Closed Bug 1222924 Opened 9 years ago Closed 7 years ago

Stop exposing the moz-icon URL scheme to the web

Categories

(Core :: Graphics: ImageLib, defect, P3)

Product:
Core
Component:
Graphics: ImageLib
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla59
Tracking Flags:
Tracking Status
firefox59 --- fixed

People

(Reporter: freddy, Assigned: Gijs)

References

(Blocks 1 open bug)

Details

(Keywords: sec-want, Whiteboard: [gfx-noted][fingerprinting][fp:m4][adv-main59-])

Attachments

(1 file)

Bug 1222924 - stop allowing webpages to link to moz-icon: ,
59 bytes, text/x-review-board-request
mrbkap
: review+
Details 
For web compat and reduced security surface, I suggest we stop allowing moz-icon URLs on the web.
Keywords: sec-want
The ftp directory listing uses moz-icon.
Whiteboard: [gfx-noted]
To what degree is this still web-exposed post bug 1173214 ?
(In reply to Bobby Holley (busy) from comment #3)
> I have no idea - do the observations in
> https://blog.mozilla.org/nnethercote/2015/11/05/moz-icon-a-curious-corner-of-
> firefox/ still work?

Yes. http://jsbin.com/fivudigoqe/edit?html,output

I'd forgotten I only changed a subset of moz-icon to be unusable from the web. This helps with the ftp file listing issue described in comment #1.

We could work around that somehow, though I'm not sure offhand exactly how we would... In principle the file listing page itself is just a page "like any other". We could display the same set of icons as before and pass the data some other way, but if we use blob URIs or data URIs to accomplish this somehow, it seems we'd be likely to give a same-origin web page access to the actual image data, which would be worse than the status quo.

Looking at it the other way, we could start treating such directory listings as "different" and make them non-same-origin with other things using the same protocol, but that likewise makes me uneasy - it feels like just shifting the problem around, and it might break existing users, maybe?

A third solution would be accepting the loss of icons and just using generic file/folder icons (or potentially shipping icons for a particular set of files and hardcoding those).

Finally, of course, we could decide to do nothing...

It feels to me like I'm missing a more trivial solution. Thoughts, Bobby?
Flags: needinfo?(bobbyholley)
I guess as another option, we could make moz-icon inaccessible from ftp but not from file: or chrome:, which would only break the icons on ftp, which I'm less bothered about than file: or chrome: (though I'm not sure how bothered I am even about those, I think other people will feel differently).
(In reply to :Gijs Kruitbosch from comment #5)
> I guess as another option, we could make moz-icon inaccessible from ftp but
> not from file: or chrome:, which would only break the icons on ftp, which
> I'm less bothered about than file: or chrome: (though I'm not sure how
> bothered I am even about those, I think other people will feel differently).

Yes, this is what I was going to propose - making it file://, resource://, and chrome:// only, which seems like good bang for our buck. Boris, do you think that would be acceptable?
Flags: needinfo?(bobbyholley) → needinfo?(bzbarsky)
I guess I can live with that, yeah.
Flags: needinfo?(bzbarsky)
Mildly sad as a user at the loss of icons in ftp, which I still do in fact use periodically.  I guess ftp directory listings are considered remote web pages, which explains why NoScript breaks sorting on them.  But, oh well, I understand it is yet another protocol fading just as fast as gopher.

One question though.  Firefox *does* support sftp:// and rather nicely too.  sftp I would think is used a bit more by devs.

Firefox sftp:// also suffers from the NoScript blocking of sorting (although presumably if you can sftp to a site you trust it to run scripts in documents) which makes me think that maybe moz-icon would end up being broken there too?

Would you consider adding that protocol to your whitelist?  I mean, you're going to auth anyway to an sftp site.
Shame, a few years ago when icon: was being drafted I opened Bug 599904 to track it because I thought it would be *really* useful. There is still a benefit —imo— for being able to show the user an icon they would recognise for a file type.
Whiteboard: [gfx-noted] → [gfx-noted][fingerprinting]
Whiteboard: [gfx-noted][fingerprinting] → [gfx-noted][fingerprinting][fp:m3]
Assignee: nobody → tihuang
Arthur, we would like to remove this bug from our MVP.
Do you agree? Did the Tor Browser have a fix for this?
Flags: needinfo?(arthuredelstein)
We don't yet have a fix for this, unfortunately. But it's a good reminder and I can work on it soon. I opened a tor ticket: https://trac.torproject.org/projects/tor/ticket/23424
Flags: needinfo?(arthuredelstein)
Whiteboard: [gfx-noted][fingerprinting][fp:m3] → [gfx-noted][fingerprinting][fp:m4]
Attachment #8931126 - Flags: review?(mrbkap)
I was reminded of this bug by bug 1419811 and bug 1419780, so I figured I'd give it a go.

I thought that really, all we needed was the right URI flags on nsMozIconProtocolHandler, but it turns out it already had URI_UI_RESOURCE . file: things can't link to that, and probably shouldn't be able to, but there's a special case in https://dxr.mozilla.org/mozilla-central/rev/72ee4800d4156931c89b58bd807af4a3083702bb/caps/nsScriptSecurityManager.cpp#840-844 that makes an exception for moz-icon and allows anything to load it (Note: only applies to the non-nested version, so moz-icon://.ext, not moz-icon://file:///path/to/file.ext).

So instead, I removed that exception, and added a more explicit and specific exception further up, limited to file: principals.

Alternatively, I *think* we could switch moz-icon to URI_IS_LOCAL_FILE, but it seems we have a bunch of checks elsewhere in the codebase that implicitly assume that that === file: URIs, plus it feels like a security "downgrade" from UI_RESOURCE, so I was hesitant about going in that direction. On the plus side, less specialcasing in nsScriptSecurityManager... :-\
Note that all this is fixing comment #0, but I don't know if it would help against TOR-relevant user/machine fingerprinting for the presence of a moz-icon handler (which currently throws a security error). That is, I haven't checked if it's possible to detect that vs. not having a handler for the protocol at all.
Comment on attachment 8931126 [details]
Bug 1222924 - stop allowing webpages to link to moz-icon: ,

https://reviewboard.mozilla.org/r/202202/#review209582

Sorry about the delay getting to this. This looks good to me.
Attachment #8931126 - Flags: review?(mrbkap) → review+
https://treeherder.mozilla.org/#/jobs?repo=try&revision=ec10a8c90069f858e3f274f4967a1102814209e5
Assignee: tihuang → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Looks like I need to update dom/security/test/mixedcontentblocker/test_bug803225.html to remove the moz-icon tests, as after this patch https: can no longer load moz-icon links anyway, so it's not relevant for mixed-content blocking.
Also looks like this'll break image/test/reftest/downscaling/downscale-moz-icon-1.html on android. dholbert, should I just disable the reftest only on android, or would that be bad? Looks like we don't use http: to access reftests anywhere else, and I'd prefer not to introduce yet another reftest-only pref (we had to do this for view-source already...) if possible.
Flags: needinfo?(dholbert)
(In reply to :Gijs from comment #18)
> Also looks like this'll break
> image/test/reftest/downscaling/downscale-moz-icon-1.html on android.
> dholbert, should I just disable the reftest only on android, or would that
> be bad? 

That seems fine to me, though it'd be nice to leave behind a comment in the reftest.list file with a brief explanation for the disabling.(the moz-icon protocol being disabled over http & other emote , and reftests all being served as http on android)

Note that this reftest is listed *twice* in reftest.list (to get tested under two different configurations), so you'll need to adjust both lines. Conveniently, both lines already have a skip-if(...) annotation, so you can probably just add "Android||" to the beginning of that annotation's condition.

> Looks like we don't use http: to access reftests anywhere else

(Yeah, I'm pretty sure that's correct -- specifically, Android is the only platform where they're *always* served over HTTP. On desktop, individual reftests *can* opt in to being served over http, but that's not relevant here.)
Flags: needinfo?(dholbert)
> & other emote ,

"& other remote protocols"
The reftest.list tweaks look good. But: shouldn't we also add some new tests (or test-tweaks) to validate that moz-icon is indeed not exposed on the web anymore?  (to verify that this change actually takes effect & doesn't get reverted/relaxed by accident)

(Maybe such tests are already included and I overlooked them - if so, sorry about that)
Flags: needinfo?(gijskruitbosch+bugs)
Pushed by gijskruitbosch@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/ec15d17d85cb
stop allowing webpages to link to moz-icon: , r=mrbkap
(In reply to Daniel Holbert [:dholbert] from comment #23)
> The reftest.list tweaks look good. But: shouldn't we also add some new tests
> (or test-tweaks) to validate that moz-icon is indeed not exposed on the web
> anymore?  (to verify that this change actually takes effect & doesn't get
> reverted/relaxed by accident)
> 
> (Maybe such tests are already included and I overlooked them - if so, sorry
> about that)

Sorry, didn't see this comment before looking at the trypush and then pushing from reviewboard. :-\

We should. In fact, I kind of expected the trypushes to point to some existing tests, but apparently not. I'll file a followup bug.
Flags: needinfo?(gijskruitbosch+bugs)
Blocks: 1422177
https://hg.mozilla.org/mozilla-central/rev/ec15d17d85cb
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox59: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Whiteboard: [gfx-noted][fingerprinting][fp:m4] → [gfx-noted][fingerprinting][fp:m4][adv-main59-]
Regressions: 1600490
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: