embed-apps should be restricted to in-proc apps or we need to fix oop-embed-apps

RESOLVED FIXED in mozilla36

Status

()

Core
DOM
RESOLVED FIXED
4 years ago
3 years ago

People

(Reporter: kanru, Assigned: kanru)

Tracking

(Blocks: 1 bug)

Trunk
mozilla36
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

4 years ago
In bug 1044333 we realized that apps managed by an OOP app would use the incorrect AppId, the parent app's AppId, so it would cause privilege escalation.

In the short term we should disallow apps with embed-apps permission to be run OOP.
(Assignee)

Updated

4 years ago
Blocks: 1053107
(Assignee)

Updated

3 years ago
Assignee: nobody → kchen
(Assignee)

Comment 1

3 years ago
Created attachment 8513262 [details] [diff] [review]
Disallow OOP app to embed in-proc apps

https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=b445bb36bc51

This might break some emulator tests..
Attachment #8513262 - Flags: review?(fabrice)
Comment on attachment 8513262 [details] [diff] [review]
Disallow OOP app to embed in-proc apps

Review of attachment 8513262 [details] [diff] [review]:
-----------------------------------------------------------------

Please ask review once treeherder is happy!
Attachment #8513262 - Flags: review?(fabrice)
(Assignee)

Comment 3

3 years ago
Created attachment 8517381 [details] [diff] [review]
Disallow OOP app to embed in-proc apps

https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=a74ef8f2086e

Tree is greenish.. failing tests are disabled since they use embed-apps in oop env.
Attachment #8513262 - Attachment is obsolete: true
Attachment #8517381 - Flags: review?(fabrice)
Attachment #8517381 - Flags: review?(fabrice) → review+
https://hg.mozilla.org/mozilla-central/rev/138110eb6437
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
(Assignee)

Updated

3 years ago
Blocks: 1097479
No longer blocks: 1097479
You need to log in before you can comment on or make changes to this bug.