Closed
Bug 1267509
Opened 8 years ago
Closed 8 years ago
Make nsContentSecurityManager::IsURIPotentiallyTrustworthy act on an nsIPrincipal
Categories
(Core :: DOM: Security, defect)
Core
DOM: Security
Tracking
()
RESOLVED
FIXED
mozilla49
Tracking | Status | |
---|---|---|
firefox49 | --- | fixed |
People
(Reporter: jwatt, Assigned: jwatt)
References
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file, 1 obsolete file)
11.58 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
nsContentSecurityManager::IsURIPotentiallyTrustworthy is supposed to be implementing: https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy nsContentSecurityManager::IsURIPotentiallyTrustworthy operates on a URI though, whereas the spec algorithm works on an origin. Working on a URI means that IsURIPotentiallyTrustworthy does not handle blob: URIs correctly as defined here: https://url.spec.whatwg.org/#concept-url-origin
Assignee | ||
Comment 1•8 years ago
|
||
> Working on a URI means that IsURIPotentiallyTrustworthy does not
> handle blob: URIs correctly
Or more correctly, the code that calls it typically is not.
Assignee | ||
Comment 2•8 years ago
|
||
Attachment #8745316 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 3•8 years ago
|
||
Attachment #8745316 -
Attachment is obsolete: true
Attachment #8745316 -
Flags: review?(bzbarsky)
Attachment #8745329 -
Flags: review?(bzbarsky)
Updated•8 years ago
|
Whiteboard: [domsecurity-active]
Comment 4•8 years ago
|
||
Comment on attachment 8745329 [details] [diff] [review] patch The IDL comments need to stop mentioning "URI", right? I guess this works because getCodebasePrincipal will actually extract the principal inside the blob: URI... OK. And I guess we can't add an assertion in nsContentSecurityManager::IsOriginPotentiallyTrustworthy that the scheme is never "blob" because someone could mess with a non-blob URI to give it that scheme. :( r=me
Attachment #8745329 -
Flags: review?(bzbarsky) → review+
Comment 6•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/915ddad13087
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox49:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Updated•8 years ago
|
Target Milestone: mozilla48 → mozilla49
You need to log in
before you can comment on or make changes to this bug.
Description
•