Closed
Bug 1143180
Opened 10 years ago
Closed 7 years ago
Reader mode shouldn't make the result accessible to the page
Categories
(Firefox for iOS :: Reader View, defect)
RESOLVED
DUPLICATE
of bug 1127853
People
(Reporter: bnicholson, Unassigned)
We currently store the reader parse result in window._firefox_ReaderMode.readabilityResult, meaning the page is able to replace it with its own value. This means pages can do malicious things like prevent the user from going into reader mode, or create their own fake reader mode to trick the user. There's an XSS security issue here since scripts would be running in a separate policy than the page.
Comment 1•10 years ago
I would like to understand if this really is a concern. What is the actual risk here?
If we think this warrants a redesign of reader mode then I would like to investigate if we can serve the readerized content via the embedded GCDWebServer.
Because that means we can serve the page with a Content-Security-Policy header included, which will very effectively block all (inline) script access and other kinds of content access that we may not allow from reader mode.
Updated•10 years ago
tracking-fennec: ? → +
Reporter
Comment 2•10 years ago
Doing a bit of research, I found the Content-Security-Policy HTTP header [1] that could be quite useful here. As of bug 1144511, we're changing about:reader content to be served via localhost. If we can attach the proper header to the data response, I think that should eliminate any XSS security threats.
[1] http://www.ibuildings.com/blog/2013/03/4-http-security-headers-you-should-always-be-using
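As an added illustration of the approach proposed in comments 1 and 2 (this is example code, not code from this bug or from the Firefox for iOS project): a localhost-served reader page carries a restrictive Content-Security-Policy header, and a small checker shows which script and image sources that policy would let the browser load. The origin, port and policy string are assumed values, and the checker is a simplified model of CSP source matching.

```python
from urllib.parse import urlparse

# Assumed origin and policy for the locally served reader page (constructed
# for this example; not the values the project actually shipped).
READER_ORIGIN = "http://localhost:6571"
READER_CSP = "default-src 'none'; script-src 'self'; style-src 'self'; img-src https: http:"


def reader_response_headers(content_type="text/html; charset=utf-8"):
    """Headers the local server would attach to the readerized page."""
    return {"Content-Type": content_type, "Content-Security-Policy": READER_CSP}


def parse_csp(policy):
    """Map each CSP directive name to its list of source expressions."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_allowed(policy, directive, source, page_origin):
    """Decide whether `source` (a URL, or "inline") is allowed by `directive`.

    Simplified CSP semantics: falls back to default-src when the directive is
    absent, and understands 'none', 'self', 'unsafe-inline', '*', scheme
    sources ("https:") and exact origins.
    """
    directives = parse_csp(policy)
    if directive in directives:
        sources = directives[directive]
    elif "default-src" in directives:
        sources = directives["default-src"]
    else:
        return True  # policy places no restriction on this directive
    if not sources or "'none'" in sources:
        return False
    if source == "inline":
        return "'unsafe-inline'" in sources  # inline script injected by the page
    url = urlparse(source)
    origin = f"{url.scheme}://{url.netloc}"
    for src in sources:
        if src == "*" or src == origin:
            return True
        if src == "'self'" and origin == page_origin:
            return True
        if src.endswith(":") and src[:-1] == url.scheme:
            return True
    return False
```

With the assumed policy, an inline script or a script from any third-party host is rejected, while the reader page's own script and images over http/https are allowed.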
Reporter
Comment 3•10 years ago
(In reply to Stefan Arentz [:st3fan] from comment #1)
> Because that means we can serve the page with a Content-Security-Policy
> header included, which will very effectively block all (inline) script
> access and other kinds of content access that we may not allow from reader
> mode.
LOL. I need to read comments more.
Updated•9 years ago
Assignee: nobody → sarentz
Updated•9 years ago
tracking-fxios: --- → +
Comment 4•9 years ago
Nominating this for v1.1. Keeping bug 1146596 for v1, which should give us a good security base.
Comment 5•8 years ago
Although, as mentioned above, this probably isn't an issue anyway: the Readability result is no longer revealed to the page with the PR for https://bugzilla.mozilla.org/show_bug.cgi?id=1127853
tracking-fennec: - → ---
Updated•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE