Disallow http(s) resources to be loaded into system privileged documents

RESOLVED FIXED in Firefox 68

Status


enhancement
P2
normal
RESOLVED FIXED
6 months ago
Last month

People

(Reporter: freddyb, Assigned: freddyb)

Tracking

(Depends on 2 bugs, Blocks 1 bug, Regressed 1 bug)

unspecified
mozilla68
Points:
---

Firefox Tracking Flags

(firefox68 fixed)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 attachments, 3 obsolete attachments)


Description

6 months ago
We should not allow top-level documents or subdocuments loaded with the SystemPrincipal to live on the web.

Updated

6 months ago
Blocks: 1305331

Comment 2

6 months ago
Bug 1513445 - Disallow web documents loaded with the SystemPrincipal

Comment 4

6 months ago
Pushed to try with the "!xpc::IsInAutomation()" case commented out - otherwise the new codepath is never executed.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=0937c0a71b0fa9c3c8d7a712dda1887c1f4cb74b
Assigning to you Freddy since you already are working on a patch...
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Summary: Disallow web documents loaded with the SystemPrincipal → Disallow http(s) resources to be loaded into system privileged documents
Sorry, I meant to assign this one to you Freddy, not to myself (see comment 5 :-) ).
Assignee: ckerschb → fbraun

Comment 8

4 months ago
Posted file Bug 1513445: add tests (obsolete)

Depends on D19350

Attachment #9030631 - Attachment is obsolete: true

Updated

2 months ago
Keywords: checkin-needed

Comment 9

2 months ago

Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/568de07e5c40
Disallow web documents loaded with the SystemPrincipal r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/499f5b4d205d
add tests r=ckerschb

Keywords: checkin-needed

Comment 12

2 months ago

Depends on D26680


Comment 13

2 months ago

Ah, thanks for the backout. Turns out that xpcshell tests do not necessarily have a profile.
The new revision should be OK; it checks whether non-local connections are disabled.

Flags: needinfo?(fbraun)

Updated

2 months ago
Keywords: checkin-needed

Comment 15

2 months ago

Pushed by opoprus@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/18f074af5d93
Disallow web documents loaded with the SystemPrincipal r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/59c870edc677
add tests r=ckerschb

Keywords: checkin-needed

Comment 16

2 months ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

Updated

2 months ago
Attachment #9042931 - Attachment is obsolete: true

Updated

2 months ago
Attachment #9042932 - Attachment is obsolete: true

Updated

2 months ago
Depends on: 1544204
Regressions: 1544204
Regressions: 1544008

Updated

Last month
Blocks: 1552477