Closed Bug 1436128 Opened 6 years ago Closed 6 years ago

security.fileuri.strict_origin_policy seems to break quotamanager

Categories

(Core :: Storage: Quota Manager, defect, P2)

RESOLVED FIXED

People

(Reporter: overholt, Unassigned)

References

(Blocks 1 open bug)

Details

Jeff (CCd) had security.fileuri.strict_origin_policy set to false (it seems there is some internet advice around this) and at startup got errors related to quotamanager not liking file+++UNIVERSAL_FILE_URI_ORIGIN.

Is this a quotamanager issue or a CAPS issue?
baku, seems you may have had something to do with this in bug 1347817.
Flags: needinfo?(amarchesini)
I think QM probably needs to handle this.
Blocks: 1426119
Component: Security: CAPS → DOM: Quota Manager
Moving the NI to janv.
Flags: needinfo?(amarchesini) → needinfo?(jvarga)
Priority: -- → P2
security.fileuri.strict_origin_policy set to false means your entire disk is the same origin, as it was originally. This was an escape valve added when we tightened the policy to "same and sub directories" in case we broke some people's workflows, but it's not a safe setting. If you open a local file with malicious scripts it can now read any sensitive data on your drive.

[In comparison Chrome and Safari one-upped us and make every file: URI a unique origin, which solves some additional security risks our version still has.]
Blocks: 1482662
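A simplified model of the three file: origin policies described in the comment above, as an added example that is not part of the bug thread or of any browser's code. The policy names, `canRead` and the sample paths are constructed for illustration, and the unique-origin case is modelled as "only the document itself".

```javascript
// Simplified model of the file: origin policies described in the comment above.
// Policy names and sample paths are constructed; this is not browser source code.

// Parse a file: URL; the URL parser resolves "." and ".." path segments.
function filePath(fileUrl) {
  const u = new URL(fileUrl);
  if (u.protocol !== 'file:') throw new TypeError('not a file: URL: ' + fileUrl);
  return u.pathname;
}

// Directory of a path, with trailing slash so "/a/page/" never matches "/a/page-old/".
function dirOf(path) {
  return path.slice(0, path.lastIndexOf('/') + 1);
}

const POLICIES = {
  // security.fileuri.strict_origin_policy = false: the whole disk is one origin.
  wholeDisk: () => true,
  // strict_origin_policy = true: "same and sub directories" of the loading document.
  sameOrSubdir: (doc, target) => target.startsWith(dirOf(doc)),
  // Every file: URI is a unique origin (assumption: modelled as self-only).
  uniquePerFile: (doc, target) => doc === target,
};

// May a script in the local document docUrl read targetUrl under the given policy?
function canRead(policy, docUrl, targetUrl) {
  if (!Object.prototype.hasOwnProperty.call(POLICIES, policy)) {
    throw new RangeError('unknown policy: ' + policy);
  }
  return POLICIES[policy](filePath(docUrl), filePath(targetUrl));
}

// Constructed sample: a downloaded page and three files it might try to read.
const DOC = 'file:///home/user/Downloads/page/index.html';
const TARGETS = [
  'file:///home/user/Downloads/page/data/table.json',         // subdirectory
  'file:///home/user/Downloads/page-old/notes.txt',           // sibling sharing a prefix
  'file:///home/user/Downloads/page/../../Documents/tax.pdf', // ".." leaves the directory
];

// One row per target, columns in the order wholeDisk, sameOrSubdir, uniquePerFile.
function report() {
  return TARGETS.map((t) => Object.keys(POLICIES).map((p) => canRead(p, DOC, t)));
}

console.log(report());
```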
This will be fixed in bug 1286798.
Flags: needinfo?(jvarga)
Depends on: 1286798
Fixed by bug 1286798.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED