Closed Bug 1477070 Opened 5 years ago Closed 4 years ago
Identity in Gecko View Progress may need additional state check
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0 Build ID: 20180605171542 Steps to reproduce: This potential code issue was identified in a code review of https://bugzilla.mozilla.org/show_bug.cgi?id=1475647 The function currently checks against STATE_IS_BROKEN and returns insecure result. It may also need to check against STATE_IS_INSECURE. Otherwise a null exception may occur below trying to access attributes of secInfo.
I'm assigning a component, based on the bug mentioned in the description.
Component: Untriaged → Security: PSM
Product: Firefox → Core
Component: Security: PSM → GeckoView
Product: Core → Firefox for Android
4 years ago
Attachment #9020832 - Flags: review?(snorp) → review+
Pushed by email@example.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/db4262ced509 Add STATE_IS_INSECURE check to checkIdentity in GeckoViewProgress.jsm r=snorp
Is this something we should consider backporting to 64 or can it ride the trains?
Comment on attachment 9020832 [details] [diff] [review] Add STATE_IS_INSECURE check [Beta/Release Uplift Approval Request] Feature/Bug causing the regression: None User impact if declined: GeckoView apps will potentially mis-report a site's security status in some circumstances. Is this code covered by automated tests?: No Has the fix been verified in Nightly?: No Needs manual test from QE?: No If yes, steps to reproduce: List of other uplifts needed: None Risk to taking this patch: Low Why is the change risky/not risky? (and alternatives if risky): It's very low risk as it simply adds an additional check on the state of the web progress listener that should have been there in the first place. String changes made/needed: None.
Attachment #9020832 - Flags: approval-mozilla-beta?
Comment on attachment 9020832 [details] [diff] [review] Add STATE_IS_INSECURE check [Triage Comment] Avoids GeckoView apps potentially mis-reporting a site's security status. Approved for 64.0b7.
Attachment #9020832 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.