Closed Bug 1544011 Opened 5 years ago Closed 4 years ago

Discovery pane should not load discovery.addons.mozilla.org using the system principal

Categories

(Toolkit :: Add-ons Manager, defect, P3)

Product:
Toolkit
Component:
Add-ons Manager
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla75
Tracking Flags:
Tracking Status
firefox75 --- fixed

People

(Reporter: freddy, Assigned: freddy)

References

Details

(Keywords: sec-want, Whiteboard: [adv-main75-])

Attachments

(1 file)

Bug 1544011 - remove exception that SystemPrincipal may open discovery pane r=ckerschb
47 bytes, text/x-phabricator-request
Details | Review

bug 1513445 disallows loading remote documents (i.e., over HTTPS/HTTP/FTP) with the systemprincipal in debug builds.

It will get an exception in bug 1544008, so I the feature still works. But I also believe that we should not load documents with the systemprincipal.

Depends on: 1540173
Priority: -- → P1

The relevant code can be removed when we rip out the XUL about:addons (specifically the remote discopane part of it that is activated by setting the extensions.htmlaboutaddons.discover.enabled=false pref).

Priority: P1 → P3
See Also: → 1565187

Mark, I think the code at https://searchfox.org/mozilla-central/rev/96f1457323cc598a36f5701f8e67aedaf97acfcf/dom/security/nsContentSecurityManager.cpp#828-839 can go away now (now that bug 1337627 is fixed in 73), right? We no longer load that as a document, and I also don't think the pref is used anymore, so probably most of what's at https://searchfox.org/mozilla-central/search?q=extensions.webservice.discoverURL can also be removed?

Flags: needinfo?(mstriemer)

Yes, that pref is no longer being used. Looks like all references to the pref can be removed.

The const defined in head.js only leads to browser_history_navigation.js. That file can have the MAIN_URL const removed along with the url argument from the is_in_discover helper. I can file a follow up for that, just not setting the pref should unblock this.

Flags: needinfo?(mstriemer)

Taking this one to remove the exception for the discovery pane URL, right now. This helps me as it minimizes unexpected conflicts with bug 1613609, that I'm working on in parallel.

Mark, please go ahead and file the follow-up to remove other mentions of extensions.webservice.discoverURL as laid out in comment 4.

Assignee: nobody → fbraun
Status: NEW → ASSIGNED

(In reply to Frederik Braun [:freddy] from comment #5)

Mark, please go ahead and file the follow-up to remove other mentions of extensions.webservice.discoverURL as laid out in comment 4.

Flags: needinfo?(mstriemer)
Pushed by nbeleuzu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9356ffda1a9c
remove exception that SystemPrincipal may open discovery pane r=ckerschb

Filed bug 1620438.

Flags: needinfo?(mstriemer)

https://hg.mozilla.org/mozilla-central/rev/9356ffda1a9c

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox75: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
Whiteboard: [adv-main75-]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: