security.fileuri.strict_origin_policy seems to break quotamanager

RESOLVED FIXED

defect
P2
normal
a year ago
6 months ago

People

(Reporter: overholt, Unassigned)

Tracking

(Blocks 1 bug)

Firefox Tracking Flags

(Not tracked)

Reporter

Description

a year ago
Jeff (CC'd) had security.fileuri.strict_origin_policy set to false (it seems there is some internet advice around this) and at startup got errors related to quotamanager not liking file+++UNIVERSAL_FILE_URI_ORIGIN.

Is this a quotamanager issue or a CAPS issue?
Reporter

Comment 1

a year ago
baku, seems you may have had something to do with this in bug 1347817.
Flags: needinfo?(amarchesini)
I think QM probably needs to handle this.
Reporter

Updated

a year ago
Blocks: 1426119
Reporter

Updated

a year ago
Component: Security: CAPS → DOM: Quota Manager
Moving the NI to janv.
Flags: needinfo?(amarchesini) → needinfo?(jvarga)
Priority: -- → P2
security.fileuri.strict_origin_policy set to false means your entire disk is the same origin, as it was originally. This was an escape valve added when we tightened the policy to "same and sub directories" in case we broke some people's workflows, but it's not a safe setting. If you open a local file with malicious scripts it can now read any sensitive data on your drive.

[In comparison Chrome and Safari one-upped us and make every file: uri a unique origin, which solves some additional security risks our version still has.]
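
A simplified model of the three file: origin policies described in the comment above, added here as an illustration; it is not code from Firefox or from this bug. The policy labels, the `canRead` and `exposure` helpers and the sample paths are assumptions constructed for the example, and the "same and sub directories" rule follows the comment's wording only.

```javascript
// Labels invented for this example; they are not Firefox identifiers.
const POLICIES = ["universal", "same-and-subdirs", "unique-per-file"];

// Return the normalized path of a file: URL. The WHATWG URL parser
// resolves "." and ".." segments, so traversal tricks are collapsed first.
function filePath(url) {
  const u = new URL(url);
  if (u.protocol !== "file:") throw new TypeError(`not a file: URL: ${url}`);
  return u.pathname;
}

// May a script in the document at sourceUrl read the file at targetUrl?
function canRead(policy, sourceUrl, targetUrl) {
  const source = filePath(sourceUrl);
  const target = filePath(targetUrl);
  switch (policy) {
    case "universal": // strict_origin_policy = false: whole disk is one origin
      return true;
    case "same-and-subdirs": { // strict policy as worded in the comment
      const dir = source.slice(0, source.lastIndexOf("/") + 1);
      return target.startsWith(dir);
    }
    case "unique-per-file": // every file: URI is its own origin
      return false;
    default:
      throw new RangeError(`unknown policy: ${policy}`);
  }
}

// For each policy, list which targets the source document can reach.
function exposure(sourceUrl, targets) {
  const result = {};
  for (const p of POLICIES) {
    result[p] = targets.filter((t) => canRead(p, sourceUrl, t));
  }
  return result;
}

// Constructed sample paths, not taken from the bug report.
const DOC = "file:///home/user/Downloads/report/index.html";
const TARGETS = [
  "file:///home/user/Downloads/report/data/table.json", // subdirectory
  "file:///home/user/Downloads/other.html",             // parent directory
  "file:///home/user/Downloads/report/../../private/notes.txt", // traversal
];
console.log(exposure(DOC, TARGETS));
```

With the pref set to false all three sample targets are reachable; under the strict policy only the subdirectory file is, and under a per-file origin none are.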

Updated

10 months ago
Blocks: 1482662

Comment 6

9 months ago
This will be fixed in bug 1286798.
Flags: needinfo?(jvarga)
Depends on: 1286798

Comment 7

6 months ago
Fixed by bug 1286798.

Updated

6 months ago
Status: NEW → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → FIXED