### Security Approval Request * **How easily could an exploit be constructed based on the patch?**: While the patch itself does not show any code snippet that can be used to construct an exploit, the diff itself inevitably reveals that there is a vulnerability in the handling of the `redirectUrl` part of the webRequest API, and that it relates to the `bypassCORSChecks` member. To exploit the vulnerability, an attacker needs to figure out that they have to control the redirect target. This part is not blatantly obvious from the patch. But anyone who is familiar with these concepts (webRequest extension API, `redirectUrl` and "bypass CORS checks") can put the pieces together and create an exploit themselves. * **Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?**: No * **Which older supported branches are affected by this flaw?**: ESR78 * **If not all supported branches, which bug introduced the flaw?**: bug 1450965 * **Do you have backports for the affected branches?**: No * **If not, how different, hard to create, and risky will they be?**: * **How likely is this patch to cause regressions; how much testing does it need?**: For manual verification of the fix, run the STR from the bug report. To test for regressions, run unit tests. Apply the following test-only patches: - [D80954](https://phabricator.services.mozilla.com/D80954) - verifies that existing functionality continues to work as intended (I still have a pending request for slightly improved test coverage, but it doesn't block the fix from landing). - [D79860](https://phabricator.services.mozilla.com/D79860) - verifies that this security bug has been fixed. - for manual QA: Run the tests from the bug report. ... and run all unit tests that involve this feature: `./mach test toolkit/components/extensions/test/browser/browser_ext_webRequest_redirect_mozextension.js toolkit/components/extensions/test/mochitest/test_ext_redirect_jar.html toolkit/components/extensions/test/mochitest/test_ext_webrequest_basic.html toolkit/components/extensions/test/mochitest/test_ext_webrequest_redirect_bypass_cors.html toolkit/components/extensions/test/mochitest/test_ext_webrequest_redirect_data_uri.html toolkit/components/extensions/test/mochitest/test_ext_webrequest_upgrade.html toolkit/components/extensions/test/xpcshell/test_ext_file_access.js toolkit/components/extensions/test/xpcshell/test_ext_redirects.js toolkit/components/extensions/test/xpcshell/test_ext_webRequest_permission.js` This should provide all coverage that we need.
Bug 1645204 Comment 21 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
### Security Approval Request * **How easily could an exploit be constructed based on the patch?**: While the patch itself does not show any code snippet that can be used to construct an exploit, the diff itself inevitably reveals that there is a vulnerability in the handling of the `redirectUrl` part of the webRequest API, and that it relates to the `bypassCORSChecks` member. To exploit the vulnerability, an attacker needs to figure out that they have to control the redirect target. This part is not blatantly obvious from the patch. But anyone who is familiar with these concepts (webRequest extension API, `redirectUrl` and "bypass CORS checks") can put the pieces together and create an exploit themselves. * **Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?**: No * **Which older supported branches are affected by this flaw?**: ESR78 * **If not all supported branches, which bug introduced the flaw?**: bug 1450965 * **Do you have backports for the affected branches?**: Yes (patch is expectedly to apply cleanly) * **If not, how different, hard to create, and risky will they be?**: * **How likely is this patch to cause regressions; how much testing does it need?**: For manual verification of the fix, run the STR from the bug report. To test for regressions, run unit tests. Apply the following test-only patches: - [D80954](https://phabricator.services.mozilla.com/D80954) - verifies that existing functionality continues to work as intended (I still have a pending request for slightly improved test coverage, but it doesn't block the fix from landing). - [D79860](https://phabricator.services.mozilla.com/D79860) - verifies that this security bug has been fixed. - for manual QA: Run the tests from the bug report. ... and run all unit tests that involve this feature: `./mach test toolkit/components/extensions/test/browser/browser_ext_webRequest_redirect_mozextension.js toolkit/components/extensions/test/mochitest/test_ext_redirect_jar.html toolkit/components/extensions/test/mochitest/test_ext_webrequest_basic.html toolkit/components/extensions/test/mochitest/test_ext_webrequest_redirect_bypass_cors.html toolkit/components/extensions/test/mochitest/test_ext_webrequest_redirect_data_uri.html toolkit/components/extensions/test/mochitest/test_ext_webrequest_upgrade.html toolkit/components/extensions/test/xpcshell/test_ext_file_access.js toolkit/components/extensions/test/xpcshell/test_ext_redirects.js toolkit/components/extensions/test/xpcshell/test_ext_webRequest_permission.js` This should provide all coverage that we need.
