Closed Bug 1143180 Opened 10 years ago Closed 7 years ago

Reader mode shouldn't make the result accessible to the page

Categories

(Firefox for iOS :: Reader View, defect)

x86
macOS
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1127853
Tracking Status
fxios - ---
fxios-v1.1 --- ?

People

(Reporter: bnicholson, Unassigned)

We currently store the reader parse result in window._firefox_ReaderMode.readabilityResult, meaning the page is able to replace it with its own value. This means pages can do malicious things like prevent the user from going into reader mode, or create their own fake reader mode to trick the user. There's an XSS security issue here since scripts would be running in a separate policy than the page.
I would like to understand if this really is a concern. What is the actual risk here? If we think this warrants a redesign of reader mode then I would like to investigate if we can serve the readerized content via the embedded GCDWebServer. Because that means we can serve the page with a Content-Security-Policy header included, which will very effectively block all (inline) script access and other kinds of content access that we may not allow from reader mode.
tracking-fennec: ? → +
No longer depends on: 1144511
Doing a bit of research, I found the Content-Security-Policy HTTP header [1] that could be quite useful here. As of bug 1144511, we're changing about:reader content to be served via localhost. If we can attach the proper header to the data response, I think that should eliminate any XSS security threats.

[1] http://www.ibuildings.com/blog/2013/03/4-http-security-headers-you-should-always-be-using
(In reply to Stefan Arentz [:st3fan] from comment #1)
> Because that means we can serve the page with a Content-Security-Policy
> header included, which will very effectively block all (inline) script
> access and other kinds of content access that we may not allow from reader
> mode.

LOL. I need to read comments more.
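
Added example, not part of the original thread and not Firefox for iOS code: a Python sketch of the approach discussed above, serving readerized HTML from localhost with a Content-Security-Policy header and checking that the policy leaves no script source allowed. The policy string, the handler and function names, and the sample article are assumptions made for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed policy (not from the bug): no script, any image, local styles only.
READER_CSP = "default-src 'none'; img-src *; style-src 'self'"
# Constructed sample: readerized output that still carries an inline script.
SAMPLE_ARTICLE = b"<h1>Title</h1><script>window.x = 1</script>"

def script_sources(policy):
    """Source list that governs scripts, or None if the policy leaves them unrestricted."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:  # first occurrence of a directive wins, as in the CSP spec
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives.get("script-src", directives.get("default-src"))

def blocks_all_script(policy):
    """True only when the effective script source list is empty or exactly 'none'."""
    sources = script_sources(policy)
    return sources is not None and [s.lower() for s in sources] in ([], ["'none'"])

class ReaderHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Security-Policy", READER_CSP)
        self.send_header("Content-Length", str(len(SAMPLE_ARTICLE)))
        self.end_headers()
        self.wfile.write(SAMPLE_ARTICLE)

    def log_message(self, *args):  # silence per-request logging
        pass

def fetch_reader_page():
    """Serve one page from an ephemeral localhost port; return (CSP header, body)."""
    server = HTTPServer(("127.0.0.1", 0), ReaderHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("GET", "/reader")
        resp = conn.getresponse()
        return resp.getheader("Content-Security-Policy"), resp.read()
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    csp, body = fetch_reader_page()
    print(csp, blocks_all_script(csp), len(body))
```

The body still contains the inline script; it is the response header, enforced by the rendering engine, that keeps it from running.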
Assignee: nobody → sarentz
Nominating this for v1.1. Keeping bug 1146596 for v1, which should give us a good security base.
Assignee: sarentz → nobody
tracking-fennec: + → -
Although, as mentioned above, this probably isn't an issue anyway: the Readability result is no longer revealed to the page with the PR for https://bugzilla.mozilla.org/show_bug.cgi?id=1127853
tracking-fennec: - → ---
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE