Closed
Bug 1257744
Opened 9 years ago
Closed 3 years ago
Mixed Content Blocker may allow insecure about: pages
Categories
(Core :: DOM: Security, defect)
RESOLVED WORKSFORME
People
(Reporter: tanvi, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: sec-low, Whiteboard: [domsecurity-backlog])
Description
See https://bugzilla.mozilla.org/show_bug.cgi?id=983326
(In reply to Tanvi Vyas - please needinfo [:tanvi] from comment #10)
> (In reply to neil@parkwaycc.co.uk from comment #9)
> > (In reply to Gavin Sharp from comment #5)
> > > about: URIs can point to arbitrary resources, not all of them local (e.g.
> > > about:credits is an alias for http://www.mozilla.org/credits/).
> >
> > (In reply to Tanvi Vyas from comment #6)
> > > There are two categories of about: urls - nsAboutProtocolHandler and
> > > nsSafeAboutProtocolHandler. about: urls fall are considered "safe"
> > > (moz-safe-about) and are included in URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT.
> > So this means that about:credits is considered safe to load in a frame on an
> > https page, even though it's really an http link? (In before Gavin asks me
> > to file a bug on changing about:credits to point to
> > https://www.mozilla.org/credits/ .)
>
> Oh, that's not good. Does about:credits have the
> URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT flag?
>
> Looks like we may need to go through
> http://kb.mozillazine.org/About_protocol_links (assuming it's complete) and
> figure out if we are correctly classifying the mixed content state of about:
> loads.
Comment 1•9 years ago
Since it's a sec-low bug we should also mark it as security sensitive.
Group: core-security
Comment 2•9 years ago
Tanvi, do you wanna take this? Or can you think of someone who can fix this?
Flags: needinfo?(tanvi)
Updated•9 years ago
Group: core-security → dom-core-security
Updated•9 years ago
Whiteboard: [domsecurity-backlog]
Comment 4•3 years ago
This predates our AsyncOpen2 work. With the new 'secure by default' mechanism about-pages will always be checked using the 'redirected' URI. So in case about:credits translates to https://www.mozilla.org/credits/, then https://www.mozilla.org/credits/ will be checked by the mixed content blocker. In other words, this bug rendered as a WORKSFORME in the meantime.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
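A small Python model of the classification change comment 4 describes (an added example, not Firefox code): the older check decides by the requested URI's scheme flags, so an about: alias for an http:// page is treated as safe inside an https page, while the 'secure by default' check classifies the redirected URI instead. The alias table and the set of 'safe' schemes are constructed stand-ins for Firefox's own tables.

```python
from urllib.parse import urlsplit

# Constructed alias table for this demo. The bug report states that about:credits
# was an alias for an http:// page; the real mapping lives in Firefox, not here.
ABOUT_ALIASES = {
    "about:credits": "http://www.mozilla.org/credits/",
    "about:blank": None,  # purely local page, nothing to redirect to
}

# Assumption: a simplified stand-in for the schemes Firefox flags as
# URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT. Only the relative ordering matters here.
SAFE_IN_SECURE_CONTEXT = {"https", "moz-safe-about", "about"}


def resolve_about(uri: str) -> str:
    """Return the URI the channel would actually load (the 'redirected' URI)."""
    target = ABOUT_ALIASES.get(uri)
    return target if target else uri


def scheme_of(uri: str) -> str:
    return urlsplit(uri).scheme.lower()


def blocked_by_scheme_flag(top_level: str, subresource: str) -> bool:
    """Pre-AsyncOpen2 behaviour: classify the *requested* URI by its scheme flags.

    An about: alias is 'safe' regardless of what it points at, which is the
    gap the reporter describes."""
    if scheme_of(top_level) != "https":
        return False  # mixed content only matters inside a secure page
    return scheme_of(subresource) not in SAFE_IN_SECURE_CONTEXT


def blocked_secure_by_default(top_level: str, subresource: str) -> bool:
    """Comment 4's behaviour: classify the URI the load is redirected to."""
    if scheme_of(top_level) != "https":
        return False
    final = resolve_about(subresource)
    return scheme_of(final) not in SAFE_IN_SECURE_CONTEXT


if __name__ == "__main__":
    page = "https://example.test/"
    for sub in ("about:credits", "about:blank", "http://cdn.example/x.js"):
        print(sub, "flag-based blocked:", blocked_by_scheme_flag(page, sub),
              "redirect-based blocked:", blocked_secure_by_default(page, sub))
```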
Updated•3 years ago
Group: dom-core-security