Open Bug 1344819 Opened 3 years ago Updated 2 years ago

Investigate if triggeringPrincipal should be queried from mOSHE within docShell

Categories

(Core :: DOM: Security, enhancement, P3)

enhancement

Tracking

()

People

(Reporter: ckerschb, Assigned: tnguyen)

References

Details

(Whiteboard: [domsecurity-backlog1])

As discussed with smaug (see also [0]) we should potentially *not* query the triggeringPrincipal from mOSHE when creating a new session entry [1].

This needs more investigation.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1341754#c14
[1] https://dxr.mozilla.org/mozilla-central/source/docshell/base/nsDocShell.cpp#10416
Depends on: 1341754
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Thomas, to get some more background info, you could read Comments 14 (15,16,17,...) from Bug 1341754. The essential question is, should we query the triggeringPrincipal and PrincipalToInherit from mOSHE [1] in case there is an mOSHE or not. Potentially we could remove that if-else branch and always use the else branch, but we need to do some audit.

To fix the bug, ideally we run a bunch of tests (in particular loading about: pages) and investigate the principalToInherit and TriggeringPrincipal in the different scenarios. Once we have a list of that, we can move on with the code fix.

[1] https://dxr.mozilla.org/mozilla-central/source/docshell/base/nsDocShell.cpp#10623-10634
Flags: needinfo?(tnguyen)
Thanks for the info. Assign to myself so I can take a look later
Assignee: nobody → tnguyen
Flags: needinfo?(tnguyen)
Assignee: tnguyen → nobody
Assignee: nobody → tnguyen
You need to log in before you can comment on or make changes to this bug.