Closed Bug 1150862 Opened 10 years ago Closed 10 years ago

Make about:reader un-linkable from content

Categories

(Toolkit :: Reader Mode, defect)

Product:
Toolkit
Component:
Reader Mode
Version:
39 Branch
Type:
defect
Priority:
Not set
Severity:
normal
Points:
1

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla40
Iteration:
40.2 - 27 Apr
Tracking Flags:
Tracking Status
firefox37 --- wontfix
firefox38 --- verified
firefox39 --- verified
firefox40 --- verified

People

(Reporter: Margaret, Assigned: Gijs)

References

Details

(Keywords: sec-want, Whiteboard: [adv-main38-])

Attachments

(2 files)

Patch
2.14 KB, patch
Gavin
: review+
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Details | Diff | Splinter Review
Patch for mobile
1.61 KB, patch
Margaret
: review+
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Details | Diff | Splinter Review
+++ This bug was initially created as a clone of Bug #1147597 +++ Splitting this off from bug 1147597, since this will involve making changes to our about page code. From bug 1147597 comment 26: (In reply to :Margaret Leibovic from comment #17) > What do I need to do to make this non-linkable? I think we should also to > that to avoid the phishing problems. Remove URI_SAFE_FOR_UNTRUSTED_CONTENT from https://hg.mozilla.org/mozilla-central/annotate/da2f28836843/browser/components/about/AboutRedirector.cpp#l121. Except then you'll run into the issue described in https://hg.mozilla.org/mozilla-central/annotate/da2f28836843/browser/components/about/AboutRedirector.cpp#l27. We should probably fix that, which expands the scope, and probably requires some changes to nsAboutProtocolHandler.cpp's newURI logic and adding another flag to nsIAboutModule. Gijs, would you be interested in taking this?
Flags: needinfo?(gijskruitbosch+bugs)
Gijs beat me to this! I should read bugmail before filing new bugs :)
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(gijskruitbosch+bugs)
Resolution: --- → DUPLICATE
Seems like we can track "add the flag" and "use it" separately.
Status: RESOLVED → REOPENED
Depends on: 1150703
Resolution: DUPLICATE → ---
Attached patch PatchSplinter Review
I'm fine with splitting, though I'll note that the patch here will bitrot if we decide on another name in bug 1150703.
Assignee: nobody → gijskruitbosch+bugs
Status: REOPENED → ASSIGNED
Attachment #8588036 - Flags: review?(gavin.sharp)
Comment on attachment 8588036 [details] [diff] [review] Patch Name seems fine to me!
Attachment #8588036 - Flags: review?(gavin.sharp) → review+
We should also add this for mobile: http://mxr.mozilla.org/mozilla-central/source/mobile/android/components/AboutRedirector.js#62 However, we have a separate JS AboutRedirector implementation, so I'm not sure how this patch should be ported over.
Attached patch Patch for mobileSplinter Review
This should work, I think? Untested because I don't have an android build setup at the minute.
Attachment #8588146 - Flags: review?(margaret.leibovic)
Comment on attachment 8588146 [details] [diff] [review] Patch for mobile Review of attachment 8588146 [details] [diff] [review]: ----------------------------------------------------------------- Tested locally, this works. Thanks! ::: mobile/android/components/AboutRedirector.js @@ +115,2 @@ > > return flags | Ci.nsIAboutModule.ALLOW_SCRIPT; Huh? Does this work properly if flags is undefined?
Attachment #8588146 - Flags: review?(margaret.leibovic) → review+
(In reply to :Margaret Leibovic from comment #7) > ::: mobile/android/components/AboutRedirector.js > @@ +115,2 @@ > > > > return flags | Ci.nsIAboutModule.ALLOW_SCRIPT; > > Huh? Does this work properly if flags is undefined? I wondered this straight after attaching, too. It does, per my tests in the JS console, but I might as well update the patch to set flags to 0 where it's defined so that people reading after us stop wondering. :-)
