Closed
Bug 1330035
Opened 4 years ago
Closed 4 years ago
Explicitly use javascript: instead of URI_INHERITS_SECURITY_CONTEXT within subjectToCSP()
Categories
(Core :: DOM: Security, defect, P1)
Core
DOM: Security
Tracking
()
RESOLVED
FIXED
mozilla53
Tracking | Status | |
---|---|---|
firefox53 | --- | fixed |
People
(Reporter: ckerschb, Assigned: ckerschb)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
2.14 KB,
patch
|
dveditz
:
review+
|
Details | Diff | Splinter Review |
As discussed with Dan, we should not use URI_INHERITS_SECURITY_CONTEXT but rather use javascript: explictly, see: https://bugzilla.mozilla.org/show_bug.cgi?id=1329198#c1
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: P3 → P1
Whiteboard: [domsecurity-backlog1] → [domsecurity-active]
Assignee | ||
Comment 1•4 years ago
|
||
Attachment #8825726 -
Flags: review?(dveditz)
Comment 2•4 years ago
|
||
Comment on attachment 8825726 [details] [diff] [review] bug_1330035_explicitly_use_javascript.patch Review of attachment 8825726 [details] [diff] [review]: ----------------------------------------------------------------- r=dveditz ::: dom/security/nsCSPService.cpp @@ +73,5 @@ > if (NS_SUCCEEDED(rv) && match) { > return true; > } > + // finally we have to whitelist "about:" and "javascript:" which do > + // not fall into the category underneath but are not subject to CSP. maybe "not subject to CSP content loading rules"? "javascript:" _is_ subject to CSP of course, but the script rules instead.
Attachment #8825726 -
Flags: review?(dveditz) → review+
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/4a1f0be6fa1d Explicitly use javascript: instead of URI_INHERITS_SECURITY_CONTEXT within subjectToCSP(). r=dveditz
Comment 4•4 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/4a1f0be6fa1d
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox53:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
You need to log in
before you can comment on or make changes to this bug.
Description
•