Closed Bug 1543502 Opened 6 years ago Closed 5 years ago

Make sure addons/serviceworkers can't intercept TRR requests

Categories

(Core :: Networking: DNS, defect, P2)

defect

Tracking

()

RESOLVED INVALID

People

(Reporter: valentin, Unassigned)

References

Details

(Keywords: sec-audit, Whiteboard: [necko-triaged][trr])

Currently webextensions can use the webRequest API to intercept HTTP/S requests. Service workers can also intercept requests. If they are able to do this for the TRR connection they could see and modify all DNS requests for any domains.

We need to make sure that we don't call CallOnModifyRequestObservers() and similar methods for the TRR service channel.

Relates to sec-proxy, but probably doesn't necessarily blocks it.

Blocks: secure-proxy
Priority: -- → P2
Keywords: sec-audit

(In reply to Honza Bambas (:mayhemer) from comment #1)

Relates to sec-proxy, but probably doesn't necessarily blocks it.

This not a secure proxy bug. In mean time I found out that webExtensions cannot access trr connection anyway because they use systemprincipal. Therefore this is not a bug. For service workers I am not 100% sure but I expect that is fine as well. (The secure proxy webExtension can access trr connections but that is fine too)

Remove blockage on secure proxy based on comment #2.

No longer blocks: secure-proxy

Based on comment 2 it seems that we are OK with this?

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
Group: network-core-security
You need to log in before you can comment on or make changes to this bug.