### Security Approval Request * **How easily could an exploit be constructed based on the patch?**: While the patch itself does not show any code snippet that can be used to construct an exploit, the diff itself inevitably reveals that there is a vulnerability in the handling of the `redirectUrl` part of the webRequest API, and that it relates to the `bypassCORSChecks` member. To exploit the vulnerability, an attacker needs to figure out that they have to control the redirect target. This part is not blatantly obvious from the patch. But anyone who is familiar with these concepts (webRequest extension API, `redirectUrl` and "bypass CORS checks") can put the pieces together and create an exploit themselves. * **Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?**: No * **Which older supported branches are affected by this flaw?**: ESR78, release, beta * **If not all supported branches, which bug introduced the flaw?**: bug 1450965 * **Do you have backports for the affected branches?**: Yes (patch is expectedly to apply cleanly) * **If not, how different, hard to create, and risky will they be?**: * **How likely is this patch to cause regressions; how much testing does it need?**: For manual verification of the fix, run the STR from the bug report. To test for regressions, run unit tests. Apply the following test-only patches: - [D80954](https://phabricator.services.mozilla.com/D80954) - verifies that existing functionality continues to work as intended (I still have a pending request for slightly improved test coverage, but it doesn't block the fix from landing). - [D79860](https://phabricator.services.mozilla.com/D79860) - verifies that this security bug has been fixed. - for manual QA: Run the tests from the bug report. ... and run all unit tests that involve this feature: `./mach test toolkit/components/extensions/test/browser/browser_ext_webRequest_redirect_mozextension.js toolkit/components/extensions/test/mochitest/test_ext_redirect_jar.html toolkit/components/extensions/test/mochitest/test_ext_webrequest_basic.html toolkit/components/extensions/test/mochitest/test_ext_webrequest_redirect_bypass_cors.html toolkit/components/extensions/test/mochitest/test_ext_webrequest_redirect_data_uri.html toolkit/components/extensions/test/mochitest/test_ext_webrequest_upgrade.html toolkit/components/extensions/test/xpcshell/test_ext_file_access.js toolkit/components/extensions/test/xpcshell/test_ext_redirects.js toolkit/components/extensions/test/xpcshell/test_ext_webRequest_permission.js` This should provide all coverage that we need.
### Security Approval Request * **How easily could an exploit be constructed based on the patch?**: While the patch itself does not show any code snippet that can be used to construct an exploit, the diff itself inevitably reveals that there is a vulnerability in the handling of the `redirectUrl` part of the webRequest API, and that it relates to the `bypassCORSChecks` member. To exploit the vulnerability, an attacker needs to figure out that they have to control the redirect target. This part is not blatantly obvious from the patch. But anyone who is familiar with these concepts (webRequest extension API, `redirectUrl` and "bypass CORS checks") can put the pieces together and create an exploit themselves. * **Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?**: No * **Which older supported branches are affected by this flaw?**: ESR78, release, beta * **If not all supported branches, which bug introduced the flaw?**: bug 1450965 * **Do you have backports for the affected branches?**: Yes (patch is expectedly to apply cleanly) * **If not, how different, hard to create, and risky will they be?**: * **How likely is this patch to cause regressions; how much testing does it need?**: For manual verification of the fix, run the STR from the bug report. To test for regressions, run unit tests. Apply the following test-only patches: - [D80954](https://phabricator.services.mozilla.com/D80954) - verifies that existing functionality continues to work as intended (I still have a pending request for slightly improved test coverage, but it doesn't block the fix from landing). - [D79860](https://phabricator.services.mozilla.com/D79860) - verifies that this security bug has been fixed. ... and run all unit tests that involve this feature: `./mach test toolkit/components/extensions/test/browser/browser_ext_webRequest_redirect_mozextension.js toolkit/components/extensions/test/mochitest/test_ext_redirect_jar.html toolkit/components/extensions/test/mochitest/test_ext_webrequest_basic.html toolkit/components/extensions/test/mochitest/test_ext_webrequest_redirect_bypass_cors.html toolkit/components/extensions/test/mochitest/test_ext_webrequest_redirect_data_uri.html toolkit/components/extensions/test/mochitest/test_ext_webrequest_upgrade.html toolkit/components/extensions/test/xpcshell/test_ext_file_access.js toolkit/components/extensions/test/xpcshell/test_ext_redirects.js toolkit/components/extensions/test/xpcshell/test_ext_webRequest_permission.js` This should provide all coverage that we need.