Closed Bug 1561056 (CVE-2019-17002) Opened 1 year ago Closed 1 year ago

No upgrade-insecure-requests for dragged links

Categories

(Core :: DOM: Security, defect, P2)

defect

Tracking

()

RESOLVED FIXED
mozilla70
Tracking Status
firefox70 --- fixed

People

(Reporter: kbrosnan, Assigned: sstreich)

References

()

Details

(Keywords: sec-low, Whiteboard: [domsecurity-active][adv-main70+])

Attachments

(2 files)

STR:

Expected: Link is upgraded to https

Actual: Link remains http

Tested on Firefox nightly 69 Linux, ASAN build

I'd have expected this to have started working when we fixed CSP to be passed correctly cross-process...

Component: Security → DOM: Security

I don't know, sketchy grey area. Isn't dragging the link conceptually like copying it and then pasting it? I'm not sure we always carry the context around in those cases. What does Chrome do here?

ni? Christoph for his opinion.

Group: core-security
Flags: needinfo?(ckerschb)
Keywords: sec-low

I think we should fix that, in fact I though this is working. In my opinion, dragging and dropping a link is a very similar operation to right-click-open-in-new-tab. Besides, if we are missing the CSP we might be missing other content security infrastructure which is potentially more critical.

Basti, can you take a look at this one please?

Assignee: nobody → streich.mobile
Status: NEW → ASSIGNED
Flags: needinfo?(ckerschb) → needinfo?(streich.mobile)
Priority: -- → P2
Whiteboard: [domsecurity-active]
Attachment #9077096 - Attachment description: Bug 1561056 - Pass CSP on Link-drop → Bug 1561056 - Pass CSP on Link-drop r=ckerschb
Flags: needinfo?(streich.mobile)
Keywords: checkin-needed

Pushed by ccoroiu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a7ac9f64f6ea
Pass CSP on Link-drop r=ckerschb,Gijs,farre

Keywords: checkin-needed

Backed out changeset a7ac9f64f6ea (Bug 1561056) for build bustage at widget/gtk/nsDragService.

Push with failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&classifiedState=unclassified&revision=3231c97680c749d65e53d63929c7c364b02e22b8

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=261951821&repo=autoland&lineNumber=17529

Backout link: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&classifiedState=unclassified&revision=0c769cff316532f09812f8315e97787e7cc67131

[task 2019-08-16T06:28:24.638Z] 06:28:24     INFO -  make[4]: Entering directory '/builds/worker/workspace/build/src/obj-firefox/netwerk/cache2'
[task 2019-08-16T06:28:24.638Z] 06:28:24     INFO -  netwerk/cache2/Unified_cpp_netwerk_cache21.o
[task 2019-08-16T06:28:24.638Z] 06:28:24     INFO -  make[4]: Leaving directory '/builds/worker/workspace/build/src/obj-firefox/netwerk/cache2'
[task 2019-08-16T06:28:24.642Z] 06:28:24     INFO -  make[4]: Entering directory '/builds/worker/workspace/build/src/obj-firefox/netwerk/protocol/file'
[task 2019-08-16T06:28:24.643Z] 06:28:24     INFO -  mkdir -p '.deps/'
[task 2019-08-16T06:28:24.643Z] 06:28:24     INFO -  make[4]: Leaving directory '/builds/worker/workspace/build/src/obj-firefox/netwerk/protocol/file'
[task 2019-08-16T06:28:24.643Z] 06:28:24     INFO -  make[4]: Entering directory '/builds/worker/workspace/build/src/obj-firefox/netwerk/protocol/file'
[task 2019-08-16T06:28:24.643Z] 06:28:24     INFO -  netwerk/protocol/file/Unified_cpp_protocol_file0.o
[task 2019-08-16T06:28:24.643Z] 06:28:24     INFO -  make[4]: Leaving directory '/builds/worker/workspace/build/src/obj-firefox/netwerk/protocol/file'
[task 2019-08-16T06:28:25.088Z] 06:28:25     INFO -  make[4]: Entering directory '/builds/worker/workspace/build/src/obj-firefox/xpcom/components'
[task 2019-08-16T06:28:25.096Z] 06:28:25     INFO -  /builds/worker/fetches/sccache/sccache /builds/worker/fetches/clang/bin/clang++ -o StaticComponents.o -c  -I/builds/worker/workspace/build/src/obj-firefox/dist/stl_wrappers -I/builds/worker/workspace/build/src/obj-firefox/dist/system_wrappers -include /builds/worker/workspace/build/src/config/gcc_hidden.h -DDEBUG=1 -DMOZ_LAYOUT_DEBUGGER -DOS_POSIX=1 -DOS_LINUX=1 -DSTATIC_EXPORTABLE_JS_API -DMOZ_HAS_MOZGLUE -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -I/builds/worker/workspace/build/src/xpcom/components -I/builds/worker/workspace/build/src/obj-firefox/xpcom/components -I/builds/worker/workspace/build/src/obj-firefox/xpcom -I/builds/worker/workspace/build/src/xpcom/base -I/builds/worker/workspace/build/src/xpcom/build -I/builds/worker/workspace/build/src/xpcom/ds -I/builds/worker/workspace/build/src/chrome -I/builds/worker/workspace/build/src/js/xpconnect/loader -I/builds/worker/workspace/build/src/layout/build -I/builds/worker/workspace/build/src/modules/libjar -I/builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/_ipdlheaders -I/builds/worker/workspace/build/src/ipc/chromium/src -I/builds/worker/workspace/build/src/ipc/glue -I/builds/worker/workspace/build/src/obj-firefox/dist/include -I/builds/worker/workspace/build/src/obj-firefox/dist/include/nspr -I/builds/worker/workspace/build/src/obj-firefox/dist/include/nss -fPIC -DMOZILLA_CLIENT -include /builds/worker/workspace/build/src/obj-firefox/mozilla-config.h -Qunused-arguments -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Qunused-arguments -Wall -Wbitfield-enum-conversion -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wshadow-field-in-constructor-modified -Wsign-compare -Wtype-limits -Wunreachable-code -Wunreachable-code-return -Wwrite-strings -Wno-invalid-offsetof -Wclass-varargs -Wfloat-overflow-conversion -Wfloat-zero-conversion -Wloop-analysis -Wc++1z-compat -Wc++2a-compat -Wcomma -Wimplicit-fallthrough -Werror=non-literal-null-conversion -Wstring-conversion -Wtautological-overlap-compare -Wtautological-unsigned-enum-zero-compare -Wtautological-unsigned-zero-compare -Wno-inline-new-delete -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=backend-plugin -Wno-error=return-std-move -Wno-error=atomic-alignment -Wformat -Wformat-security -Wno-gnu-zero-variadic-macro-arguments -Wno-unknown-warning-option -Wno-return-type-c-linkage -D_GLIBCXX_USE_CXX11_ABI=0 -fno-sized-deallocation -fno-aligned-new -fcrash-diagnostics-dir=/builds/worker/artifacts -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -g -Xclang -load -Xclang /builds/worker/workspace/build/src/obj-firefox/build/clang-plugin/libclang-plugin.so -Xclang -add-plugin -Xclang moz-check -Os -fno-omit-frame-pointer -funwind-tables -Werror -I/builds/worker/workspace/build/src/widget/gtk/compat-gtk3 -pthread -I/usr/include/gtk-3.0 -I/usr/include/atk-1.0 -I/usr/include/at-spi2-atk/2.0 -I/usr/include/pango-1.0 -I/usr/include/gio-unix-2.0/ -I/usr/include/cairo -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -I/usr/include/harfbuzz -I/usr/include/freetype2 -I/usr/include/pixman-1 -I/usr/include/libpng12 -I/usr/include/gtk-3.0/unix-print  -MD -MP -MF .deps/StaticComponents.o.pp   /builds/worker/workspace/build/src/obj-firefox/xpcom/components/StaticComponents.cpp
