Closed Bug 1513445 Opened 3 years ago Closed 2 years ago

Disallow http(s) resources to be loaded into system privileged documents

Categories

(Core :: DOM: Security, enhancement, P2)

Product:
Core
Component:
DOM: Security
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox68 --- fixed

People

(Reporter: freddy, Assigned: freddy)

References

(Depends on 2 open bugs, Regressed 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 files, 3 obsolete files)

Bug 1513445 - Disallow web documents loaded with the SystemPrincipal r=ckerschb
47 bytes, text/x-phabricator-request
Details | Review
Bug 1513445: add tests r=ckerschb
47 bytes, text/x-phabricator-request
Details | Review 
We should not allow top-level documents or subdocuments loaded with the SystemPrincipal to live on the web.
Blocks: 1305331
Bug 1513445 - Disallow web documents loaded with the SystemPrincipal
Pushed to try with the "!xpc::IsInAutomation()" case commented out - otherwise the new codepath is never executed.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=0937c0a71b0fa9c3c8d7a712dda1887c1f4cb74b
Assigning to you Freddy since you already are working on a patch...
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Summary: Disallow web documents loaded with the SystemPrincipal → Disallow http(s) resources to be loaded into system privileged documents
Sorry, I meant to assign this one to you Freddy, not to myself (see comment 5 :-) ).
Assignee: ckerschb → fbraun
Attached file Bug 1513445: add tests (obsolete) —

Depends on D19350

Attachment #9030631 - Attachment is obsolete: true
Keywords: checkin-needed

Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/568de07e5c40
Disallow web documents loaded with the SystemPrincipal r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/499f5b4d205d
add tests r=ckerschb

Keywords: checkin-needed

Depends on D26680

Ah, thanks for the backout. Turns out, that xpcshell tests do not have a profile necessarily.
New revision should be OK, checks whether non-local connections are disabled.

Flags: needinfo?(fbraun)
Keywords: checkin-needed

Pushed by opoprus@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/18f074af5d93
Disallow web documents loaded with the SystemPrincipal r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/59c870edc677
add tests r=ckerschb

Keywords: checkin-needed

https://hg.mozilla.org/mozilla-central/rev/18f074af5d93
https://hg.mozilla.org/mozilla-central/rev/59c870edc677

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox68: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Attachment #9042931 - Attachment is obsolete: true
Attachment #9042932 - Attachment is obsolete: true
Depends on: 1544204
Regressions: 1544204
Regressions: 1544008
Blocks: 1552477
Depends on: 1561310
No longer depends on: 1561310
Depends on: 1561318
Depends on: 1573515
You need to log in before you can comment on or make changes to this bug.