Open Bug 1423602 Opened 7 years ago Updated 7 months ago

Resource timing violates SOP for font files loaded under "no-cors" CSS

Categories

(Core :: Layout, enhancement, P3)

People

(Reporter: jwatt, Unassigned)

Details

(Keywords: csectype-disclosure, sec-low)

Attachments

(1 obsolete file)

Spinning this off from bug 1180145. Style sheets that are loaded by no-cors parent style sheets are now hidden from resource timing reporting. Font files loaded under a no-cors style sheet are not hidden yet though.

There's an exception in dom/tests/mochitest/general/test_resource_timing_nocors.html to ignore the timing entry for the font file for now.

For now I'll leave the sec keywords in place as they were over in bug 1180145. Probably leaking font file URLs isn't as big a concern as leaking style sheet URLs though.
Priority: -- → P1
Jet: please find appropriate folks to work on these security bugs.
Assignee: nobody → bugs
(In reply to Jonathan Watt [:jwatt] (needinfo? me) from comment #0)
> For now I'll leave the sec keywords in place as they were over in bug
> 1180145. Probably leaking font file URLs isn't as big a concern as leaking
> style sheet URLs though.

I should have been clearer. I don't think this is sec-high, but it's unclear to me that I should be the one to make the decision to change that flag. I would like someone from the sec team to justify why (or at least state) that they think pages being able to see the URLs of the font files being loaded is likely to be a concern in practice. A specific example would be helpful.

It's not that I'm averse to fixing this, but simply that it seems to be low priority to me.
Flags: needinfo?(dveditz)
Priority: P1 → P3
I think I agree with Jonathan here.

SOP violations are bad generally, but a resource timing attack for non-cors *fonts* is so much of an edge case that it's hard to come up with a scenario where it's really bad.
Given the wideness of the world wide web, there's probably a web page that is affected and for which this is bad.
But at this point, I'd be surprised if we found it :)
Flags: needinfo?(dveditz)
Keywords: sec-high → sec-low
Note, it's not non-cors fonts. It's font URLs loaded from a non-cors cross-origin stylesheet. If fonts end up with user-specific URLs (e.g., for copyright reasons) this would be used to determine the user.
Assignee: bugs → svoisen
Flakiness was eliminated with a longer timeout, as the passes were just cases where the entry wasn't yet added.
Severity: normal → S3

The bug assignee is inactive on Bugzilla, so the assignee is being reset.

Assignee: sean → nobody
Attachment #9356525 - Attachment is obsolete: true