Closed Bug 1366973 Opened 3 years ago Closed 3 months ago

Rename security flags within nsILoadInfo to not contain '_DATA_'

Categories

(Core :: DOM: Security, task, P3)

task

Tracking

()

RESOLVED FIXED
mozilla80
Tracking Status
firefox80 --- fixed

People

(Reporter: ckerschb, Assigned: freddy)

References

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(1 file)

There are still other protocols that inherit the security context (by setting URI_INHERITS_SECURITY_CONTEXT in the protocol handler). Since data: URIs will *not* inherit the security context anymore, we should rename those flags to something like:

SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS -> SEC_REQUIRE_SAME_ORIGIN_INHERIT_SEC_CONTEXT


Similar, for all the other security flags within nsILoadInfo.
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: -- → P3
Whiteboard: [domsecurity-active]
Whiteboard: [domsecurity-active] → [domsecurity-backlog1]
Blocks: 1324406
No longer blocks: 1324406
Depends on: 1324406
Olli, now that we are about to treat data: URIs to be cross origin I think we should rename the five security flags within the loadinfo (and subsequent everywhere in the codebase) to not contain _DATA_. What do you think about the following renaming:

SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS   -> SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT
SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED -> [I think that should remain the same]
SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS    -> SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT
SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL     -> SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL
SEC_REQUIRE_CORS_DATA_INHERITS          -> SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT

Please note that we obviously would also update documentation of those flags within nsILoadInfo.idl.
Flags: needinfo?(bugs)
Looks reasonable, but perhaps we should do it only once we have some experience on whether the new data: handling causes tons of regressions.
Flags: needinfo?(bugs)
(In reply to Olli Pettay [:smaug] from comment #2)
> Looks reasonable, but perhaps we should do it only once we have some
> experience on whether the new data: handling causes tons of regressions.

I agree, let's hold off on that bug for a little while (and hopefully the new data: URI handling does not cause tons of regresssions).

Thanks Freddy!

Assignee: ckerschb → fbraun
Type: enhancement → task

A patch powered by this shell script will come soon:

rg SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS --files-with-matches | xargs sed -i 's/SEC_REQUIRE_SAME_ORIGIN_DATA_INHERITS/SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT/g'
rg SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS --files-with-matches | xargs sed -i 's/SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS/SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT/g'
rg SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL --files-with-matches | xargs sed -i 's/SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL/SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL/g'
rg SEC_REQUIRE_CORS_DATA_INHERITS --files-with-matches | xargs sed -i 's/SEC_REQUIRE_CORS_DATA_INHERITS/SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT/g'

(will update the documentation as well, naturally)

Pushed by fbraun@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e34785ffe0ed
Rename security flags to not contain DATA anymore r=geckoview-reviewers,ckerschb,snorp
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Regressions: 1653118
You need to log in before you can comment on or make changes to this bug.