Closed Bug 1269353 Opened 4 years ago Closed 4 years ago

Use channel.asyncOpen2() within ContentLinkHandler

Categories

(Core :: DOM: Security, defect)

RESOLVED FIXED
mozilla49
Tracking Status
firefox49 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

No description provided.
Assignee: nobody → ckerschb
Blocks: 1182535
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-active]
Hey Brad, looking at the commit message of Bug 1184739 I am wondering if TYPE_IMAGE would potentially be more appropriate than TYPE_OTHER, what do you think?
Attachment #8747716 - Flags: review?(blassey.bugs)
Comment on attachment 8747716
bug_1269353_asyncopen2_contentlinkhandler.patch

Review of attachment 8747716:
-----------------------------------------------------------------

I honestly don't know. I opted for TYPE_OTHER since this isn't an image displayed in content. Redirecting to Jonas in hopes he has a better understanding.
Attachment #8747716 - Flags: review?(blassey.bugs) → review?(jonas)
I don't think the type matters very much when loading using the system principal. We won't be calling out into security policies anyway.

That said, if we know that this is an image, it doesn't hurt to use TYPE_IMAGE.
Oh, is this for favicons? If so we should definitely use TYPE_IMAGE. But then we should also not use the system principal here. Favicons should be subject to CSP and other security policies.

But fixing that is likely better in a separate bug.
https://hg.mozilla.org/mozilla-central/rev/dee760a05b78
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49