Open
Bug 1369029
Opened 7 years ago
Updated 7 months ago
Consider blocking requests to HTTP(S) URLs that contain both `\n` and `<` characters.
Categories
(Core :: Networking, enhancement, P3)
Core
Networking
Tracking
()
NEW
People
(Reporter: mkwst, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [necko-active])
In the hopes of mitigating one form of dangling-markup-based exfiltration, Blink plans to block requests whose URLs contained both removable whitespace (`\n`, `\r`, `\t`) _and_ raw less-than (`<`) characters. https://github.com/whatwg/fetch/issues/546 lays out the strategy and justification in more detail, proposed patches to URL and Fetch are up for review at https://github.com/whatwg/url/pull/284 and https://github.com/whatwg/fetch/pull/519 respectively, and Blink's "Intent to Remove" might be helpful: https://groups.google.com/a/chromium.org/d/msg/blink-dev/KaA_YNOlTPk/VmmoV88xBgAJ. WDYT?
Comment 1•7 years ago
|
||
This seems like a very good idea, with clear security benefits. I'll get started on a patch in a couple of weeks.
Assignee: nobody → valentin.gosu
Whiteboard: [necko-active]
Comment 2•7 years ago
|
||
Bulk priority update: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Updated•7 years ago
|
Priority: P1 → P2
Comment 3•6 years ago
|
||
Moving to p3 because no activity for at least 1 year(s). See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
Updated•3 years ago
|
See Also: → https://bugs.webkit.org/show_bug.cgi?id=172748
Comment 4•2 years ago
|
||
Not on my priority list right now.
Assignee: valentin.gosu → nobody
Blocks: url
Comment 5•2 years ago
|
||
This "might" be doable, summarizing what Valentin suggested in chat:
It should be possible to do that when parsing a URL. So in NS_NewURI / nsStandardURL::SetSpecWithEncoding. We could save the flag on the URL, object when parsing, then check it in nsHttpChannel::AsyncOpen and fail the channel if it's set
Updated•2 years ago
|
Severity: normal → S3
Updated•7 months ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•