Closed Bug 1367814 Opened 5 years ago Closed 5 years ago

Check that a redirect may load by result principal URI (NS_GetFinalChannelURI)

Categories

(Core :: Security: CAPS, defect)

Type: defect
Priority: Not set
Severity: normal

RESOLVED FIXED
mozilla56
Tracking Status
firefox56 --- fixed

People

(Reporter: mayhemer, Assigned: mayhemer)

Attachments

(1 file, 1 obsolete file)

Blocks: 1368110
Assignee: nobody → honzab.moz
Status: NEW → ASSIGNED
Comment on attachment 8871340
v1 (nsContentSecurityManager::AsyncOnChannelRedirect check against final channel URI of the new channel)

Try run here:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=325ac293772a6e865468e9a9d5758928ab0b9c7b

(:bz doesn't accept reviews, this has to wait)
Attachment #8871340 - Attachment description: wip → v1 (nsContentSecurityManager::AsyncOnChannelRedirect check against final channel URI of the new channel)
Summary: Check redirect may load by result principal URI (NS_GetFinalChannelURI) → Check that a redirect may load by result principal URI (NS_GetFinalChannelURI)
Comment on attachment 8871340
v1 (nsContentSecurityManager::AsyncOnChannelRedirect check against final channel URI of the new channel)

r=me, but the commit message should have something after the first line about how this allows protocols that load their data from some "privileged" URI but really want everything (including the principal and the redirect behavior) to look like an "unprivileged" one to function correctly.
Attachment #8871340 - Flags: review+
mayhemer: Is this ready to land?
Flags: needinfo?(honzab.moz)
(In reply to Shane Caraveo (:mixedpuppy) from comment #3)
> mayhemer: Is this ready to land?

Yep, I wanted to separate the landing of this one and a few other bugs to narrow down regressions better. I'll land this tomorrow.
Flags: needinfo?(honzab.moz)
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5c8f80d77909
Let nsContentSecurityManager check if a redirect may load against the target channel's final URI, r=bz
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/5c8f80d77909
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56