Closed
Bug 1082764
Opened 10 years ago
Closed 10 years ago
[e10s] Entering the url to an XPI in the address bar will use the current page's URL as the referrer for security checking the install
Categories
(Toolkit :: Add-ons Manager, defect)
Toolkit
Add-ons Manager
Tracking
()
| Tracking | Status | |
|---|---|---|
| e10s | m6+ | --- |
People
(Reporter: mossop, Assigned: mossop)
References
Details
Attachments
(1 file, 1 obsolete file)
|
5.78 KB,
patch
|
Unfocused
:
review+
|
Details | Diff | Splinter Review |
We do a security check assuming the about: page is attempting to do the load when that isn't the case.
|
Assignee | |
Comment 1•10 years ago
|
||
Morphing this as this is a more general problem. Any time we try to load an XPI URL the current page is used as the referrer even if entered into the url bar directly (shouldn't be a referrer at all in this case) or if loadURI is passed a referrer directly. This causes us to do security checks against the wrong domains.
Summary: [e10s] Entering the url to an XPI in the address bar when on an about: page will not install the add-on → [e10s] Entering the url to an XPI in the address bar will use the current page's URL as the referrer for security checking the install
|
||
Updated•10 years ago
|
|
|
Assignee | |
Updated•10 years ago
|
Assignee: nobody → dtownsend+bugmail
Status: NEW → ASSIGNED
Iteration: --- → 36.2
Points: --- → 3
Flags: qe-verify-
Flags: firefox-backlog+
|
|
Assignee | |
Comment 5•10 years ago
|
||
Using the current page's InstallTrigger to install XPIs detected in the content handler is a mistake. It means we assume the current page is the installer which is false in many cases. Instead just send the install message to the parent process with the correct referrer. This makes the code simpler too!
Attachment #8515254 -
Flags: review?(bmcbride)
|
|
Assignee | |
Comment 6•10 years ago
|
||
Forgot to mention, this patch applies on top of bug 1084558.
|
||
Comment 7•10 years ago
|
||
Comment on attachment 8515254 [details] [diff] [review]
patch
Review of attachment 8515254 [details] [diff] [review]:
-----------------------------------------------------------------
::: toolkit/content/browser-child.js
@@ +198,5 @@
> CrashReporter.annotateCrashReport("URL", uri);
> #endif
> + if (referrer)
> + referrer = Services.io.newURI(referrer, null, null);
> + this._webNavigation.loadURI(uri, flags, referrer, null, null);
Directly related test for this?
Attachment #8515254 -
Flags: review?(bmcbride) → review-
|
|
Assignee | |
Comment 8•10 years ago
|
||
(In reply to Blair McBride [:Unfocused] from comment #7)
> Comment on attachment 8515254 [details] [diff] [review]
> patch
>
> Review of attachment 8515254 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> ::: toolkit/content/browser-child.js
> @@ +198,5 @@
> > CrashReporter.annotateCrashReport("URL", uri);
> > #endif
> > + if (referrer)
> > + referrer = Services.io.newURI(referrer, null, null);
> > + this._webNavigation.loadURI(uri, flags, referrer, null, null);
>
> Directly related test for this?
Splitting out this change as it probably makes sense as a separate issue.
Depends on: 1093221
|
|
Assignee | |
Comment 9•10 years ago
|
||
Same patch but with the RemoteWebNavigation stuff split out.
Attachment #8515254 -
Attachment is obsolete: true
Attachment #8516276 -
Flags: review?(bmcbride)
|
|
||
Updated•10 years ago
|
Attachment #8516276 -
Flags: review?(bmcbride) → review+
|
|
Assignee | |
Comment 10•10 years ago
|
||
|
||
Comment 11•10 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
You need to log in
before you can comment on or make changes to this bug.
Description
•