Closed
Bug 1073917
Opened 10 years ago
Closed 10 years ago
Don't give all moz-unsafe-about URLs the ability to silently install providers
Categories
(Firefox Graveyard :: SocialAPI, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: dveditz, Unassigned)
(Keywords: sec-want)
Currently, because about:home snippets wanted the ability to install social providers without showing the doorhanger, all moz-unsafe-about URLs were given that ability. Some about: URLs are explicitly designed to display injected content, and even though we usually try to prevent scripts, this opens a fairly large attack surface. Add-ons can also install additional about: URLs and may be of varying quality. We can whitelist about:home if necessary, but other moz-unsafe-about URLs should not get this power. [It's fine if chrome-privileged about: pages are allowed to bypass the doorhanger. Being chrome-privileged, they could already do that the hard way if they were malicious.]
Comment 1•10 years ago
This was fixed in bug 1014332.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated•5 years ago
Product: Firefox → Firefox Graveyard