Closed Bug 1358652 Opened 7 years ago Closed 7 years ago

xpcshell e10s tests aren't sandboxed

Categories

(Core :: Security: Process Sandboxing, defect, P3)

Product:
Core
Component:
Security: Process Sandboxing
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1257098
Tracking Flags:
Tracking Status
firefox55 --- affected

People

(Reporter: jld, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: sb+) 

When xpcshell tests create content processes, the security.sandbox.content.level pref reads as 0, because it's set in browser/app/profile/firefox.js, which xpcshell doesn't use.  Usually this means the content processes aren't sandboxed.

I think it would make more sense for xpcshell to do the same thing as the browser, here.  I'm not as sure about changing it across the board, because I don't know how much other embeddings do things that would affect the content process's interaction with the sandbox (e.g., if they load frame scripts that do unexpected things).

This may cause regressions.  For example, once I land bug 1358647, there's at least one xpcshell test that will break on Linux when it tries to load httpd.js in a content process and XHR it (in fact, if there's any platform where it *doesn't* break, then that's a deficiency in the sandbox and bugs should be filed).
Whiteboard: sblc5, sbwc3, sbmc3
Sandboxing is now explicitly disabled in bug 1370438.
Blocks: sb-test
Priority: -- → P3
Whiteboard: sblc5, sbwc3, sbmc3 → sb+
This appears to be the same as bug 1257098.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.