Bug 1423602 - Resource timing violates SOP for font files loaded under "no-cors" CSS
Status: NEW (Open)
Opened 7 years ago; updated 1 year ago
Categories: Core :: Layout, enhancement, P3
People: Reporter: jwatt, Unassigned
Keywords: csectype-disclosure, sec-low
Attachments: 1 obsolete file
Spinning this off from bug 1180145. Style sheets that are loaded by no-cors parent style sheets are now hidden from resource timing reporting. Font files loaded under a no-cors style sheet are not hidden yet though.
There's an exception in dom/tests/mochitest/general/test_resource_timing_nocors.html to ignore the timing entry for the font file for now.
For now I'll leave the sec keywords in place as they were over in bug 1180145. Probably leaking font file URLs isn't as big a concern as leaking style sheet URLs though.
Updated•7 years ago: Priority: -- → P1
Comment 1•7 years ago
Jet: please find appropriate folks to work on these security bugs.
Assignee: nobody → bugs
Comment 2•7 years ago (Reporter)
(In reply to Jonathan Watt [:jwatt] (needinfo? me) from comment #0)
> For now I'll leave the sec keywords in place as they were over in bug
> 1180145. Probably leaking font file URLs isn't as big a concern as leaking
> style sheet URLs though.
I should have been clearer. I don't think this is sec-high, but it's unclear to me that I should be the one to make the decision to change that flag. I would like someone from the sec team to justify why (or at least state) that they think pages being able to see the URLs of the font files being loaded is likely to be a concern in practice. A specific example would be helpful.
It's not that I'm averse to fixing this, but simply that it seems to be low priority to me.
Flags: needinfo?(dveditz)
Updated•7 years ago: Priority: P1 → P3
Comment 3•7 years ago
I think I agree with Jonathan here.
SOP violations are bad generally, but a resource timing attack for non-cors *fonts* is so much of an edge case that it's hard to come up with a scenario where it's really bad.
Given the wideness of the world wide web, there's probably a web page that is affected and for which this is bad.
But at this point, I'd be surprised if we found it :)
Comment 4•7 years ago
Note, it's not non-cors fonts. It's font URLs loaded from a non-cors cross-origin stylesheet. If fonts end up with user-specific URLs (e.g., for copyright reasons) this would be used to determine the user.
Updated•6 years ago: Assignee: bugs → svoisen
Comment 5•6 years ago
I'm trying to land a related WPT[1] and it seems like it sometimes passes, but mostly fails[2].
[1] https://github.com/web-platform-tests/wpt/pull/9307
[2] https://tools.taskcluster.net/groups/KSZfI4TBRc6KDrmK5PmCEA/tasks/dFuzylSpS3W7pbsQFetv0Q/runs/0/logs/public%2Flogs%2Flive.log
Comment 6•6 years ago
Flakiness was eliminated with a longer timeout, as the passes were just cases where the entry wasn't yet added.
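Added example, not code from this bug, from the WPT in comment 5, or from Gecko. It models the check a test (or an attacker's page) would run against Resource Timing after embedding a cross-origin stylesheet in no-cors mode, covering the mechanism in comment 0, the per-user font URL scenario in comment 4, and the false-pass race in comments 5 and 6. The hostnames, the token in the font path, the sample entries and all function names are constructed for this example.

```javascript
// Added example for bug 1423602; not from the bug, the WPT, or Gecko.
// Models a Resource Timing leak check for fonts requested by a cross-origin
// no-cors stylesheet, plus the positive control a negative test needs.
// All URLs, the user token in the font path, and the function names are
// constructed for this example.

// Common web font formats, matched on the URL path only.
const FONT_URL = /\.(?:woff2?|ttf|otf|eot)(?:[?#]|$)/i;

// `entries` are objects shaped like PerformanceResourceTiming (.name, .initiatorType).
// Fonts fetched because of an @font-face rule carry initiatorType "css"; the
// page never requested those URLs itself. `ownFontUrls` holds the font URLs
// the page's own stylesheets reference, so anything left over can only have
// come from a stylesheet the page cannot read: the cross-origin no-cors sheet
// whose subresources the bug says should be hidden. A per-user font URL here
// is the identifier comment 4 warns about.
function leakedFontUrls(entries, ownFontUrls) {
  return entries
    .filter((e) => e.initiatorType === 'css')
    .filter((e) => FONT_URL.test(e.name))
    .filter((e) => !ownFontUrls.has(e.name))
    .map((e) => e.name);
}

// A "no leak" assertion only means something after the request that triggers
// the font loads has been recorded. The <link> stylesheet is requested by the
// page itself, so its entry is always reported and serves as the positive
// control; checking before it appears produces the false passes in comment 6.
function verdict(entries, sheetUrl, ownFontUrls) {
  const controlSeen = entries.some((e) => e.name === sheetUrl);
  if (!controlSeen) {
    return { result: 'inconclusive', leaked: [] };
  }
  const leaked = leakedFontUrls(entries, ownFontUrls);
  return { result: leaked.length === 0 ? 'pass' : 'fail', leaked };
}

// Browser side (needs a DOM; not exercised under Node). Loads the sheet with
// no crossorigin attribute, so it is fetched in no-cors mode, forces a use of
// `fontFamily` so the @font-face src is actually fetched, waits `settleMs`
// (the generous timeout comment 6 mentions, because document.fonts.ready can
// resolve before the fetch has been recorded), then evaluates.
async function checkNoCorsFontLeak(sheetUrl, fontFamily, ownFontUrls, settleMs) {
  const link = document.createElement('link');
  link.rel = 'stylesheet';
  link.href = sheetUrl;
  const loaded = new Promise((resolve) => {
    link.onload = resolve;
    link.onerror = resolve;
  });
  document.head.appendChild(link);
  await loaded;

  const probe = document.createElement('span');
  probe.style.fontFamily = fontFamily;
  probe.textContent = 'probe';
  document.body.appendChild(probe);
  await document.fonts.ready;
  await new Promise((resolve) => setTimeout(resolve, settleMs));

  return verdict(performance.getEntriesByType('resource'), sheetUrl, ownFontUrls);
}

// Constructed sample: what performance.getEntriesByType('resource') might
// contain on a page at https://attacker.example that embedded
// https://victim.example/style.css without CORS. The "u-8f3a2c" token stands
// in for a per-user font URL (comment 4); it is invented for this example.
const SAMPLE_SHEET = 'https://victim.example/style.css';
const SAMPLE_ENTRIES = [
  { name: SAMPLE_SHEET, initiatorType: 'link' },
  { name: 'https://victim.example/fonts/u-8f3a2c.woff2', initiatorType: 'css' },
  { name: 'https://victim.example/img/bg.png', initiatorType: 'css' },
  { name: 'https://attacker.example/own.woff2', initiatorType: 'css' },
  { name: 'https://attacker.example/app.js', initiatorType: 'script' },
];
const OWN_FONTS = new Set(['https://attacker.example/own.woff2']);
```

On the sample, `verdict(SAMPLE_ENTRIES, SAMPLE_SHEET, OWN_FONTS)` reports `fail` with the victim's per-user font URL as the one leaked entry, while the same call on an entry list that does not yet contain the stylesheet entry reports `inconclusive` rather than `pass`; that distinction is what the longer timeout in comment 6 restores.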
Updated•2 years ago: Severity: normal → S3
Comment 7•2 years ago
The bug assignee is inactive on Bugzilla, so the assignee is being reset.
Assignee: sean → nobody
Attachment #9356525 - Attachment is obsolete: true