Bug 1490049 - The URL field of a StorageEvent can be forged by a rogue content process
Opened 6 years ago, updated 2 years ago
Status: NEW
Product / Component: Core :: Storage: localStorage & sessionStorage (enhancement, P5)
Fission Milestone: Future
Reporter: tjr; Assignee: Unassigned
References: Depends on 1 open bug, Blocks 1 open bug
Details
A storage event has a URL argument specifying 'The URL of the document whose key changed.': https://developer.mozilla.org/en-US/docs/Web/API/StorageEvent
When a StorageEvent occurs, we follow the flow in https://searchfox.org/mozilla-central/source/dom/storage/PBackgroundLocalStorageCache.ipdl of calling Notify on the Parent, and the Parent calls Observe on all the appropriate children.
The Parent correctly propagates all relevant security information via PrincipalInfo and privateBrowsingId. The URL (documentURI) is strictly used for the StorageEvent object and not used in any code.
However, it may be forged to be any value (including a different domain) by a rogue content process. If future code used the URL for security checks, it could be tricked.
I'd recommend verifying that the URL is a permissible value according to the PrincipalInfo that is retrieved in the RecvNotify function. This is low priority.
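As an added example (not Gecko's own code, which works with nsIURI and nsIPrincipal objects), this is the origin check the report recommends for RecvNotify: a toy parser extracts the origin of the forwarded documentURI and the parent refuses to propagate the event unless that origin matches the sender's principal. The Origin and PrincipalInfo structs and the sample principal are constructed stand-ins.

```cpp
#include <cctype>
#include <cstdio>
#include <optional>
#include <string>
// Origin tuple a content principal is keyed on (hypothetical stand-in, not Gecko's nsIPrincipal).
struct Origin { std::string scheme; std::string host; int port; };
struct PrincipalInfo { Origin origin; };
static std::string ToLower(std::string s) {
  for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return s;
}
// Toy parser for "scheme://[userinfo@]host[:port]/..." (not nsIURI); nullopt on malformed input.
static std::optional<Origin> ParseOrigin(const std::string& url) {
  const size_t npos = std::string::npos;
  size_t schemeEnd = url.find("://");
  if (schemeEnd == npos || schemeEnd == 0) return std::nullopt;
  std::string scheme = ToLower(url.substr(0, schemeEnd));
  size_t authStart = schemeEnd + 3;
  size_t authEnd = url.find_first_of("/?#", authStart);
  std::string authority = url.substr(authStart, authEnd == npos ? npos : authEnd - authStart);
  size_t at = authority.rfind('@');  // drop userinfo so "a.com@evil" is attributed to "evil"
  if (at != npos) authority = authority.substr(at + 1);
  int port = -1;
  size_t colon = authority.rfind(':');
  if (colon != npos && authority.find(']', colon) == npos) {  // ':' inside [IPv6] is not a port
    std::string p = authority.substr(colon + 1);
    if (p.empty() || p.size() > 5) return std::nullopt;
    for (char c : p) if (!std::isdigit(static_cast<unsigned char>(c))) return std::nullopt;
    port = std::stoi(p);
    if (port > 65535) return std::nullopt;
    authority = authority.substr(0, colon);
  }
  if (authority.empty()) return std::nullopt;
  if (port == -1) port = (scheme == "http") ? 80 : (scheme == "https") ? 443 : -1;
  return Origin{scheme, ToLower(authority), port};
}
// The check the bug asks for: the parent only forwards a documentURI whose origin matches the
// sender's PrincipalInfo, so a rogue content process cannot label the event with another site.
bool IsPermissibleDocumentURI(const PrincipalInfo& sender, const std::string& documentURI) {
  std::optional<Origin> o = ParseOrigin(documentURI);
  if (!o) return false;
  const Origin& p = sender.origin;
  return o->scheme == p.scheme && o->host == p.host && o->port == p.port;
}
int main() {
  PrincipalInfo sender{Origin{"https", "example.com", 443}};  // constructed sample principal
  std::printf("own page: %d\n", IsPermissibleDocumentURI(sender, "https://example.com/app"));
  std::printf("forged:   %d\n", IsPermissibleDocumentURI(sender, "https://other.example/app"));
}
```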
Updated 6 years ago: Priority: -- → P5
Updated 6 years ago: Depends on: fission-ipc-map
Updated 2 years ago: Severity: normal → S3