Closed Bug 1275612 Opened 8 years ago Closed 2 months ago

[meta] Don't allow any origins to send objects over WebChannel

Categories

(Toolkit :: General, task, P3)

Product:
Toolkit
Component:
General
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
132 Branch
Tracking Flags:
Tracking Status
firefox132 --- fixed

People

(Reporter: tcsc, Assigned: mccr8)

References

(Blocks 2 open bugs)

Details

(Keywords: meta)

Attachments

(1 file)

Bug 1275612 - Don't allow any origins to send objects over WebChannel.
48 bytes, text/x-phabricator-request
Details | Review
In bug 1238128, several origins were whitelisted as allowed to send objects through webchannels (all other origins should be sending strings). This is not ideal, but is required for backwards compatibility. This bug tracks the work related to removing entries from the whitelist and eventually removing the special-cased code all together.
Depends on: 1238128
Depends on: 1275615
Depends on: 1275616
Depends on: 1275619
Priority: -- → P3
Component: FxAccounts → General
Product: Core → Toolkit
No longer depends on: 1275616
Keywords: meta
Type: defect → task

Hey Mark, all bugs tracked by this meta seems to be closed, can this also be closed?

Severity: normal → N/A
Flags: needinfo?(markh)

Opened 3 more bugs which are required to finally remove this preference and capability.

Flags: needinfo?(markh)

There are only two URLs in the list now, https://content.cdn.mozilla.net and https://install.mozilla.org. As I rambled about a bit in bug 1786654, I can find no evidence that these sites exist any more, nor that they are used for WebChannels in any kind of way. Although I could not find any evidence that they were ever used so maybe I'm overlooking something. They don't even have DNS entries, so I think we can remove this entire mechanism.

I've been spending far too long staring at this code so I can put a patch together early next week, most likely.

Assignee: nobody → continuation
Summary: [meta] Remove special case/whitelisted origins in webchannel code → [meta] Don't allow any origins to send objects over WebChannel
Duplicate of this bug: 1915874
Blocks: old-prefs
Depends on: 1916451
Attachment #9421716 - Attachment description: Bug 1275612 - Don't allow any origins to send objects over WebChannel. WIP → Bug 1275612 - Don't allow any origins to send objects over WebChannel.

My patch changes two tests using weird objects instead of a string for the contentData property of the WebChannelMessageToChrome, simplifying the typing of this message.

Blocks: 1885221
Pushed by amccreight@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/eb90f648ee67 Don't allow any origins to send objects over WebChannel. r=Gijs

https://hg.mozilla.org/mozilla-central/rev/eb90f648ee67

Status: NEW → RESOLVED
Closed: 2 months ago
status-firefox132: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 132 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: