Closed
Bug 1015314
Opened 10 years ago
Closed 10 years ago
Change threshold for self-xss changes
Categories
(DevTools :: Console, defect)
DevTools
Console
Tracking
(Not tracked)
RESOLVED
FIXED
Firefox 34
People
(Reporter: manishearth, Assigned: manishearth)
References
Details
Attachments
(1 file, 5 obsolete files)
3.37 KB,
patch
|
jwalker
:
review+
|
Details | Diff | Splinter Review |
Bug 994134 has landed now. There were discussions on restricting the change to Release and Beta. Should we go through with this?
Assignee | ||
Comment 1•10 years ago
|
||
Assignee: nobody → manishearth
Status: NEW → ASSIGNED
Comment 2•10 years ago
|
||
I feel like 10 times is too high a bar for this. Can we lower the pref to 3? There are valid reasons to copy and paste text into scratchpads and consoles that this is going to make annoying. thanks!
Comment 3•10 years ago
|
||
(In reply to Rob Campbell [:rc] (:robcee) from comment #2) > I feel like 10 times is too high a bar for this. 10 is what chrome is doing. I could get behind fewer, I agree it will be a bit annoying. IIRC 10 refers to the number of console history items? > Can we lower the pref to 3? There are valid reasons to copy and paste text > into scratchpads and consoles that this is going to make annoying. Totally agree. or 5?
Assignee | ||
Comment 4•10 years ago
|
||
> 10 is what chrome is doing. I could get behind fewer, I agree it will be a > bit annoying. IIRC 10 refers to the number of console history items? Currently, Chrome is doing nothing, they're waiting on a "Developer Mode" feature; opinions are divided on that. The original patch had 10, but it was rolled back later. > Totally agree. or 5? I like 5 too.
Comment 5•10 years ago
|
||
(In reply to Manish Goregaokar [:manishearth] from comment #4) ... > Currently, Chrome is doing nothing, they're waiting on a "Developer Mode" > feature; opinions are divided on that. The original patch had 10, but it was > rolled back later. Ah interesting, hadn't realized that. Still think this is worth doing.
Comment 6•10 years ago
|
||
Chromium bug https://code.google.com/p/chromium/issues/detail?id=345205
Comment 8•10 years ago
|
||
re-commenting about this here: This is ultra annoying specially on an about:blank page … I think the warning might even be OK as it is as long as this is shown only on https websites where eventually there could be a concrete problem. Having this once (or 10 times) on about:blank on Nightly and then never again even in https or secured websites won't benefit anyone resulting instead just annoying and also pointless if security was a concern in real sites. Last, but not least, I really don't think browsers should be responsible for this, 'cause you put yourself in a place where users might even end up blaming you if the code they copied and pasted from a site that told them to also write 'allow pasting' before pasting caused problems to their account. I'd rather follow Safari approach, where developer tools must be enabled explicitly and probably that's the only moment you want to show a warning, letting users agree about the fact they can cause troubles to themselves and the browser or the devtools is not responsible for that. Thanks David for filing the other bug, and thanks for listening Mozillians. Best Regards
Assignee | ||
Comment 9•10 years ago
|
||
Updated the patch to lower the threshhold to 5. I think this has simmered for long enough in Nightly without any bugs (except for the formatting one which I'll get around to), time to push this through.
Attachment #8427862 -
Attachment is obsolete: true
Attachment #8462598 -
Flags: review?(jwalker)
Assignee | ||
Comment 10•10 years ago
|
||
(In reply to Andrea Giammarchi from comment #8) > re-commenting about this here: > > This is ultra annoying specially on an about:blank page … I think the > warning might even be OK as it is as long as this is shown only on https > websites where eventually there could be a concrete problem. I don't see where HTTPS comes in here. Self-XSS is a much easier exploit than MITMing HTTP; especially since self-xss is something that can be designed to propagate itself. MITM is a local attack, unless you control an ISP or something. There *is* a concrete problem already, this has even affected banks in the past. > Having this once (or 10 times) on about:blank on Nightly and then never > again even in https or secured websites won't benefit anyone resulting > instead just annoying and also pointless if security was a concern in real > sites. Agreed, that's why it's being removed from Nightly :) > Last, but not least, I really don't think browsers should be responsible for > this, 'cause you put yourself in a place where users might even end up > blaming you if the code they copied and pasted from a site that told them to > also write 'allow pasting' before pasting caused problems to their account. The warning is clear enough, I would say, especially about the not understanding bit. I don't think that anyone can blame Firefox if they blindly follow instructions even after being presented with that warning. > I'd rather follow Safari approach, where developer tools must be enabled > explicitly and probably that's the only moment you want to show a warning, > letting users agree about the fact they can cause troubles to themselves and > the browser or the devtools is not responsible for that. AFAICT Firefox is not going to go down the "Developer Mode" road (Chrome might), so this is ruled out. Plus, this is a specific warning. "Developer Mode" can at most be a generic warning; less effective against the problem at hand. This is one of the major scams involving devtools (perhaps the only one), so a specific warning makes more sense to me. If someone thinks they are doing developerish things (as most of these scams lead them to think they are doing), they won't be deterred by a generic "only use this if you are a dev" warning for Developer Mode.
