Bug 1255798 - Block all non-https loads for remote newtab
Status: NEW (open)
Opened 10 years ago; updated 3 years ago
Categories: Core :: DOM: Security, defect
People: Reporter: franziskus; Unassigned
Whiteboard: [domsecurity-backlog]
We should make sure that the remote about:newtab does not load over non-https channels, i.e. no http, no ftp etc.
Background: we have to obviously use https, but we enforce content signatures only on http(s) channels, hence any other type of load is not secured.
Tanvi Vyas [:tanvi]
Comment 1 • 10 years ago
Great use case for the newly implemented block all mixed content csp directive that Christoph landed!
https://bugzilla.mozilla.org/show_bug.cgi?id=1122236
Comment 2 • 10 years ago
(In reply to Tanvi Vyas - please needinfo [:tanvi] from comment #1)
> Great use case for the newly implemented block all mixed content csp
> directive that Christoph landed!
> https://bugzilla.mozilla.org/show_bug.cgi?id=1122236
The CSP for about:newtab should definitely use 'block-all-mixed-content'. But I think we need a little more for about:newtab, because the main page should only load if it's https, right? CSP and mixedContentBlocker bail early for TYPE_DOCUMENT. So we still need to make sure that happens.
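An added example, not Mozilla's code, of the two layers comment 2 separates: the top-level document URL is gated on its scheme on its own, because CSP and the mixed content blocker do not run for TYPE_DOCUMENT loads, while block-all-mixed-content in the page's CSP covers the subresources it fetches. The URL, the header values and the function names are constructed for the example.

```javascript
// Added example (not Firefox's own code): two-layer check for a remote newtab page.
// Layer 1 gates the top-level document on its URL scheme, because CSP and the
// mixed content blocker bail early for TYPE_DOCUMENT loads.
// Layer 2 checks that the delivered CSP carries block-all-mixed-content, so the
// page's own subresources cannot be fetched over http.

// Parse a Content-Security-Policy header value into a Map of directive -> tokens.
// When a directive name repeats, the first occurrence wins (as in the CSP spec).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Layer 1: only an https URL may be used as the remote newtab document.
// Anything else (http, ftp, an unparsable string) is rejected.
function isAllowedDocumentUrl(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  return url.protocol === "https:";
}

// Layer 2: the page's CSP must contain the block-all-mixed-content directive.
function cspBlocksMixedContent(header) {
  return parseCsp(header).has("block-all-mixed-content");
}

// Combined decision with the reasons for a refusal, for logging by the caller.
function evaluateRemoteNewtab(urlString, cspHeader) {
  const reasons = [];
  if (!isAllowedDocumentUrl(urlString)) reasons.push("document not loaded over https");
  if (!cspBlocksMixedContent(cspHeader || "")) reasons.push("CSP lacks block-all-mixed-content");
  return { allowed: reasons.length === 0, reasons };
}
```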
Updated • 10 years ago
Whiteboard: [domsecurity-backlog]
Updated • 3 years ago
Severity: normal → S3