Closed
Bug 1248089
Opened 8 years ago
Closed 8 years ago
Audit Gecko's Content Policies to make sure they do not rely on requestingContext for TYPE_DOCUMENT
Categories
(Core :: DOM: Security, defect)
Core
DOM: Security
Tracking
()
RESOLVED
WONTFIX
| Tracking | Status | |
|---|---|---|
| e10s | m8+ | --- |
People
(Reporter: tanvi, Assigned: billm)
Details
Content Policies are passed a context: http://mxr.mozilla.org/mozilla-central/source/dom/base/nsContentPolicyUtils.h#251 This context is missing for TYPE_DOCUMENT loads in e10s. This shouldn't effect Gecko Internal Content Policies, but may effect addons. To be sure, we should audit the internal content policies for their use of context. I've listed them below along with some notes I've taken on them in the past. 1) nsMixedContentBlocker - returns early for TYPE_DOCUMENT loads http://mxr.mozilla.org/mozilla-central/source/dom/security/nsMixedContentBlocker.cpp#455 2) CSP Service - also returns early for TYPE_DOCUMENT http://mxr.mozilla.org/mozilla-central/source/dom/security/nsCSPService.cpp#128 3) nsNoDataProtocolContentPolicy - I don't see a reference to context and it returns NS_OK for TYPE_DOCUMENT - https://mxr.mozilla.org/mozilla-central/source/dom/base/nsNoDataProtocolContentPolicy.cpp Notes: Checks if the scheme of contentLocation against the content type. If content location shows a URI_DOES_NOT_RETURN_DATA scheme, then only certain content types should be allowed there. ? If the uri has been flagged as URI_DOES_NOT_RETURN_DATA, it should not be loaded in a non-document/frame/object/websocket context. (However, if the uri has a scheme that would return data, we allow it before checking the protocol flag as an optimization.) https://bugzilla.mozilla.org/show_bug.cgi?id=181860 - if we didn't reject these, we could DoS the browser. with something like a bunch of <img src=mailto:..>'s 4) nsDataDocumentContentPolicy - need to check in detail. Does reference the context - https://mxr.mozilla.org/mozilla-central/source/dom/base/nsDataDocumentContentPolicy.cpp Notes: for content that is just "data" and should not be rendered as html. (Is this always xml?). The LoadedAsData flag is set and we reject all sub resource loads, except dtds and fonts for print previews. This policy also does some checking on svg image loads and external resource documents. For external resource documents (https://bugzilla.mozilla.org/show_bug.cgi?id=433616#c0) certain types are blacklisted. (recursive image loads?) 5) nsWebBrowserContentPolicy - this one uses the context to get the docshell - https://mxr.mozilla.org/mozilla-central/source/embedding/browser/nsWebBrowserContentPolicy.cpp#42 - but it returns early if it doesn't get a docshell, and TYPE_DOCUMENT isn't a case in the switch statement. Notes: Checks the docshell to see if certain things have been explicitly disabled for it - scripts, frames, images. 6) nsContentBlocker - is this even used? nothing in mozilla-central even includes nsContentBlocker.h If you find any other information during this audit, please make updates to https://public.etherpad-mozilla.org/p/ContentPolicies
|
Assignee | |
Comment 1•8 years ago
|
||
I talked to Tanvi about bug 1113196. She said that this bug is the only part of bug 1113196 that needs to block the rollout of e10s to users without add-ons. So this will block and the other one won't.
Assignee: nobody → wmccloskey
tracking-e10s:
--- → m8+
|
|
Assignee | |
Comment 2•8 years ago
|
||
I guess we can close this if bug 1113196 lands.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•