/browser-addons.js#938,944](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/base/content/browser-addons.js#938,944)
* Probably fine. We can’t install from a file channel with a host.

3\. [URIFixup](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/base/content/browser.js#1172)
* Goes into [notification label](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/base/content/browser.js#1235) and a [button label](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/base/content/browser.js#1210):
* Triggered by [UrlBarInput’s pickResult](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/components/urlbar/UrlbarInput.sys.mjs#1015)
* Seems fine.

4\. [UrlBarInput maybeUntrimUrl](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/components/urlbar/UrlbarInput.sys.mjs#3494) uses displayHost to update the selection
* Fine because the URL display is using the same displayHost

5\. [UrlbarValueFormatter's getUrlMetaData](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/components/urlbar/UrlbarValueFormatter.sys.mjs#224)
* This compares an `http` scheme. Should be no issue here

6 and 7\. [SmartBlock getAPI](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/extensions/webcompat/experiment-apis/trackingProtection.js#191) and [another](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/browser/extensions/webcompat/experiment-apis/trackingProtection.js#207).
* Handled by: bug 1936834

8\. [URIFixup](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/docshell/base/URIFixup.sys.mjs#1048) just checks that it looks like a URI. Should be safe.

9 and 10\. [More tracking protection use](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/mobile/android/android-components/components/feature/webcompat/src/main/assets/extensions/webcompat/experiment-apis/trackingProtection.js#191) & [here as well](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/mobile/android/android-components/components/feature/webcompat/src/main/assets/extensions/webcompat/experiment-apis/trackingProtection.js#207)
* Android code similar to smartblock above
* Handled by: bug 1936834

11\. [Password manager](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/toolkit/components/passwordmgr/PasswordRulesManager.sys.mjs#54)
* Seems like a buggy callsite. Should be using asciiHost or host instead as ETLD service doesn't normalize the domain.
* filed bug 1935395

12\. [Add on manager](https://searchfox.org/mozilla-central/rev/7fb746f0be47ce0135af7bca9fffdb5cd1c4b1d5/toolkit/mozapps/extensions/AddonManager.sys.mjs#5258)
* could installInfo be triggered by `file` url with hostname? Probably not, this is fine