Closed Bug 1073917 Opened 10 years ago Closed 10 years ago

Don't give all moz-unsafe-about URLs the ability to silently install providers

Categories

(Firefox Graveyard :: SocialAPI, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dveditz, Unassigned)

Details

(Keywords: sec-want)

Currently, because about:home snippets wanted the ability to install social providers without showing the doorhanger, all moz-unsafe-about urls were given that ability. Some about: urls are explicitly designed to display injected content, and even though we usually try to prevent scripts, this opens a fairly large attack surface. Add-ons can also install additional about: urls and may be of varying quality.

We can whitelist about:home if necessary, but other moz-unsafe-about urls should not get this power.

[It's fine if chrome-privileged about: pages are allowed to bypass the doorhanger. Being chrome-privileged they could already do that the hard way if they were malicious.]
This was fixed in bug 1014332.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Product: Firefox → Firefox Graveyard