Closed
Bug 1498885
Opened 6 years ago
Closed 6 years ago
Add assertion in ContentSecurityPolicyPermitsJSAction() to not allow eval with SystemPrincipal
Categories
(Core :: DOM: Security, enhancement, P3)
Tracking
RESOLVED
FIXED
mozilla64
| | Tracking | Status |
|---|---|---|
| firefox64 | --- | fixed |
People
(Reporter: vinoth, Assigned: vinoth)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
Eval(), new Function() should never execute with system principal. It is being removed everywhere from our codebase as part of Bug 1473549.
Here an assertion will be added in ContentSecurityPolicyPermitsJSAction() in nsScriptSecurityManager.cpp and a pref will be added to disable the assertion for specific test files.
Updated•6 years ago
Assignee: nobody → cegvinoth
Updated•6 years ago
Whiteboard: [domsecurity-active]
Comment 1•6 years ago
Comment 2•6 years ago
Comment on attachment 9017085 [details]
Bug 1498885 - Assertion added in ContentSecurityPolicyPermitsJSAction() to not allow eval with SystemPrincipal
I added the assertion and prefs to a few test files. The assertion was turned off for now till we fix all the issues.
Please kindly review the patch and let me know if changes are needed.
Try server push for this patch:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=a317eb0aebfc1143c0211a5ab1319b6267d62267
Attachment #9017085 -
Flags: review?(ckerschb)
Updated•6 years ago
Attachment #9017085 -
Flags: review?(ckerschb) → review+
Updated•6 years ago
Keywords: checkin-needed
Pushed by ebalazs@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/237852763567
Assertion added in ContentSecurityPolicyPermitsJSAction() to not allow eval with SystemPrincipal r=ckerschb
Keywords: checkin-needed
Comment 4•6 years ago
bugherder
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox64:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Comment 5•6 years ago
(In reply to Bogdan Tara[:bogdan_tara] from comment #4)
> https://hg.mozilla.org/mozilla-central/rev/237852763567
\o/
Also, please send an email to dev-platform about this. Thanks
Comment 6•6 years ago
(In reply to Kris Maglione [:kmag] from comment #5)
> Also, please send an email to dev-platform about this. Thanks
FWIW, the assertion is not actively firing as of now. Once Bug 1473549 is fixed, we will send an email to dev-platform about those changes.