Closed Bug 1521794 Opened 5 years ago Closed 5 years ago

Disallow web documents loaded from the parent process

Categories

(Core :: DOM: Security, enhancement, P2)

RESOLVED DUPLICATE of bug 1560178

People

(Reporter: freddy, Assigned: freddy)

Details

(Keywords: sec-want, Whiteboard: [domsecurity-active])

Attachments

(3 files)

This is a potential follow-up of bug 1513445:
One could disallow documents being loaded from the parent process.

Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Keywords: sec-want

Attaching wip patch for visibility, not ready for review yet.

Pushed to try to admire all the failures: https://treeherder.mozilla.org/#/jobs?repo=try&revision=24eb257311e8f645b96a3e59103ad03c784b959d

Looks like we need to either find an additional carve-out for WebDriver & Marionette tests or teach them to flip the "MOZ_DISABLE_NONLOCAL_CONNECTIONS" variable.

They all talk to http://127.0.0.1, so it's not like the document being loaded is technically "remote". But doing a host/ip check in the assertion seems not advisable if it can benefit from the existing carve-out.

Another attempt. Let's hope I found the right place to set the MOZ_DISABLE_NONLOCAL_CONNECTIONS environment variable.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=95d83a96967c3298d5324c73f9a8ccc61d95aff1

Depends on D26703

Depends on D26875

Why in particular are you checking for remote loads in the parent process vs. on the system principal in all processes? :)

The System Principal has privileges beyond origins regardless of the process type. So the other bug (bug 1513445) was about the Chrome/Content boundary.

This bug is about the Child/Parent boundary. Similar check (so I hoped), but different security boundary. Does that make sense?

This is btw blocked on required infrastructure in how we deserialize loadInfo in the parent, so we can figure out which process type a load comes from. ckerschb intends to file a bug and mark it as blocking soon.

Marking this new, to show the work has not started yet (waiting for ckerschb to file his blocking bug nudge)

Status: ASSIGNED → NEW

(In reply to Frederik Braun [:freddyb] (PTO July 8th to 29th) from comment #8)

> The System Principal has privileges beyond origins regardless of the process type. So the other bug (bug 1513445) was about the Chrome/Content boundary.
>
> This bug is about the Child/Parent boundary. Similar check (so I hoped), but different security boundary. Does that make sense?

Oh, I see, I forgot about bug 1513445, thanks!

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE