Closed Bug 1399803 Opened 2 years ago Closed 2 months ago

isSecureContext is false for 127.0.0.2, should be true

Categories

(Core :: DOM: Security, defect, P3)

defect

Tracking

()

RESOLVED FIXED
mozilla70
Tracking Status
firefox70 --- fixed

People

(Reporter: freddyb, Assigned: ehsan)

References

Details

(Whiteboard: [domsecurity-backlog2])

Attachments

(1 file)

STR:
0) listen on localhost on e.g., linux
1) Go to http://127.0.0.2/ (which is also localhost)
2) verify that isSecureContext in false in JS via Developer tools

Spec said 127.0.0.1/8 should all be secure, see step 4 of
https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy


Our code only does a string match at <https://hg.mozilla.org/mozilla-central/annotate/f9a5e9ed62103c84e4cde915f4d08f1ce71be83e/dom/security/nsContentSecurityManager.cpp#l804>, when in fact it should either do a CIDR match and check for the whole /8 address space (i.e., every IP that starts with '127.').

Chrome does this by first checking whether it's a valid IPv4 address (and not something like 127.evil.com) and then makes sure it's first octet is 127.
See https://cs.chromium.org/chromium/src/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp?l=400&rcl=ee63a5ba7429ec1acffb4031c75937afff628068

(This is not a security bug, as this is all about localhost only)
Component: Security → DOM: Security
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
Duplicate of this bug: 1576879
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0c68a3df6ebd
Consider all IPv4 loopback addresses as secure context; r=bzbarsky,dragana
Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
You need to log in before you can comment on or make changes to this bug.