Closed
Bug 1505640
Opened 6 years ago
Closed 6 years ago
Investigate potential misuse of SystemPrincipal in the download manager
Categories
(Core :: DOM: Security, defect, P2)
Core
DOM: Security
Tracking
()
RESOLVED
DUPLICATE
of bug 1507773
People
(Reporter: francois, Assigned: jkt)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
The download manager appears to be using a SystemPrincipal in the channel that actually downloads the remote file: https://searchfox.org/mozilla-central/rev/39cb1e96cf97713c444c5a0404d4f84627aee85d/toolkit/components/downloads/DownloadCore.jsm#1905
|
||
Comment 1•6 years ago
|
||
Jonathan, I think francois is right, that URI can potentially be influenced by web content. Can you take a look if we can use a better triggeringPrincipal?
Blocks: require-triggering-principal
Flags: needinfo?(jkt)
|
|
||
Updated•6 years ago
|
Assignee: nobody → ckerschb
Priority: -- → P2
Whiteboard: [domsecurity-active]
|
|
||
Comment 2•6 years ago
|
||
Actually wanted to assign this one to :jkt not me :-)
Assignee: ckerschb → jkt
|
Assignee | |
Comment 3•6 years ago
|
||
Marking as a duplicate of Bug 1507773 as that work is needed to fix this one line.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jkt)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•