Open Bug 1500953 Opened 6 years ago Updated 2 years ago

ShowCanvasPermissionPrompt allows permission prompt to be applied to another origin

Categories

(Core :: DOM: Security, enhancement, P5)

Tracking

Fission Milestone Future

People

(Reporter: tjr, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog3])

In PBrowser, ShowCanvasPermissionPrompt accepts a URI that will be used to store a permission (if granted).  A Rogue Content Process could supply a fake URI and the user could be confused (since the prompt should show the fake URI, but be shown on a real tab).

We should validate that the URI that comes from the Content Process matches the origins the content process is hosting.
Whiteboard: [domsecurity-backlog3]
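
The parent-side check proposed in the report, sketched as an added example (not Gecko code and not written by anyone on this bug): the parent records which origins it loaded into each content process and refuses a prompt request whose URI has any other origin. `Origin`, `ParseOrigin`, `HostedOrigins` and the integer process ids are hypothetical names, and the parser is a simplified stand-in for a real URL parser.

```cpp
// Added illustration, not Gecko code: every type and function name here is hypothetical.
#include <map>
#include <set>
#include <string>
#include <tuple>

// An origin is the (scheme, host, port) triple; path and query play no part.
typedef std::tuple<std::string, std::string, int> Origin;

// Simplified parser; rejects userinfo and unknown syntax, case-sensitive (fails closed).
bool ParseOrigin(const std::string& uri, Origin& out) {
  auto sep = uri.find("://");
  if (sep == std::string::npos) return false;
  std::string scheme = uri.substr(0, sep);
  if (scheme != "http" && scheme != "https") return false;
  std::string auth = uri.substr(sep + 3);
  auth = auth.substr(0, auth.find_first_of("/?#"));
  if (auth.find('@') != std::string::npos) return false;
  auto colon = auth.find(':');
  std::string host = auth.substr(0, colon);
  int port = scheme == "https" ? 443 : 80;
  if (colon != std::string::npos) {
    std::string p = auth.substr(colon + 1);
    if (p.empty() || p.size() > 5) return false;
    if (p.find_first_not_of("0123456789") != std::string::npos) return false;
    port = std::stoi(p);
    if (port < 1 || port > 65535) return false;
  }
  if (host.empty()) return false;
  out = std::make_tuple(scheme, host, port);
  return true;
}

// Parent-side record of the origins the parent itself loaded into each process.
class HostedOrigins {
  std::map<int, std::set<Origin>> byProcess_;
 public:
  void Assign(int processId, const std::string& uri) {
    Origin o;
    if (ParseOrigin(uri, o)) byProcess_[processId].insert(o);
  }
  // Honour a prompt request only when the claimed URI's origin is one the
  // parent assigned to the sending process; everything else is refused.
  bool MayPromptFor(int processId, const std::string& claimedUri) const {
    Origin o;
    auto it = byProcess_.find(processId);
    return it != byProcess_.end() && ParseOrigin(claimedUri, o) && it->second.count(o) > 0;
  }
};
```

The decision uses only state the parent built itself, so a compromised child cannot widen its own set of origins by what it sends.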

This bug is not a Fission MVP blocker.

Fission Milestone: --- → Future
Severity: normal → S3