Disallow web documents loaded from the parent process
Categories
(Core :: DOM: Security, enhancement, P2)
People
(Reporter: freddy, Assigned: freddy)
Details
(Keywords: sec-want, Whiteboard: [domsecurity-active])
Attachments
(3 files)
This is a potential follow-up of bug 1513445:
One could disallow documents being loaded from the parent process.
Comment 1•5 years ago
Comment 2•5 years ago
Attaching wip patch for visibility, not ready for review yet.
Pushed to try to admire all the failures: https://treeherder.mozilla.org/#/jobs?repo=try&revision=24eb257311e8f645b96a3e59103ad03c784b959d
Comment 3•5 years ago
Looks like we need to either find an additional carve-out for WebDriver & Marionette tests or teach them to flip the "MOZ_DISABLE_NONLOCAL_CONNECTIONS" variable.
They all talk to http://127.0.0.1, so it's not like the document being loaded is technically "remote". But doing a host/ip check in the assertion seems not advisable if it can benefit from the existing carve-out.
Comment 4•5 years ago
Another attempt. Let's hope I found the right place to set the MOZ_DISABLE_NONLOCAL_CONNECTIONS environment variable.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=95d83a96967c3298d5324c73f9a8ccc61d95aff1
Comment 5•5 years ago
Depends on D26703
Comment 6•5 years ago
Depends on D26875
Comment 7•5 years ago
Why in particular are you checking for remote loads in the parent process vs. on the system principal in all processes? :)
Comment 8•5 years ago
The System Principal has privileges beyond origins regardless of the process type. So the other bug (bug 1513445) was about the Chrome/Content boundary.
This bug is about the Child/Parent boundary. Similar check (so I hoped), but different security boundary. Does that make sense?
Comment 9•5 years ago
This is btw blocked on required infrastructure in how we deserialize loadInfo in the parent, so we can figure out which process type a load comes from. ckerschb intends to file a bug and mark it as blocking soon.
Comment 10•5 years ago
Marking this new, to show the work has not started yet (waiting for ckerschb to file his blocking bug nudge)
Comment 11•5 years ago
> (In reply to Frederik Braun [:freddyb] (PTO July 8th to 29th) from comment #8)
> The System Principal has privileges beyond origins regardless of the process type. So the other bug (bug 1513445) was about the Chrome/Content boundary.
> This bug is about the Child/Parent boundary. Similar check (so I hoped), but different security boundary. Does that make sense?
Oh, I see, I forgot about bug 1513445, thanks!