Closed
Bug 1305331
Opened 8 years ago
Closed 5 years ago
Audit chrome process for places which run remote web content
Categories
(Core :: Security, defect, P3)
RESOLVED
FIXED
| | Tracking | Status |
|---|---|---|
| firefox52 | --- | affected |
People
(Reporter: pauljt, Unassigned)
References
(Blocks 1 open bug)
Details
The sandbox security relies on a model where all untrusted web content runs in child processes. We need to identify places where remote web content is parsed/executed/rendered in the parent instead of the child.
Comment 1•8 years ago
I think it's theoretically possible for the ServiceWorkerManager to run a service worker script in the parent under some circumstances. For example, the about:serviceworkers update button probably does this. At one point the about:debugging start button also ran the service worker in the parent process.
Our e10s refactor for service workers should remove the ability to do this in the future.
Updated•8 years ago
Priority: -- → P3
Comment 2•5 years ago
I think we can call this fixed with Bug 1560178.
We investigated SW in Bug 1582512 and the instance we were seeing resolved itself (although we never bisected...)
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED