Closed
Bug 1525006
Opened 5 years ago
Closed 5 years ago
Add a new internal ContentPolicyType for ES6 modules
Categories
(Core :: DOM: Security, enhancement, P2)
Tracking
()
RESOLVED
FIXED
mozilla67
Tracking | Status | |
---|---|---|
firefox67 | --- | fixed |
People
(Reporter: evilpie, Assigned: evilpie)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
Attachments
(2 files)
ES6 modules already do a strict JavaScript MIME type check. However, that check happens in ScriptLoader, which is the content process. In a post-Spectre world this is insecure, because the resource would already be loaded into the content process. To prevent this we need to block at the nsHTTPChannel level in the parent.
Aside: This is of course sort of pointless as long as a normal <script> still allows almost any MIME type, but I still think this is a useful step.
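The parent-side decision described in the report, sketched as an added example; it is not Firefox code and not taken from this bug's patches. `LoadType`, `MimeEssence` and `ShouldForwardToContent` are hypothetical names, and the allow-list is the JavaScript MIME type list from the WHATWG MIME Sniffing standard.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>

// Hypothetical load kinds (assumption; not Firefox's ContentPolicyType values).
enum class LoadType { ClassicScript, ModuleScript };

// JavaScript MIME type essences from the WHATWG MIME Sniffing standard.
static const char* const kJsMimeTypes[] = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript"};

// Lowercased "type/subtype" of a Content-Type value, parameters dropped.
std::string MimeEssence(const std::string& header) {
  std::string out = header.substr(0, header.find(';'));
  auto notWs = [](unsigned char c) { return !std::isspace(c); };
  out.erase(out.begin(), std::find_if(out.begin(), out.end(), notWs));
  out.erase(std::find_if(out.rbegin(), out.rend(), notWs).base(), out.end());
  std::transform(out.begin(), out.end(), out.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return out;
}

// Decision taken in the parent from response headers alone, before any body
// bytes are handed to the content process.
bool ShouldForwardToContent(LoadType type, const std::string& contentType) {
  if (type != LoadType::ModuleScript) return true;  // classic <script> stays lenient
  const std::string essence = MimeEssence(contentType);
  for (const char* allowed : kJsMimeTypes)
    if (essence == allowed) return true;
  return false;  // wrong or missing MIME type: fail the load in the parent
}

int main() {
  // Constructed sample Content-Type headers.
  const char* samples[] = {"text/javascript; charset=utf-8", "application/json", ""};
  for (const char* h : samples)
    std::printf("%-32s -> %s\n", h,
                ShouldForwardToContent(LoadType::ModuleScript, h) ? "forward" : "block");
  return 0;
}
```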
Comment 1•5 years ago
Yeah, that makes sense to me - thanks!
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Assignee
Comment 2•5 years ago
Assignee
Comment 3•5 years ago
Depends on D19269
Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/64ba51db91e8
Add a new internal ContentPolicyType for ES6 modules. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/67ac511f5c6c
Block ES6 modules with wrong MIME type r=ckerschb
Comment 5•5 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/64ba51db91e8
https://hg.mozilla.org/mozilla-central/rev/67ac511f5c6c
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox67:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67