Add assertion in ContentSecurityPolicyPermitsJSAction() to not allow eval with SystemPrincipal

RESOLVED FIXED in Firefox 64

Status

()

enhancement
P3
normal
RESOLVED FIXED
8 months ago
8 months ago

People

(Reporter: vinoth, Assigned: vinoth)

Tracking

(Blocks 1 bug)

unspecified
mozilla64
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox64 fixed)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 attachment)

Eval(), new Function() should never execute with system principal.It is being removed everywhere from our codebase as part of Bug 1473549.

Here assertion will be added in ContentSecurityPolicyPermitsJSAction() in nsScriptSecurityManager.cpp and a pref will be added to disable the assertion for specific test files.
Assignee

Updated

8 months ago
Assignee: nobody → cegvinoth
Whiteboard: [domsecurity-active]
Comment on attachment 9017085 [details]
Bug 1498885 - Assertion added in ContentSecurityPolicyPermitsJSAction() to not allow eval with SystemPrincipal

I added the assertion and prefs to few test files. Assertion was turned off for now till we fix all the issues.
Please kindly review the patch and let me know if changes are needed.
Try server push for this patch,
https://treeherder.mozilla.org/#/jobs?repo=try&revision=a317eb0aebfc1143c0211a5ab1319b6267d62267
Attachment #9017085 - Flags: review?(ckerschb)
Attachment #9017085 - Flags: review?(ckerschb) → review+
Assignee

Updated

8 months ago
Keywords: checkin-needed

Comment 3

8 months ago
Pushed by ebalazs@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/237852763567
Assertion added in ContentSecurityPolicyPermitsJSAction() to not allow eval with SystemPrincipal r=ckerschb
Keywords: checkin-needed
Depends on: 1399997

Comment 4

8 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/237852763567
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
(In reply to Bogdan Tara[:bogdan_tara] from comment #4)
> https://hg.mozilla.org/mozilla-central/rev/237852763567

\o/

Also, please send an email to dev-platform about this. Thanks
(In reply to Kris Maglione [:kmag] from comment #5)
> Also, please send an email to dev-platform about this. Thanks

FWIW, the assertion is not actively firing as of now. Once Bug 1473549 is fixed, we will send an email to dev-platform about those changes.
You need to log in before you can comment on or make changes to this bug.