Remove accounts.firefox.com from the whitelist of domains allowed to send objects over webchannels.

RESOLVED FIXED in Firefox 59

Status: enhancement, P3, normal, RESOLVED FIXED, 2 years ago

People: Reporter: markh, Assigned: leakey94, Mentored

Tracking: Blocks 1 bug; Version: unspecified; Target Milestone: Firefox 59

Firefox Tracking Flags: firefox59 fixed

Attachments: 1 attachment

Reporter

Description

2 years ago
In bug 1275616, Firefox accounts no longer sends objects over web channels. This means we can remove this server from the whitelist maintained in Firefox for servers allowed to send objects.

I believe the work here is:

* change the |webchannel.allowObject.urlWhitelist| preference's default value to no longer include accounts.firefox.com

* change services/fxaccounts/FxAccountsConfig.jsm to no longer attempt to maintain that preference value.

* test that all browser interaction with that domain continues to work correctly.

This might well be a "good second bug", so adding myself as mentor (but not marking as good-first-bug, as that's probably a stretch).
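
The effect of the first work item, as an added example that is not part of the bug report and is not Firefox's source code: a simplified model of an allowlist gate for object messages, showing that an origin which only sends strings keeps working once it is removed. It assumes the preference is a whitespace-separated list of origins; `https://other.example`, the lookalike host, the `/signin` path, the message contents and all function names are constructed for illustration.

```javascript
// Added illustration: a simplified model, not Firefox source code.
// Assumption: the preference holds a whitespace-separated list of origins.
const ACCOUNTS = "https://accounts.firefox.com";
// Constructed sample value; other.example stands in for any remaining entry.
const PREF_BEFORE = `${ACCOUNTS} https://other.example`;

// Parse the preference into a set of normalised origins.
function parseAllowlist(prefValue) {
  const origins = new Set();
  for (const entry of prefValue.split(/\s+/).filter(Boolean)) {
    try {
      origins.add(new URL(entry).origin);
    } catch (e) {
      // Skip malformed entries instead of letting them match anything.
    }
  }
  return origins;
}

// Return the preference value with one origin removed.
function removeOrigin(prefValue, origin) {
  const target = new URL(origin).origin;
  return [...parseAllowlist(prefValue)].filter((o) => o !== target).join(" ");
}

// Gate a message payload: strings pass, objects only from a listed origin.
function acceptsDetail(senderUrl, detail, prefValue) {
  if (typeof detail === "string") {
    return true;
  }
  return parseAllowlist(prefValue).has(new URL(senderUrl).origin);
}

const PREF_AFTER = removeOrigin(PREF_BEFORE, ACCOUNTS);
const objectMsg = { command: "constructed:example", data: {} };
const stringMsg = JSON.stringify(objectMsg);
const page = `${ACCOUNTS}/signin`;
const lookalike = "https://accounts.firefox.com.lookalike.example/";

console.log("default after change:", PREF_AFTER);
console.log("object, before:", acceptsDetail(page, objectMsg, PREF_BEFORE));
console.log("object, after: ", acceptsDetail(page, objectMsg, PREF_AFTER));
console.log("string, after: ", acceptsDetail(page, stringMsg, PREF_AFTER));
console.log("lookalike obj: ", acceptsDetail(lookalike, objectMsg, PREF_BEFORE));
```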
Reporter

Updated

2 years ago
Blocks: 1275612
Priority: -- → P3

Updated

2 years ago
Product: Core → Firefox
Assignee

Comment 1

2 years ago
Hi Mark! I'd like to take this bug on. Looking at FxAccountsConfig.jsm I'm unsure what changes are required, any tips?
Flags: needinfo?(markh)
Assignee

Comment 3

2 years ago
Thanks Mark! I've made the changes to the code, can you tell me more about the required tests (I'm unfamiliar with the try server)?
Flags: needinfo?(markh)
Reporter

Comment 4

2 years ago
Thanks for contributing!

If you put a patch up following the instructions at https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/How_to_Submit_a_Patch, I'm happy to help running it through the try server. If you are able to push it via mozreview, then it will be trivial and you can probably do it yourself, but even if you just attach a patch directly to bugzilla I'll help with the next steps.

Thanks!
Assignee: nobody → leakey94
Flags: needinfo?(markh)
Reporter

Comment 6

2 years ago
mozreview-review
Comment on attachment 8931777 [details]
Bug 1346072 - Remove accounts.firefox.com from the whitelist of domains allowed to send objects over webchannels.

https://reviewboard.mozilla.org/r/202906/#review208374

Looks great, thanks! Can you please fix up the trivial whitespace issue and push a new version, then I'll r+ and land it (assuming the try push looks good).

::: services/fxaccounts/FxAccountsConfig.jsm:70
(Diff revision 1)
>      // will have initialized, which will leave them pointing at production.
>      for (let pref of CONFIG_PREFS) {
>        Services.prefs.clearUserPref(pref);
>      }
>      // Reset the webchannel.
> -    EnsureFxAccountsWebChannel();
> +    EnsureFxAccountsWebChannel();  
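
Review bot: The added `EnsureFxAccountsWebChannel();` line at the end of this hunk differs from the removed one only by trailing spaces, so the hunk carries no functional change. Restore the original line so this part of FxAccountsConfig.jsm drops out of the diff and the patch stays limited to the whitelist change.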

It looks like you accidentally introduced whitespace at the end of this line.
Reporter

Comment 8

2 years ago
mozreview-review
Comment on attachment 8931777 [details]
Bug 1346072 - Remove accounts.firefox.com from the whitelist of domains allowed to send objects over webchannels.

https://reviewboard.mozilla.org/r/202906/#review208468

Awesome, thanks!
Attachment #8931777 - Flags: review?(markh) → review+

Comment 9

2 years ago
Pushed by mhammond@skippinet.com.au:
https://hg.mozilla.org/integration/autoland/rev/db88252d490f
Remove accounts.firefox.com from the whitelist of domains allowed to send objects over webchannels. r=markh

Comment 10

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/db88252d490f
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 59