Open
Bug 1490124
Opened 6 years ago
Updated 2 years ago
Predictor Engine can be primed by rogue Content Process
Categories: Core :: Networking (enhancement, P3)
Tracking: Status NEW; Fission Milestone: Future
People: Reporter: tjr; Assignee: Unassigned
References: Depends on 1 open bug, Blocks 1 open bug
Details: Whiteboard: [necko-triaged]
In https://searchfox.org/mozilla-central/source/netwerk/ipc/PNecko.ipdl the child provides URIs and originAttributes to the Parent Process in PredPredict and PredLearn which are then fed into the Predictor Engine without being validated. A rogue Content Process could lie about these values and cause predictor entries to be stored for the wrong OA or cache key, which can cause user identities to be linked across Containers/FPI. I haven't fully explored the implications of this; it's possible other bad things could happen. We should double-check the supplied values from the content process and validate that the values are allowed by the Content Process that supplied them.
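One way the parent could enforce the check the description asks for, as an added example that is not part of the bug report and is not Gecko code. The class, its method names and the per-process grant table are hypothetical, and the sketch covers only the origin attributes, not URI validation.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <tuple>

// Simplified stand-in for origin attributes: container id + first-party domain.
struct OriginAttrs {
  uint32_t userContextId;
  std::string firstPartyDomain;
  bool operator<(const OriginAttrs& o) const {
    return std::tie(userContextId, firstPartyDomain) <
           std::tie(o.userContextId, o.firstPartyDomain);
  }
};

// Hypothetical parent-side state: the origin attributes the parent itself
// assigned to each content process when it loaded documents into it.
class ParentPredictorGate {
 public:
  void GrantToProcess(int childId, const OriginAttrs& oa) {
    granted_[childId].insert(oa);
  }
  void ProcessGone(int childId) { granted_.erase(childId); }

  // Handles a PredLearn/PredPredict-style message. The claimed attributes
  // come from the child and are untrusted; only parent-recorded grants count.
  bool RecvLearn(int childId, const std::string& uri, const OriginAttrs& claimed) {
    auto it = granted_.find(childId);
    if (it == granted_.end() || it->second.count(claimed) == 0) {
      ++rejected_;  // caller should treat this as an IPC protocol error
      return false;
    }
    learned_[claimed].insert(uri);  // stored only under a validated key
    return true;
  }

  std::size_t EntriesFor(const OriginAttrs& oa) const {
    auto it = learned_.find(oa);
    return it == learned_.end() ? 0 : it->second.size();
  }
  unsigned rejected() const { return rejected_; }

 private:
  std::map<int, std::set<OriginAttrs>> granted_;
  std::map<OriginAttrs, std::set<std::string>> learned_;
  unsigned rejected_ = 0;
};
```

The same gate would apply to the other child-supplied messages named in the comments (SpeculativeConnect, HTMLDNSPrefetch, CancelHTMLDNSPrefetch).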
Comment 1 • 6 years ago (Reporter)
SpeculativeConnect too
Updated • 6 years ago (Reporter)
Depends on: fission-ipc-map
Updated • 6 years ago
Priority: -- → P3
Whiteboard: [necko-triaged]
Comment 2 • 6 years ago (Reporter)
HTMLDNSPrefetch & CancelHTMLDNSPrefetch I believe also.
Updated • 2 years ago
Severity: normal → S3