Closed Bug 1512511 (CVE-2019-11724) Opened Last year Closed 8 months ago

Remove input.mozilla.org from browser/app/permissions

Categories

(Firefox :: General, enhancement, P3)

Tracking

RESOLVED FIXED
Firefox 68
Tracking Status
firefox68 --- fixed

People

(Reporter: freddyb, Assigned: freddyb)

Details

(Keywords: csectype-priv-escalation, sec-low, sec-want, Whiteboard: [adv-main68+])

Attachments

(1 file)

browser/app/permissions gives extra permission "remote-troubleshooting" to input.mozilla.org, which is now redirecting to qsurvey.

We probably do not want to give extra permission to input.m.o.
There are domains that we give extra permissions to.
Those should be hosted and operated by Firefox.
input.mozilla.org isn't and it also doesn't use extra permissions anymore.
Let's remove it.
NB: As a follow-up, I likely want to look at other domains.
Priority: -- → P3
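
An added example, not part of the bug thread or the Firefox patch: a small audit of a default-permissions file against a list of operated hosts, the rule the description above argues for. The tab-separated layout, the `1` allow value, `OPERATED_HOSTS`, the `example.org` entries and `example-permission` are assumptions or constructed sample data; the non-HTTPS check goes beyond what the thread discusses.

```python
"""Audit default permission grants against a list of operated hosts."""
from urllib.parse import urlsplit

# Constructed sample. The layout (match type, permission type, value, origin,
# separated by tabs) is an assumption about the file format, not page content.
SAMPLE = (
    "# comment lines and blank lines are ignored\n"
    "origin\tremote-troubleshooting\t1\thttps://input.mozilla.org\n"
    "origin\tremote-troubleshooting\t1\thttps://support.example.org\n"
    "origin\texample-permission\t1\thttps://www.example.org\n"
    "\n"
    "origin\tremote-troubleshooting\t1\thttp://support.example.org\n"
)

# Hypothetical allow-list: hosts the vendor hosts and operates itself.
OPERATED_HOSTS = {"support.example.org", "www.example.org"}
ALLOW = "1"  # assumed encoding of "allow" in the value column


def parse_grants(text):
    """Yield (line_no, permission_type, origin) for every allow entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"line {line_no}: expected 4 tab-separated fields")
        _match, perm_type, value, origin = fields
        if value == ALLOW:
            yield line_no, perm_type, origin


def audit(text, operated_hosts):
    """Return findings for grants to non-operated hosts or non-HTTPS origins."""
    findings = []
    for line_no, perm_type, origin in parse_grants(text):
        parts = urlsplit(origin)
        if parts.scheme != "https":
            findings.append((line_no, perm_type, origin, "origin is not https"))
        elif parts.hostname not in operated_hosts:  # exact host match only
            findings.append((line_no, perm_type, origin, "host not on operated list"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, OPERATED_HOSTS):
        print(*finding, sep="\t")
```

Run in CI against the shipped file, a non-empty result would block a change that adds or keeps a grant for a host that has left the operated list.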

I swear I asked you this recently but I can't find where I did. What's the state of this bug? Can the patch here just land?

Flags: needinfo?(fbraun)

This bug is on my list, but with a relatively low priority.

According to https://phabricator.services.mozilla.com/D13948#347996, I better add code that makes the pref change for existing profiles, before I land.

Flags: needinfo?(fbraun)

(In reply to Frederik Braun [:freddyb] from comment #4)
> This bug is on my list, but with a relatively low priority.
>
> According to https://phabricator.services.mozilla.com/D13948#347996, I better add code that makes the pref change for existing profiles, before I land.

Hello, I'm an Outreachy applicant, can I help solving this?

Pushed by mozilla@noorenberghe.ca:
https://hg.mozilla.org/integration/mozilla-inbound/rev/41c4503d65cb
Remove extra-privileges for input.mozilla.org. r=Gijs,MattN

(In reply to Carolina Jimenez Gomez from comment #5)
> (In reply to Frederik Braun [:freddyb] from comment #4)
> > This bug is on my list, but with a relatively low priority.
> >
> > According to https://phabricator.services.mozilla.com/D13948#347996, I better add code that makes the pref change for existing profiles, before I land.
>
> Hello, I'm an Outreachy applicant, can I help solving this?

I just landed this existing patch and will file a follow-up to remove the existing stored permissions. You can work on that one.

Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 68
Whiteboard: [adv-main68+]
Alias: CVE-2019-11724
Duplicate of this bug: 1321708