Make sure addons/serviceworkers can't intercept TRR requests
Categories
(Core :: Networking: DNS, defect, P2)
Tracking
()
People
(Reporter: valentin, Unassigned)
References
Details
(Keywords: sec-audit, Whiteboard: [necko-triaged][trr])
Currently webextensions can use the webRequest API to intercept HTTP/S requests. Service workers can also intercept requests. If they are able to do this for the TRR connection they could see and modify all DNS requests for any domains.
We need to make sure that we don't call CallOnModifyRequestObservers() and similar methods for the TRR service channel.
Comment 1•6 years ago
|
||
Relates to sec-proxy, but probably doesn't necessarily blocks it.
Updated•6 years ago
|
Comment 2•5 years ago
|
||
(In reply to Honza Bambas (:mayhemer) from comment #1)
Relates to sec-proxy, but probably doesn't necessarily blocks it.
This not a secure proxy bug. In mean time I found out that webExtensions cannot access trr connection anyway because they use systemprincipal. Therefore this is not a bug. For service workers I am not 100% sure but I expect that is fine as well. (The secure proxy webExtension can access trr connections but that is fine too)
Comment 3•5 years ago
|
||
Remove blockage on secure proxy based on comment #2.
Reporter | ||
Comment 4•5 years ago
|
||
Based on comment 2 it seems that we are OK with this?
Updated•8 months ago
|
Description
•