Open Bug 1255798 Opened 4 years ago Updated 3 years ago

Block all non-https loads for remote newtab

Categories: Core :: DOM: Security, defect

People: Reporter: franziskus, Unassigned

Whiteboard: [domsecurity-backlog]

We should make sure that the remote about:newtab does not load over non-https channels, i.e. no http, no ftp, etc.

Background: we have to obviously use https, but we enforce content signatures only on http(s) channels, hence any other type of load is not secured.
Great use case for the newly implemented block all mixed content csp directive that Christoph landed!
https://bugzilla.mozilla.org/show_bug.cgi?id=1122236
(In reply to Tanvi Vyas - please needinfo [:tanvi] from comment #1)
> Great use case for the newly implemented block all mixed content csp
> directive that Christoph landed!
> https://bugzilla.mozilla.org/show_bug.cgi?id=1122236

The CSP for about:newtab should definitely use 'block-all-mixed-content'. But I think we need a little more for about:newtab, because the main page should only load if it's https, right? CSP and mixedContentBlocker bail early for TYPE_DOCUMENT. So we still need to make sure that happens.
Whiteboard: [domsecurity-backlog]