Closed Bug 1002676 Opened 10 years ago Closed 7 years ago

Don't persist user permissions for non-secure origins

Categories

(Core :: Permission Manager, defect)

defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: mt, Unassigned)

Details

We should not rely on persistent permissions for non-secure origins.  Nor should we allow non-secure origins to change persistent permissions.

In WebRTC, we've made a choice (in the W3C/IETF, not just Mozilla) to forbid the persistence of user permissions on non-secure origins.  Failure to do so potentially allows a MitM attacker a trivial means of access to security- or privacy-sensitive data.  In WebRTC, this is the camera and microphone.

We definitely want to do this for the geolocation API, but on reviewing the options under the permissions manager, this seems like a good thing to apply more generally.

I understand that this creates a problem for the permissions manager, which persists on a per-domain basis without regard for scheme (or port).  That suggests that there might be some supporting work to switch permissions manager to operate on a per-origin basis, before something like this could be done.

Permission manager now operates on a per-origin basis, but I don't think there's really a point to this bug. There are many permissions that are unrelated to powerful web features like WebRTC and breaking all of them on HTTP sites is not viable even in the long term. Furthermore, not all permission entries are "Allow" entries, and WebRTC does support permanently disallowing on HTTP, which would break as well.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
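
The keying and persistence questions discussed in this bug, as an added sketch that is not Mozilla's permission manager code: a toy store showing how per-host keying carries an HTTPS grant over to the HTTP origin, and how a policy can keep "deny" entries persistent on HTTP while holding "allow" entries for the session only. `PermissionStore`, its options, and the example.com/example.net URLs are hypothetical names and constructed inputs.

```javascript
// Added illustration only; every name here is hypothetical.
class PermissionStore {
  // keying: "host" (scheme and port ignored) or "origin" (scheme + host + port)
  // persistOnInsecure: "all" | "deny-only" | "none" (applies to non-https URLs)
  constructor({ keying, persistOnInsecure }) {
    this.keying = keying;
    this.persistOnInsecure = persistOnInsecure;
    this.persistent = new Map(); // would be written to disk
    this.session = new Map();    // dropped when the browser restarts
  }
  keyFor(url, perm) {
    const u = new URL(url);
    return (this.keying === "host" ? u.hostname : u.origin) + "|" + perm;
  }
  // Records a decision and returns true if it was stored persistently.
  set(url, perm, decision) {
    const secure = new URL(url).protocol === "https:";
    const mayPersist = secure ||
      this.persistOnInsecure === "all" ||
      (this.persistOnInsecure === "deny-only" && decision === "deny");
    const target = mayPersist ? this.persistent : this.session;
    target.set(this.keyFor(url, perm), decision);
    return mayPersist;
  }
  get(url, perm) {
    const k = this.keyFor(url, perm);
    return this.persistent.get(k) ?? this.session.get(k) ?? "prompt";
  }
  restart() { this.session.clear(); }
}

function demo() {
  // Per-host keying: a grant made over https also answers for http.
  const byHost = new PermissionStore({ keying: "host", persistOnInsecure: "all" });
  byHost.set("https://example.com/", "camera", "allow");
  const hostLeak = byHost.get("http://example.com/", "camera");

  // Per-origin keying, with only "deny" persisted for non-secure origins.
  const byOrigin = new PermissionStore({ keying: "origin", persistOnInsecure: "deny-only" });
  byOrigin.set("https://example.com/", "camera", "allow");
  const originIsolated = byOrigin.get("http://example.com/", "camera");
  byOrigin.set("http://example.com/", "camera", "allow"); // session only
  byOrigin.set("http://example.net/", "camera", "deny");  // persisted
  byOrigin.restart();
  return {
    hostLeak,
    originIsolated,
    httpAllowAfterRestart: byOrigin.get("http://example.com/", "camera"),
    httpDenyAfterRestart: byOrigin.get("http://example.net/", "camera"),
  };
}
```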