Last Comment Bug 947831 - Do not set CSP on a document whose principal aliases another other document
: Do not set CSP on a document whose principal aliases another other document
Status: RESOLVED INVALID
[domsecurity-backlog]
:
Product: Core
Classification: Components
Component: DOM: Security (show other bugs)
: Trunk
: x86_64 Linux
-- normal (vote)
: ---
Assigned To: Deian Stefan
:
: Christoph Kerschbaumer [:ckerschb]
Mentors:
Depends on: 965413
Blocks: 943460
  Show dependency treegraph
 
Reported: 2013-12-09 00:16 PST by Deian Stefan
Modified: 2016-04-28 20:23 PDT (History)
6 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description User image Deian Stefan 2013-12-09 00:16:23 PST
Following up on bug 943460 and discussion with bz:
We should not be setting CSP on a document whose principal aliases some other document. Rather than special-casing apps (as in bug 943460), we may need a new API to indicate on a channel that (not only does it have an onwer, but) the principal is shared with some other document and use this avoid setting CSP.
Comment 1 User image Christoph Kerschbaumer [:ckerschb] 2016-03-23 10:40:18 PDT
Paul, what do you think? Can we mark this one as INVALID?
Comment 2 User image Paul Theriault [:pauljt] 2016-03-28 23:49:04 PDT
Yes I think so.
Comment 3 User image Paul Theriault [:pauljt] 2016-03-29 17:31:10 PDT
Actually, Christoph/Henry, does bug 1251152 reintroduce a need for this bug. My guess is 'no' since 1251152 doesn't affect nsDocument.cpp, but I'm not sure.
Comment 4 User image Christoph Kerschbaumer [:ckerschb] 2016-03-29 17:59:04 PDT
(In reply to Paul Theriault [:pauljt] from comment #3)
> Actually, Christoph/Henry, does bug 1251152 reintroduce a need for this bug.
> My guess is 'no' since 1251152 doesn't affect nsDocument.cpp, but I'm not
> sure.

Nope, I am fairly certain this is not the case. about:newtab can be forwarded to an external URL. We would then load that URL like any other website within the browser but enforce additonal security checks on such loads which are initiated by setting additional security flags within the AboutProtocolHandler.

Note You need to log in before you can comment on or make changes to this bug.