Closed Bug 1525006 Opened 1 year ago Closed 1 year ago

Add a new internal ContentPolicyType for ES6 modules

Categories

(Core :: DOM: Security, enhancement, P2)

RESOLVED FIXED
mozilla67
Tracking Status
firefox67 --- fixed

People

(Reporter: evilpie, Assigned: evilpie)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 files)

ES6 modules already do a strict JavaScript MIME type check. However, that check happens in ScriptLoader, which is the content process. In a post-Spectre world this is insecure, because the resource would already be loaded into the content process. To prevent this, we need to block at the nsHTTPChannel level in the parent.

Aside: This is of course sort of pointless as long as a normal <script> still allows almost any MIME type, but I still think this is a useful step.

Yeah, that makes sense to me - thanks!

Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/64ba51db91e8
Add a new internal ContentPolicyType for ES6 modules. r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/67ac511f5c6c
Block ES6 modules with wrong MIME type r=ckerschb
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
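
The following is an added sketch, not Gecko code and not part of the bug thread: it models the point of the first comment by deciding from the response headers alone whether a module load may be handed to the content process. The function names and sample response are hypothetical; the MIME list is the JavaScript MIME type list from the WHATWG MIME Sniffing Standard.

```javascript
// Added illustration: not Gecko code. All names and sample data are hypothetical.

// JavaScript MIME type essences listed in the WHATWG MIME Sniffing Standard.
const JS_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// "type/subtype", where both parts are non-empty HTTP tokens.
const ESSENCE_RE = /^[!#$%&'*+\-.^_`|~0-9a-z]+\/[!#$%&'*+\-.^_`|~0-9a-z]+$/;

// Return the lowercase "type/subtype" of a Content-Type value, or null.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0]
    .replace(/^[ \t\r\n]+|[ \t\r\n]+$/g, "").toLowerCase();
  return ESSENCE_RE.test(essence) ? essence : null;
}

// Parent-side decision, made from headers only, before any body byte is
// forwarded. Only module loads are held to the strict check.
function gateResponse(loadType, headers) {
  if (loadType !== "module") return { forward: true, reason: "not a module load" };
  const essence = mimeEssence(headers["content-type"]);
  if (essence !== null && JS_MIME_ESSENCES.has(essence)) {
    return { forward: true, reason: `JavaScript MIME type ${essence}` };
  }
  return { forward: false, reason: `blocked module load: ${essence ?? "no usable Content-Type"}` };
}

// Model of the process boundary: the content process receives the body
// only when the parent-side gate allows it.
function deliverToContent(loadType, response) {
  const verdict = gateResponse(loadType, response.headers);
  return { body: verdict.forward ? response.body : null, reason: verdict.reason };
}

// Constructed sample: a JSON document requested as a module, then as a classic script.
const sampleJson = { headers: { "content-type": "application/json" }, body: '{"token":"constructed"}' };
console.log(deliverToContent("module", sampleJson)); // body withheld in the parent
console.log(deliverToContent("script", sampleJson)); // classic script load is not gated
```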