Closed Bug 1330035 Opened 3 years ago Closed 3 years ago

Explicitly use javascript: instead of URI_INHERITS_SECURITY_CONTEXT within subjectToCSP()

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla53

Tracking Flags:

Tracking

Status

firefox53

---

fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

bug_1330035_explicitly_use_javascript.patch 3 years ago Christoph Kerschbaumer [:ckerschb] 2.14 KB, patch	dveditz : review+	Details \| Diff \| Splinter Review

Christoph Kerschbaumer [:ckerschb]

Assignee

Description

•

3 years ago

As discussed with Dan, we should not use URI_INHERITS_SECURITY_CONTEXT but rather use javascript: explictly, see:

https://bugzilla.mozilla.org/show_bug.cgi?id=1329198#c1

Christoph Kerschbaumer [:ckerschb]

Assignee

Updated

•

3 years ago

Blocks: csp-w3c-3

Priority: -- → P3

Whiteboard: [domsecurity-backlog1]

Christoph Kerschbaumer [:ckerschb]

Assignee

Updated

•

3 years ago

Assignee: nobody → ckerschb

Status: NEW → ASSIGNED

Priority: P3 → P1

Whiteboard: [domsecurity-backlog1] → [domsecurity-active]

Christoph Kerschbaumer [:ckerschb]

Assignee

Comment 1

•

3 years ago

Attached patch bug_1330035_explicitly_use_javascript.patch — Details — Splinter Review

Attachment #8825726 - Flags: review?(dveditz)

Daniel Veditz [:dveditz]

Comment 2

•

3 years ago

Comment on attachment 8825726 [details] [diff] [review]
bug_1330035_explicitly_use_javascript.patch

Review of attachment 8825726 [details] [diff] [review]:
-----------------------------------------------------------------

r=dveditz

::: dom/security/nsCSPService.cpp
@@ +73,5 @@
>    if (NS_SUCCEEDED(rv) && match) {
>      return true;
>    }
> +  // finally we have to whitelist "about:" and "javascript:" which do
> +  // not fall into the category underneath but are not subject to CSP.

maybe "not subject to CSP content loading rules"? "javascript:" _is_ subject to CSP of course, but the script rules instead.

Attachment #8825726 - Flags: review?(dveditz) → review+

Pulsebot

Comment 3

•

3 years ago

Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4a1f0be6fa1d
Explicitly use javascript: instead of URI_INHERITS_SECURITY_CONTEXT within subjectToCSP(). r=dveditz

Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)

Comment 4

•

3 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/4a1f0be6fa1d

Status: ASSIGNED → RESOLVED

Closed: 3 years ago

status-firefox53: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla53

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Explicitly use javascript: instead of URI_INHERITS_SECURITY_CONTEXT within subjectToCSP()

Categories

(Core :: DOM: Security, defect, P1)

Tracking

()

People

(Reporter: ckerschb, Assigned: ckerschb)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Updated

Comment 1

Comment 2

Comment 3

Comment 4