(In reply to :Gijs Kruitbosch from comment #8) > (In reply to :Margaret Leibovic from comment #7) > > ::: mobile/android/components/AboutRedirector.js > > @@ +115,2 @@ > > > > > > return flags | Ci.nsIAboutModule.ALLOW_SCRIPT; > > > > Huh? Does this work properly if flags is undefined? > > I wondered this straight after attaching, too. It does, per my tests in the > JS console, but I might as well update the patch to set flags to 0 where > it's defined so that people reading after us stop wondering. :-) r+ :)
Does this need to be a hidden security bug? This reads like defense in depth feature work.
(In reply to Al Billings [:abillings] from comment #10) > Does this need to be a hidden security bug? This reads like defense in depth > feature work. Technically there is bug 1147597 comment #3 which explains how the current state of things can be abused.
(ie there is a real, documented way to abuse the fact that this hasn't landed yet - I don't know how that'd sec-rate, and if it that in itself is sec-low we might still want to open this up)
Group: core-security
Keywords: sec-want
Points: --- → 1
Flags: qe-verify+
Flags: firefox-backlog+
Iteration: --- → 40.1 - 13 Apr
Iteration: 40.1 - 13 Apr → 40.2 - 27 Apr
https://hg.mozilla.org/mozilla-central/rev/49ef1a47e042 https://hg.mozilla.org/mozilla-central/rev/37b9fc12d132
Status: ASSIGNED → RESOLVED
Closed: 10 years ago10 years ago
status-firefox40: affectedfixed
Resolution: --- → FIXED
Whiteboard: [fixed-in-fx-team]
Target Milestone: --- → mozilla40
QA Contact: andrei.vaida
Comment on attachment 8588036 [details] [diff] [review] Patch Approval Request Comment [Feature/regressing bug #]: reader mode [User impact if declined]: content pages can link to reader mode which is a Bad Idea (defense in depth) [Describe test coverage new/current, TreeHerder]: nope :-( [Risks and why]: pretty low [String/UUID change made/needed]: no, but needs change from bug 1150703 .
Attachment #8588036 - Flags: approval-mozilla-beta?
Attachment #8588036 - Flags: approval-mozilla-aurora?
Comment on attachment 8588146 [details] [diff] [review] Patch for mobile Approval Request Comment [Feature/regressing bug #]: reader mode [User impact if declined]: content pages can link to reader mode which is a Bad Idea (defense in depth) [Describe test coverage new/current, TreeHerder]: nope :-( [Risks and why]: pretty low [String/UUID change made/needed]: no, but needs change from bug 1150703 .
Attachment #8588146 - Flags: approval-mozilla-beta?
Attachment #8588146 - Flags: approval-mozilla-aurora?
Comment on attachment 8588146 [details] [diff] [review] Patch for mobile Should be in 38 beta 5.
Attachment #8588146 - Flags: approval-mozilla-beta?
Attachment #8588146 - Flags: approval-mozilla-beta+
Attachment #8588146 - Flags: approval-mozilla-aurora?
Attachment #8588146 - Flags: approval-mozilla-aurora+
Attachment #8588036 - Flags: approval-mozilla-beta?
Attachment #8588036 - Flags: approval-mozilla-beta+
Attachment #8588036 - Flags: approval-mozilla-aurora?
Attachment #8588036 - Flags: approval-mozilla-aurora+
Verified fixed on Beta 38.0b5-build1 (20150416143048), Aurora 39.0a2 (2015-04-19) and Nightly 40.0a1 (2015-04-19), using Ubuntu 14.04 (x64). Per my conversation with :gijs, I tried accessing about:reader URLs using a simple testcase consisting of an HTML <a> href attribute and a JavaScript location href property. The links either don't do anything or they throw the following error in the Browser Console, e.g.: > Error: Access to 'about:reader?url=https%3a%2f%2fwww.google.ro%2f%3fgws_rd%3dcr%2cssl%26ei%3dLZw0VdWuM8ebsgH2pIH4BA%23q%3dfirefox' from script denied
Status: RESOLVED → VERIFIED
status-firefox38: fixedverified
status-firefox39: fixedverified
status-firefox40: fixedverified
Whiteboard: [adv-main38-]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: