Closed
Bug 1195757
Opened 9 years ago
Closed 9 years ago
[Control Center] about:cache shows "Connection is not secure"
Categories
(Firefox :: General, defect, P1)
Firefox
General
Tracking
()
Tracking | Status | |
---|---|---|
firefox43 | --- | verified |
People
(Reporter: pauly, Assigned: Gijs)
References
Details
(Whiteboard: [fxprivacy])
Attachments
(1 file)
43.0a1 (2015-08-17), Win 7 x64
STR:
Open about:cache
Actual results:
"Connection is not secure"
Expected results:
"This page is stored on your computer" like any other about:about pages
Reporter | ||
Updated•9 years ago
|
Flags: needinfo?(tanvi)
Updated•9 years ago
|
Priority: -- → P3
Whiteboard: [fxprivacy]
Comment 1•9 years ago
|
||
Discussed in triage. From my understanding, there are a couple ways that we determine that this is a local file. One is a whitelist and one is https://dxr.mozilla.org/mozilla-central/source/browser/base/content/browser.js#7136.
Flags: needinfo?(tanvi)
Whiteboard: [fxprivacy] → [fxprivacy] [triage]
Updated•9 years ago
|
Whiteboard: [fxprivacy] [triage] → [fxprivacy]
Comment 2•9 years ago
|
||
Did a quick check and about:cache seems to resolve to about:cache, not sure why that is.
Comment 3•9 years ago
|
||
(In reply to Tim Taubert [:ttaubert] from comment #2)
> Did a quick check and about:cache seems to resolve to about:cache, not sure
> why that is.
about:cache seems to be handled directly in C++ on the platform, so it won't have a file path on disk: https://dxr.mozilla.org/mozilla-central/source/netwerk/protocol/about/nsAboutCache.cpp#76
Assignee | ||
Comment 4•9 years ago
|
||
Bug 1195757 - fix about:cache security state, r?ttaubert
Attachment #8657827 -
Flags: review?(ttaubert)
Assignee | ||
Comment 5•9 years ago
|
||
This is awful code because about:cache also uses about:cache?foo=bar if you mess with the tickboxes etc., and for the about: protocol we actually don't meaningfully separate out the query string, so I hacked something up that is really terrible, please forgive me. :-\
(also, won't work for e.g. view-source:about:cache, maybe? Not sure if we care about that case or not...)
Comment 6•9 years ago
|
||
Comment on attachment 8657827 [details]
MozReview Request: Bug 1195757 - treat about:cache as chrome, make checks on about: pages stricter, catch exceptions from NetUtil.jsm, r?ttaubert
https://reviewboard.mozilla.org/r/18429/#review16557
::: browser/base/content/browser.js:7213
(Diff revision 1)
> + if (this._hardcodedLocalFileURIs.some(localURI => uri.spec.startsWith(localURI))) {
> + return true;
> + }
What do you think about simply checking whether the scheme is still "about" after we resolved the URI? That should only ever be true for internal URIs constructed natively. OTOH, it might be easier to just add it to the existing whitelist of internal pages.
Attachment #8657827 -
Flags: review?(ttaubert)
Assignee | ||
Comment 7•9 years ago
|
||
(In reply to Tim Taubert [:ttaubert] from comment #6)
> Comment on attachment 8657827 [details]
> MozReview Request: Bug 1195757 - fix about:cache security state, r?ttaubert
>
> https://reviewboard.mozilla.org/r/18429/#review16557
>
> ::: browser/base/content/browser.js:7213
> (Diff revision 1)
> > + if (this._hardcodedLocalFileURIs.some(localURI => uri.spec.startsWith(localURI))) {
> > + return true;
> > + }
>
> What do you think about simply checking whether the scheme is still "about"
> after we resolved the URI? That should only ever be true for internal URIs
> constructed natively.
Add-ons could implement such a page and get remote data, right? I don't know to what degree we care about not giving the right information in that case, but I guess I would prefer to err on the side of caution because it's security information.
> OTOH, it might be easier to just add it to the
> existing whitelist of internal pages.
I'll do that.
Assignee | ||
Comment 8•9 years ago
|
||
Comment on attachment 8657827 [details]
MozReview Request: Bug 1195757 - treat about:cache as chrome, make checks on about: pages stricter, catch exceptions from NetUtil.jsm, r?ttaubert
Bug 1195757 - treat about:cache as chrome, make checks on about: pages stricter, catch exceptions from NetUtil.jsm, r?ttaubert
Attachment #8657827 -
Attachment description: MozReview Request: Bug 1195757 - fix about:cache security state, r?ttaubert → MozReview Request: Bug 1195757 - treat about:cache as chrome, make checks on about: pages stricter, catch exceptions from NetUtil.jsm, r?ttaubert
Attachment #8657827 -
Flags: review?(ttaubert)
Assignee | ||
Comment 9•9 years ago
|
||
Filed bug 1203055 about view-source and friends.
Comment 10•9 years ago
|
||
Comment on attachment 8657827 [details]
MozReview Request: Bug 1195757 - treat about:cache as chrome, make checks on about: pages stricter, catch exceptions from NetUtil.jsm, r?ttaubert
https://reviewboard.mozilla.org/r/18429/#review16683
::: browser/base/content/browser.js:6930
(Diff revision 2)
> - let whitelist = /^about:(accounts|addons|app-manager|config|crashes|customizing|downloads|healthreport|home|license|newaddon|permissions|preferences|privatebrowsing|rights|sessionrestore|support|welcomeback)/i;
> - let isChromeUI = uri.schemeIs("about") && whitelist.test(uri.spec);
> + let whitelist = /^(?:accounts|addons|app-manager|cache|config|crashes|customizing|downloads|healthreport|home|license|newaddon|permissions|preferences|privatebrowsing|rights|sessionrestore|support|welcomeback)(?:[?#]|$)/i;
> + let isChromeUI = uri.schemeIs("about") && whitelist.test(uri.path);
Thought about doing that too when I last looked at the code, thanks!
Attachment #8657827 -
Flags: review?(ttaubert) → review+
Assignee | ||
Comment 11•9 years ago
|
||
Oops, this dropped off my radar. :-(
Comment 12•9 years ago
|
||
Keywords: checkin-needed
Comment 13•9 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 43
Updated•9 years ago
|
Iteration: --- → 43.3 - Sep 21
Flags: qe-verify?
Priority: P3 → P1
Updated•9 years ago
|
Flags: qe-verify? → qe-verify+
QA Contact: paul.silaghi
Reporter | ||
Comment 14•9 years ago
|
||
(In reply to Paul Silaghi, QA [:pauly] from comment #0)
> Expected results:
> "This page is stored on your computer" like any other about:about pages
Control Center on about:cache shows now "This is a secure Nightly page", but I guess that's ok due to comment 3.
Verified fixed FF 43.0a1 (2015-09-15) Win 7.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•