Open Bug 1510585 Opened 6 years ago Updated 2 years ago

Audit the places where null principal is used as triggeringPrincipal

Categories

(Core :: DOM: Security, enhancement, P3)

People

(Reporter: kershaw, Unassigned)

Details

(Whiteboard: [domsecurity-backlog1])

The problem with the null principal is that when a document is loaded with a null triggeringPrincipal, NS_IsSameSiteForeign could return a wrong result.

The details of the code are at [1]. A channel would be determined as foreign if a null principal URI (moz-nullprincipal:{xxxx}) is used in IsThirdPartyChannel.

In bug 1490257, there are some places where null principal is used. I think we need to see if this could cause other problems.


[1] https://searchfox.org/mozilla-central/rev/0859e6b10fb901875c80de8f8fc33cbb77b2505e/netwerk/base/nsNetUtil.cpp#2176-2198
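
The behaviour described in the comment above, as a simplified model added here (it is not Gecko code and not part of the original report). All function and struct names are hypothetical, the URIs are constructed samples, and the "last two labels" base-domain rule is an assumption standing in for a real Public Suffix List lookup.

```cpp
// Simplified model of the check described in this bug. Not Gecko code:
// every name below is hypothetical and the URIs are constructed samples.
#include <iostream>
#include <string>

// moz-nullprincipal:{uuid} has no "//host" authority, so it yields no host.
std::string HostOf(const std::string& uri) {
  auto p = uri.find("://");
  if (p == std::string::npos) return "";
  auto end = uri.find_first_of("/:?#", p + 3);
  return uri.substr(p + 3, end == std::string::npos ? end : end - (p + 3));
}

// Assumption: "last two labels" stands in for a Public Suffix List lookup.
std::string BaseDomainOf(const std::string& uri) {
  std::string host = HostOf(uri);
  auto last = host.rfind('.');
  if (last == std::string::npos || last == 0) return host;
  auto prev = host.rfind('.', last - 1);
  return prev == std::string::npos ? host : host.substr(prev + 1);
}

struct DocumentLoad {
  std::string channelUri;              // what is being loaded
  std::string triggeringPrincipalUri;  // who asked for the load
};

// Audit helper: flags loads whose triggering principal is a null principal.
bool IsNullPrincipalUri(const std::string& uri) {
  return uri.rfind("moz-nullprincipal:", 0) == 0;
}

// Foreign when either side has no base domain or the base domains differ.
bool IsSameSiteForeign(const DocumentLoad& load) {
  std::string a = BaseDomainOf(load.channelUri);
  std::string b = BaseDomainOf(load.triggeringPrincipalUri);
  return a.empty() || b.empty() || a != b;
}

int main() {
  DocumentLoad sameSite{"https://example.com/account", "https://www.example.com/"};
  DocumentLoad nullTrig{"https://example.com/account", "moz-nullprincipal:{constructed-uuid}"};
  std::cout << IsSameSiteForeign(sameSite) << ' ' << IsSameSiteForeign(nullTrig)
            << ' ' << IsNullPrincipalUri(nullTrig.triggeringPrincipalUri) << '\n';
}
```

In this model the same target URI flips from same-site to foreign purely because the triggering principal carries a moz-nullprincipal: URI, which is why each call site that passes a null principal needs to be checked individually.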
Blocks: 1490257
Priority: -- → P3
See Also: → 1478280
Whiteboard: [domsecurity-backlog1]
Severity: normal → S3