Closed Bug 1561056 (CVE-2019-17002) Opened 6 years ago Closed 5 years ago

No upgrade-insecure-requests for dragged links

Categories

(Core :: DOM: Security, defect, P2)

defect

Tracking


RESOLVED FIXED
mozilla70
Tracking Status
firefox70 --- fixed

People

(Reporter: kbrosnan, Assigned: sstreich)

References


Details

(Keywords: sec-low, Whiteboard: [domsecurity-active][adv-main70+])

Attachments

(2 files)

STR:

Expected: Link is upgraded to https

Actual: Link remains http

Tested on Firefox nightly 69 Linux, ASAN build

I'd have expected this to have started working when we fixed CSP to be passed correctly cross-process...

Component: Security → DOM: Security

I don't know, sketchy grey area. Isn't dragging the link conceptually like copying it and then pasting it? I'm not sure we always carry the context around in those cases. What does Chrome do here?

ni? Christoph for his opinion.

Group: core-security
Flags: needinfo?(ckerschb)
Keywords: sec-low

I think we should fix that; in fact I thought this was working. In my opinion, dragging and dropping a link is a very similar operation to right-click-open-in-new-tab. Besides, if we are missing the CSP we might be missing other content security infrastructure which is potentially more critical.

Basti, can you take a look at this one please?

Assignee: nobody → streich.mobile
Status: NEW → ASSIGNED
Flags: needinfo?(ckerschb) → needinfo?(streich.mobile)
Priority: -- → P2
Whiteboard: [domsecurity-active]
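As an added illustration (not Firefox code, and not part of this bug's discussion), a small Python model of what the dragged-link path was missing: a navigation is only upgraded by upgrade-insecure-requests when the originating document's CSP travels with it. It assumes the spec's rule that navigations are upgraded only to hosts in the document's own upgrade-insecure-navigations set (modelled here as the document's host), and uses constructed hostnames.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class DocumentCsp:
    """Minimal model of the CSP attached to a document (constructed for this example)."""
    directives: frozenset
    host: str  # host of the document that carries the policy


def parse_csp(header: str, document_host: str) -> DocumentCsp:
    """Keep only directive names; values are irrelevant for upgrade-insecure-requests."""
    names = {d.strip().split()[0].lower() for d in header.split(";") if d.strip()}
    return DocumentCsp(frozenset(names), document_host)


def upgrade_navigation(target: str, csp: Optional[DocumentCsp]) -> str:
    """Return the URL a link navigation should actually load.

    `csp` is None when the navigation lost its security context, which is the
    dragged-link defect this bug describes: no policy attached, so no upgrade.
    """
    if csp is None or "upgrade-insecure-requests" not in csp.directives:
        return target
    parts = urlsplit(target)
    if parts.scheme not in ("http", "ws"):
        return target  # already secure, or a scheme the directive does not touch
    # Navigations are only upgraded to hosts in the document's
    # upgrade-insecure-navigations set; modelled here as the document's own host.
    if parts.hostname != csp.host:
        return target
    scheme = "https" if parts.scheme == "http" else "wss"
    netloc = parts.hostname
    if parts.port is not None and parts.port != 80:
        netloc += f":{parts.port}"  # an explicit non-80 port is kept as-is
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))
```

The `None` case is the behaviour reported above ("Link remains http"); passing the CSP along with the drop is what makes the first case apply.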
Attachment #9077096 - Attachment description: Bug 1561056 - Pass CSP on Link-drop → Bug 1561056 - Pass CSP on Link-drop r=ckerschb
Flags: needinfo?(streich.mobile)
Keywords: checkin-needed

Pushed by ccoroiu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a7ac9f64f6ea
Pass CSP on Link-drop r=ckerschb,Gijs,farre

Keywords: checkin-needed

Backed out changeset a7ac9f64f6ea (Bug 1561056) for build bustage at widget/gtk/nsDragService.

Push with failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&classifiedState=unclassified&revision=3231c97680c749d65e53d63929c7c364b02e22b8

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=261951821&repo=autoland&lineNumber=17529

Backout link: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&classifiedState=unclassified&revision=0c769cff316532f09812f8315e97787e7cc67131

[task 2019-08-16T06:28:25.097Z] 06:28:25    ERROR -  /builds/worker/workspace/build/src/xpcom/components/../../widget/gtk/nsDragService.h:67:3: error: 'InvokeDragSession' marked 'override' but does not override any member functions
[task 2019-08-16T06:28:25.097Z] 06:28:25     INFO -    InvokeDragSession(nsINode* aDOMNode, nsIPrincipal* aPrincipal,
[task 2019-08-16T06:28:25.097Z] 06:28:25     INFO -    ^
[task 2019-08-16T06:28:25.098Z] 06:28:25    ERROR -  /builds/worker/workspace/build/src/xpcom/components/../../widget/gtk/nsDragService.h:67:3: error: 'nsDragService::InvokeDragSession' hides overloaded virtual function [-Werror,-Woverloaded-virtual]
[task 2019-08-16T06:28:25.098Z] 06:28:25     INFO -  /builds/worker/workspace/build/src/obj-firefox/dist/include/nsBaseDragService.h:58:3: note: hidden overloaded virtual function 'nsBaseDragService::InvokeDragSession' declared here: different number of parameters (6 vs 5)
[task 2019-08-16T06:28:25.098Z] 06:28:25     INFO -    NS_DECL_NSIDRAGSERVICE
[task 2019-08-16T06:28:25.098Z] 06:28:25     INFO -    ^
[task 2019-08-16T06:28:25.098Z] 06:28:25     INFO -  /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIDragService.h:114:33: note: expanded from macro 'NS_DECL_NSIDRAGSERVICE'
[task 2019-08-16T06:28:25.098Z] 06:28:25     INFO -    MOZ_CAN_RUN_SCRIPT NS_IMETHOD InvokeDragSession(nsINode *aDOMNode, nsIPrincipal *aPrincipal, nsIContentSecurityPolicy *aCsp, nsIArray *aTransferables, uint32_t aActionType, nsContentPolicyType aContentPolicyType) override; \
[task 2019-08-16T06:28:25.099Z] 06:28:25     INFO -                                  ^
[task 2019-08-16T06:28:25.099Z] 06:28:25     INFO -  2 errors generated.
[task 2019-08-16T06:28:25.099Z] 06:28:25     INFO -  /builds/worker/workspace/build/src/config/rules.mk:785: recipe for target 'StaticComponents.o' failed
[task 2019-08-16T06:28:25.099Z] 06:28:25    ERROR -  make[4]: *** [StaticComponents.o] Error 1
Flags: needinfo?(streich.mobile)

Fixed the Bustage, should work now :)

Flags: needinfo?(streich.mobile)
Keywords: checkin-needed

Pushed by cbrindusan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/544bb8b63a3e
Pass CSP on Link-drop r=ckerschb,Gijs,farre

Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
QA Whiteboard: [good first verify]
Whiteboard: [domsecurity-active] → [domsecurity-active][adv-main70+]
Attached file advisory.txt
Alias: CVE-2019-17002