Closed Bug 1525006 Opened 5 years ago Closed 5 years ago

Add a new internal ContentPolicyType for ES6 modules

Categories

(Core :: DOM: Security, enhancement, P2)

Product:
Core
Component:
DOM: Security
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
firefox67 --- fixed

People

(Reporter: evilpie, Assigned: evilpie)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 files)

Bug 1525006 - Add a new internal ContentPolicyType for ES6 modules. r?ckerschb!,jonco
47 bytes, text/x-phabricator-request
Details | Review
Bug 1525006 - Block ES6 modules with wrong MIME type r?ckerschb!,jonco
47 bytes, text/x-phabricator-request
Details | Review

ES6 modules already do a strict JavaScript MIME type check. However that check happens in ScriptLoader, which is the content process. In a post-Spectre world this is insecure, because the resource would already be loaded into the content process. To prevent this we need to block at the nsHTTPChannel level in the parent.

Aside: This is of course sort of pointless as long as a normal <script> still allows almost any MIME type, but I still think this is a useful step.

Yeah, that makes sense to me - thanks!

Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/64ba51db91e8
Add a new internal ContentPolicyType for ES6 modules. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/67ac511f5c6c
Block ES6 modules with wrong MIME type r=ckerschb

https://hg.mozilla.org/mozilla-central/rev/64ba51db91e8
https://hg.mozilla.org/mozilla-central/rev/67ac511f5c6c

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox67: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: