
Don't give all moz-unsafe-about URLs the ability to silently install providers

RESOLVED FIXED

Status

Product: Firefox
Component: SocialAPI
Reported: 3 years ago
Modified: 3 years ago

People

(Reporter: dveditz, Unassigned)

Tracking

Keywords: sec-want

Firefox Tracking Flags

(Not tracked)

Details

Description by dveditz (Reporter), 3 years ago
Currently, because about:home snippets wanted the ability to install social providers without showing the doorhanger, all moz-unsafe-about URLs were given that ability. Some about: URLs are explicitly designed to display injected content, and even though we usually try to prevent scripts, this opens a fairly large attack surface. Add-ons can also install additional about: URLs and may be of varying quality.

We can whitelist about:home if necessary, but other moz-unsafe-about URLs should not get this power.

[It's fine if chrome-privileged about: pages are allowed to bypass the doorhanger. Being chrome-privileged they could already do that the hard way if they were malicious.]
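The policy the report asks for, written out as an added example that is not part of the bug or of Firefox's own code: instead of granting the silent-install power to every document whose URL has the about: scheme, grant it only to the system principal and to an exact allow-list of about: pages. The function names, the `isSystemPrincipal` flag and the allow-list contents are assumptions for this illustration; the sample URLs are constructed.

```javascript
// Added example modelled on the policy described in the report; not Firefox's code.
// mayBypassDoorhangerOld() is the over-broad scheme check the report objects to;
// mayBypassDoorhanger() is the allow-list form. Both take the document URL as a
// string plus a flag saying whether the page runs with the system (chrome)
// principal; that flag is an assumption standing in for a real principal check.

// Only about:home (the snippets page) may install a provider without the doorhanger.
const SILENT_INSTALL_ALLOWLIST = new Set(["about:home"]);

function parseURL(docURL) {
  try {
    return new URL(docURL);
  } catch {
    return null; // unparsable input is never trusted
  }
}

// Over-broad policy: any about: document bypasses the doorhanger, including
// pages that render injected content and pages registered by add-ons.
function mayBypassDoorhangerOld(docURL, isSystemPrincipal) {
  if (isSystemPrincipal) return true;
  const u = parseURL(docURL);
  return u !== null && u.protocol === "about:";
}

// Allow-list policy: system principal, or an exact match on "about:<path>".
// Query and fragment are dropped before comparison so "about:home?x" still
// matches, while "about:homepage" does not match by prefix. The comparison is
// deliberately exact; rejecting an unusual spelling is the safe failure mode.
function mayBypassDoorhanger(docURL, isSystemPrincipal) {
  if (isSystemPrincipal) return true;
  const u = parseURL(docURL);
  if (u === null || u.protocol !== "about:") return false;
  const canonical = `about:${u.pathname}`;
  return SILENT_INSTALL_ALLOWLIST.has(canonical);
}

module.exports = { mayBypassDoorhangerOld, mayBypassDoorhanger };
```

With the old check, a constructed page such as about:addons (or any about: page an add-on registers) gets the silent-install power; with the allow-list only about:home does, and a chrome-privileged page is still allowed because it could already bypass the doorhanger by other means.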
This was fixed in bug 1014332.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED