xpcshell e10s tests aren't sandboxed

NEW
Unassigned

Status

()

Core
Security: Process Sandboxing
P3
normal
6 months ago
3 months ago

People

(Reporter: jld, Unassigned)

Tracking

(Blocks: 1 bug)

Trunk
Points:
---

Firefox Tracking Flags

(firefox55 affected)

Details

(Whiteboard: sb+)

(Reporter)

Description

6 months ago
When xpcshell tests create content processes, the security.sandbox.content.level pref reads as 0, because it's set in browser/app/profile/firefox.js, which xpcshell doesn't use.  Usually this means the content processes aren't sandboxed.

I think it would make more sense for xpcshell to do the same thing as the browser, here.  I'm not as sure about changing it across the board, because I don't know how much other embeddings do things that would affect the content process's interaction with the sandbox (e.g., if they load frame scripts that do unexpected things).

This may cause regressions.  For example, once I land bug 1358647, there's at least one xpcshell test that will break on Linux when it tries to load httpd.js in a content process and XHR it (in fact, if there's any platform where it *doesn't* break, then that's a deficiency in the sandbox and bugs should be filed).

Updated

6 months ago
Whiteboard: sblc5, sbwc3, sbmc3
Sandboxing is now explicitly disabled in bug 1370438.

Updated

3 months ago
Blocks: 1257239
Priority: -- → P3
Whiteboard: sblc5, sbwc3, sbmc3 → sb+
You need to log in before you can comment on or make changes to this bug.