Closed Bug 1543579 Opened 2 years ago Closed 1 year ago

Follow-up: Disallow http(s) resources to be loaded into system privileged documents for release builds

Categories

(Core :: DOM: Security, defect, P2)

Tracking

RESOLVED FIXED
mozilla73
Tracking Status
firefox73 --- fixed

People

(Reporter: freddy, Assigned: freddy)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active][ready to land])

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #1513445 +++

We should turn the debug assertion into a release assertion after the next merge, May 15th.

FWIW, we disallowed in nightly/early beta through bug 1552477. We will track this for a while until we make a decision.

I think the blocking bug for this was incorrect...

Blocks: 1513445
No longer blocks: 1305331
See Also: → 1305331

The assertion is enabled for nightly & early beta builds.

#ifdef EARLY_BETA_OR_EARLIER
  AssertSystemPrincipalMustNotLoadRemoteDocuments(aChannel);
#endif

No additional crashes according to this search for assertion failures in doContentSecurityCheck.

Are you OK with removing the ifdef and letting this ride the trains?

Flags: needinfo?(ckerschb)
Summary: Follow-up: Disallow http(s) resources to be loaded into system privileged documents for non-debug builds → Follow-up: Disallow http(s) resources to be loaded into system privileged documents for release builds
Attachment #9110472 - Attachment description: Bug 1543579 - Disallow SystemPrincipal for Remote documents on all channels r=ckerschb → Bug 1543579 - Disallow SystemPrincipal for Remote documents on all channels r=ckerschb,tjr

(In reply to Frederik Braun [:freddyb] from comment #3)

> Are you OK with removing the ifdef and letting this ride the trains?

Yes, already accepted the patch :-)

Flags: needinfo?(ckerschb)
Whiteboard: [domsecurity-active] → [domsecurity-active][ready to land after end of soft-freeze on Dec 2nd]
Whiteboard: [domsecurity-active][ready to land after end of soft-freeze on Dec 2nd] → [domsecurity-active][ready to land]
Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/60cf9b754257
Disallow SystemPrincipal for Remote documents on all channels r=ckerschb,tjr
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla73
Duplicate of this bug: 1607673