Comment 11•10 years ago
|
||
> I don't see where HTTPS comes in here.
you already named banks, there it goes https ... other sites that are not even behind https or that not use CSP headers that mark inline JS not allowed should be OK for the console and no warning needed, IMO
Last, but not least, tell me how many self-xss I can do on about:blank which was my first screenshot :P
In about:blank or in absence of a protocol I'd say this makes no sense anyway, just annoying.
Assignee | ||
Comment 12•10 years ago
|
||
(In reply to Andrea Giammarchi from comment #11) > > I don't see where HTTPS comes in here. > > you already named banks, there it goes https ... other sites that are not > even behind https or that not use CSP headers that mark inline JS not > allowed should be OK for the console and no warning needed, IMO The existence of attacks on sites which use https does not necessarily mean that only https sites need the protection. This exploit existed for Facebook (and was a problem) before HTTPS was rolled out by default. Lack of HTTPS doesn't mean a site doesn't care about security, either. StackExchange was on HTTP for quite a while, due to the sheer complexity of getting everything on HTTPS (it's not as easy as it sounds) > Last, but not least, tell me how many self-xss I can do on about:blank which > was my first screenshot :P > > In about:blank or in absence of a protocol I'd say this makes no sense > anyway, just annoying. That makes sense, but it seems like an edge case. Remember that most devs will never encounter this since it automatically turns off after light usage of the console. It will only occur if you paste stuff into the console before having used it a couple of times. I guess the fix can be made, not sure if we want to riddle the code with handling of about:blank and whatnot.
Comment 13•10 years ago
|
||
(In reply to Andrea Giammarchi from comment #11) > In about:blank or in absence of a protocol I'd say this makes no sense > anyway, just annoying. It has been argued that pages from the browser, which have a more direct route to privilege escalation, are more of a concern than http pages.
Comment 14•10 years ago
|
||
(In reply to Joe Walker [:jwalker] from comment #13) > (In reply to Andrea Giammarchi from comment #11) > > In about:blank or in absence of a protocol I'd say this makes no sense > > anyway, just annoying. > > It has been argued that pages from the browser, which have a more direct > route to privilege escalation, are more of a concern than http pages. Not even a "route to". JS code is already privileged code.
Comment 15•10 years ago
|
||
Comment on attachment 8462598 [details] [diff] [review] Updated patch, threshold lowered to 5 Review of attachment 8462598 [details] [diff] [review]: ----------------------------------------------------------------- Please could you split this patch in 2. One patch moves the settings to branding, and sets all the values to 5. We commit this straight away. Then in a couple of weeks when we know that this hasn't caused problems, commit patch no.2 which takes away the test for nightly/aurora. ::: browser/branding/nightly/pref/firefox-branding.js @@ +30,5 @@ > pref("browser.search.param.yahoo-fr-metro", ""); > #endif > + > +// Number of usages of the web console or scratchpad. > +// If this is less than 10, then pasting code into the web console or scratchpad is disabled s/10/5
Attachment #8462598 -
Flags: review?(jwalker) → review+
Assignee | ||
Comment 16•10 years ago
|
||
Split patch
Attachment #8462598 -
Attachment is obsolete: true
Attachment #8465251 -
Flags: review?(jwalker)
Assignee | ||
Comment 17•10 years ago
|
||
+comment
Attachment #8465251 -
Attachment is obsolete: true
Attachment #8465251 -
Flags: review?(jwalker)
Attachment #8465253 -
Flags: review?(jwalker)
Assignee | ||
Comment 18•10 years ago
|
||
Branding changes, will r? later
Attachment #8465255 -
Flags: feedback?(jwalker)
Updated•10 years ago
|
Attachment #8465255 -
Flags: feedback?(jwalker) → feedback+
Updated•10 years ago
|
Attachment #8465253 -
Flags: review?(jwalker) → review+
Assignee | ||
Comment 19•10 years ago
|
||
Marking as checkin-needed, filing a separate bug for the branding changes so this doesn't get marked as FIXED.
Keywords: checkin-needed
Summary: Restrict self-xss changes to Release/beta channels → Change threshold for self-xss changes
Assignee | ||
Updated•10 years ago
|
Attachment #8465255 -
Attachment is obsolete: true
Comment 20•10 years ago
|
||
Thanks Manish!
Assignee | ||
Comment 22•10 years ago
|
||
Gah, forgot: https://tbpl.mozilla.org/?tree=Try&rev=380203562143 Waiting for it to build.
Assignee | ||
Comment 23•10 years ago
|
||
Forgot to update the test *sheepish grin* Laptop conked out, currently using a lab computer, need someone to try push for me.
Attachment #8465253 -
Attachment is obsolete: true
Attachment #8465957 -
Flags: review?(jwalker)
Assignee | ||
Comment 24•10 years ago
|
||
New trypush, courtesy capella: https://tbpl.mozilla.org/?tree=Try&rev=f243997b128e
Updated•10 years ago
|
Attachment #8465957 -
Flags: review?(jwalker) → review+
Assignee | ||
Comment 25•10 years ago
|
||
Try push: https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=b1a84e51ecee
Keywords: checkin-needed
Comment 27•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/ef44ee66c51c
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: [fixed-in-fx-team]
Target Milestone: --- → Firefox 34
Updated•6 years ago
|
Product: Firefox → DevTools
You need to log in
before you can comment on or make changes to this bug.
Description
•