Closed
Bug 1257744
Opened 8 years ago
Closed 2 years ago
Mixed Content Blocker may allow insecure about: pages
Categories
(Core :: DOM: Security, defect)
Core
DOM: Security
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: tanvi, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: sec-low, Whiteboard: [domsecurity-backlog])
See https://bugzilla.mozilla.org/show_bug.cgi?id=983326 (In reply to Tanvi Vyas - please needinfo [:tanvi] from comment #10) > (In reply to neil@parkwaycc.co.uk from comment #9) > > (In reply to Gavin Sharp from comment #5) > > > about: URIs can point to arbitrary resources, not all of them local (e.g. > > > about:credits is an alias for http://www.mozilla.org/credits/). > > > > (In reply to Tanvi Vyas from comment #6) > > > There are two categories of about: urls - nsAboutProtocolHandler and > > > nsSafeAboutProtocolHandler. about: urls fall are considered "safe" > > > (moz-safe-about) and are included in URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT. > > So this means that about:credits is considered safe to load in a frame on an > > https page, even though it's really an http link? (In before Gavin asks me > > to file a bug on changing about:credits to point to > > https://www.mozilla.org/credits/ .) > > Oh, that's not good. Does about:credits have the > URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT flag? > > Looks like we may need to go through > http://kb.mozillazine.org/About_protocol_links (assuming its complete) and > figure out if we are correctly classifying the mixed content state of about: > loads.
|
||
Comment 1•8 years ago
|
||
Since it's a sec-low bug we should also mark it as security sensitive.
Group: core-security
|
|
||
Comment 2•8 years ago
|
||
Tanvi, do you wanna take this? Or can you think of someone who can fix this?
Flags: needinfo?(tanvi)
|
||
Updated•8 years ago
|
Group: core-security → dom-core-security
|
|
||
Updated•8 years ago
|
Whiteboard: [domsecurity-backlog]
|
|
||
Comment 4•2 years ago
|
||
This predates our AsyncOpen2 work. With the new 'secure by default' mechanism about-pages will always be checked using the 'redirected' URI. So in case about:credits translates to https://www.mozilla.org/credits/, then https://www.mozilla.org/credits/ will be checked by the mixed content blocker. In other words, this bug rendered as a WORKSFORME in the meantime.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
|
|
||
Updated•2 years ago
|
Group: dom-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•