Open Bug 1369029 Opened 3 years ago Updated 2 months ago

Consider blocking requests to HTTP(S) URLs that contain both `\n` and `<` characters.

Categories

(Core :: Networking, enhancement, P3)

enhancement

Tracking

()

People

(Reporter: mkwst, Assigned: valentin)

Details

(Whiteboard: [necko-active])

In the hopes of mitigating one form of dangling-markup-based exfiltration, Blink plans to block requests whose URLs contained both removable whitespace (`\n`, `\r`, `\t`) _and_ raw less-than (`<`) characters. https://github.com/whatwg/fetch/issues/546 lays out the strategy and justification in more detail, proposed patches to URL and Fetch are up for review at https://github.com/whatwg/url/pull/284 and https://github.com/whatwg/fetch/pull/519 respectively, and Blink's "Intent to Remove" might be helpful: https://groups.google.com/a/chromium.org/d/msg/blink-dev/KaA_YNOlTPk/VmmoV88xBgAJ.

WDYT?
This seems like a very good idea, with clear security benefits.
I'll get started on a patch in a couple of weeks.
Assignee: nobody → valentin.gosu
Whiteboard: [necko-active]
Bulk priority update: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Priority: P1 → P2
Moving to p3 because no activity for at least 1 year(s).
See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
You need to log in before you can comment on or make changes to this bug.