[task 2019-08-16T06:28:25.096Z] 06:28:25     INFO -  In file included from /builds/worker/workspace/build/src/obj-firefox/xpcom/components/StaticComponents.cpp:282:
[task 2019-08-16T06:28:25.097Z] 06:28:25    ERROR -  /builds/worker/workspace/build/src/xpcom/components/../../widget/gtk/nsDragService.h:67:3: error: 'InvokeDragSession' marked 'override' but does not override any member functions
[task 2019-08-16T06:28:25.097Z] 06:28:25     INFO -    InvokeDragSession(nsINode* aDOMNode, nsIPrincipal* aPrincipal,
[task 2019-08-16T06:28:25.097Z] 06:28:25     INFO -    ^
[task 2019-08-16T06:28:25.098Z] 06:28:25    ERROR -  /builds/worker/workspace/build/src/xpcom/components/../../widget/gtk/nsDragService.h:67:3: error: 'nsDragService::InvokeDragSession' hides overloaded virtual function [-Werror,-Woverloaded-virtual]
[task 2019-08-16T06:28:25.098Z] 06:28:25     INFO -  /builds/worker/workspace/build/src/obj-firefox/dist/include/nsBaseDragService.h:58:3: note: hidden overloaded virtual function 'nsBaseDragService::InvokeDragSession' declared here: different number of parameters (6 vs 5)
[task 2019-08-16T06:28:25.098Z] 06:28:25     INFO -    NS_DECL_NSIDRAGSERVICE
[task 2019-08-16T06:28:25.098Z] 06:28:25     INFO -    ^
[task 2019-08-16T06:28:25.098Z] 06:28:25     INFO -  /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIDragService.h:114:33: note: expanded from macro 'NS_DECL_NSIDRAGSERVICE'
[task 2019-08-16T06:28:25.098Z] 06:28:25     INFO -    MOZ_CAN_RUN_SCRIPT NS_IMETHOD InvokeDragSession(nsINode *aDOMNode, nsIPrincipal *aPrincipal, nsIContentSecurityPolicy *aCsp, nsIArray *aTransferables, uint32_t aActionType, nsContentPolicyType aContentPolicyType) override; \
[task 2019-08-16T06:28:25.099Z] 06:28:25     INFO -                                  ^
[task 2019-08-16T06:28:25.099Z] 06:28:25     INFO -  2 errors generated.
[task 2019-08-16T06:28:25.099Z] 06:28:25     INFO -  /builds/worker/workspace/build/src/config/rules.mk:785: recipe for target 'StaticComponents.o' failed
[task 2019-08-16T06:28:25.099Z] 06:28:25    ERROR -  make[4]: *** [StaticComponents.o] Error 1
[task 2019-08-16T06:28:25.099Z] 06:28:25     INFO -  make[4]: Leaving directory '/builds/worker/workspace/build/src/obj-firefox/xpcom/components'
[task 2019-08-16T06:28:25.099Z] 06:28:25     INFO -  /builds/worker/workspace/build/src/config/recurse.mk:74: recipe for target 'xpcom/components/target' failed
[task 2019-08-16T06:28:25.100Z] 06:28:25    ERROR -  make[3]: *** [xpcom/components/target] Error 2
[task 2019-08-16T06:28:25.100Z] 06:28:25     INFO -  make[3]: *** Waiting for unfinished jobs....
[task 2019-08-16T06:28:25.545Z] 06:28:25     INFO -  make[4]: Entering directory '/builds/worker/workspace/build/src/obj-firefox/netwerk/cache2'
[task 2019-08-16T06:28:25.549Z] 06:28:25     INFO -  /builds/worker/fetches/sccache/sccache /builds/worker/fetches/clang/bin/clang++ -o Unified_cpp_netwerk_cache21.o -c  -I/builds/worker/workspace/build/src/obj-firefox/dist/stl_wrappers -I/builds/worker/workspace/build/src/obj-firefox/dist/system_wrappers -include /builds/worker/workspace/build/src/config/gcc_hidden.h -DDEBUG=1 -DSTATIC_EXPORTABLE_JS_API -DMOZ_HAS_MOZGLUE -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -I/builds/worker/workspace/build/src/netwerk/cache2 -I/builds/worker/workspace/build/src/obj-firefox/netwerk/cache2 -I/builds/worker/workspace/build/src/netwerk/base -I/builds/worker/workspace/build/src/netwerk/cache -I/builds/worker/workspace/build/src/obj-firefox/dist/include -I/builds/worker/workspace/build/src/obj-firefox/dist/include/nspr -I/builds/worker/workspace/build/src/obj-firefox/dist/include/nss -fPIC -DMOZILLA_CLIENT -include /builds/worker/workspace/build/src/obj-firefox/mozilla-config.h -Qunused-arguments -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Qunused-arguments -Wall -Wbitfield-enum-conversion -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wshadow-field-in-constructor-modified -Wsign-compare -Wtype-limits -Wunreachable-code -Wunreachable-code-return -Wwrite-strings -Wno-invalid-offsetof -Wclass-varargs -Wfloat-overflow-conversion -Wfloat-zero-conversion -Wloop-analysis -Wc++1z-compat -Wc++2a-compat -Wcomma -Wimplicit-fallthrough -Werror=non-literal-null-conversion -Wstring-conversion -Wtautological-overlap-compare -Wtautological-unsigned-enum-zero-compare -Wtautological-unsigned-zero-compare -Wno-inline-new-delete -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=backend-plugin -Wno-error=return-std-move -Wno-error=atomic-alignment -Wformat -Wformat-security -Wno-gnu-zero-variadic-macro-arguments -Wno-unknown-warning-option -Wno-return-type-c-linkage -D_GLIBCXX_USE_CXX11_ABI=0 -fno-sized-deallocation -fno-aligned-new -fcrash-diagnostics-dir=/builds/worker/artifacts -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -g -Xclang -load -Xclang /builds/worker/workspace/build/src/obj-firefox/build/clang-plugin/libclang-plugin.so -Xclang -add-plugin -Xclang moz-check -Os -fno-omit-frame-pointer -funwind-tables -Werror -Wno-error=shadow  -MD -MP -MF .deps/Unified_cpp_netwerk_cache21.o.pp   /builds/worker/workspace/build/src/obj-firefox/netwerk/cache2/Unified_cpp_netwerk_cache21.cpp
[task 2019-08-16T06:28:25.549Z] 06:28:25     INFO -  make[4]: Leaving directory '/builds/worker/workspace/build/src/obj-firefox/netwerk/cache2'
[task 2019-08-16T06:28:37.284Z] 06:28:37     INFO -  make[4]: Entering directory '/builds/worker/workspace/build/src/obj-firefox/intl/strres'
[task 2019-08-16T06:28:37.286Z] 06:28:37     INFO -  /builds/worker/fetches/sccache/sccache /builds/worker/fetches/clang/bin/clang++ -o Unified_cpp_intl_strres0.o -c  -I/builds/worker/workspace/build/src/obj-firefox/dist/stl_wrappers -I/builds/worker/workspace/build/src/obj-firefox/dist/system_wrappers -include /builds/worker/workspace/build/src/config/gcc_hidden.h -DDEBUG=1 -DOS_POSIX=1 -DOS_LINUX=1 -DSTATIC_EXPORTABLE_JS_API -DMOZ_HAS_MOZGLUE -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -I/builds/worker/workspace/build/src/intl/strres -I/builds/worker/workspace/build/src/obj-firefox/intl/strres -I/builds/worker/workspace/build/src/xpcom/ds -I/builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/_ipdlheaders -I/builds/worker/workspace/build/src/ipc/chromium/src -I/builds/worker/workspace/build/src/ipc/glue -I/builds/worker/workspace/build/src/obj-firefox/dist/include -I/builds/worker/workspace/build/src/obj-firefox/dist/include/nspr -I/builds/worker/workspace/build/src/obj-firefox/dist/include/nss -fPIC -DMOZILLA_CLIENT -include /builds/worker/workspace/build/src/obj-firefox/mozilla-config.h -Qunused-arguments -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Qunused-arguments -Wall -Wbitfield-enum-conversion -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wshadow-field-in-constructor-modified -Wsign-compare -Wtype-limits -Wunreachable-code -Wunreachable-code-return -Wwrite-strings -Wno-invalid-offsetof -Wclass-varargs -Wfloat-overflow-conversion -Wfloat-zero-conversion -Wloop-analysis -Wc++1z-compat -Wc++2a-compat -Wcomma -Wimplicit-fallthrough -Werror=non-literal-null-conversion -Wstring-conversion -Wtautological-overlap-compare -Wtautological-unsigned-enum-zero-compare -Wtautological-unsigned-zero-compare -Wno-inline-new-delete -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=backend-plugin -Wno-error=return-std-move -Wno-error=atomic-alignment -Wformat -Wformat-security -Wno-gnu-zero-variadic-macro-arguments -Wno-unknown-warning-option -Wno-return-type-c-linkage -D_GLIBCXX_USE_CXX11_ABI=0 -fno-sized-deallocation -fno-aligned-new -fcrash-diagnostics-dir=/builds/worker/artifacts -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -g -Xclang -load -Xclang /builds/worker/workspace/build/src/obj-firefox/build/clang-plugin/libclang-plugin.so -Xclang -add-plugin -Xclang moz-check -Os -fno-omit-frame-pointer -funwind-tables -Werror -Wno-error=shadow  -MD -MP -MF .deps/Unified_cpp_intl_strres0.o.pp   /builds/worker/workspace/build/src/obj-firefox/intl/strres/Unified_cpp_intl_strres0.cpp
[task 2019-08-16T06:28:37.286Z] 06:28:37     INFO -  make[4]: Leaving directory '/builds/worker/workspace/build/src/obj-firefox/intl/strres'
[task 2019-08-16T06:28:40.502Z] 06:28:40     INFO -  make[4]: Entering directory '/builds/worker/workspace/build/src/obj-firefox/netwerk/cookie'
Flags: needinfo?(streich.mobile)

Fixed the Bustage, should work now :)

Flags: needinfo?(streich.mobile)
Keywords: checkin-needed

Pushed by cbrindusan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/544bb8b63a3e
Pass CSP on Link-drop r=ckerschb,Gijs,farre

Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
QA Whiteboard: [good first verify]
Whiteboard: [domsecurity-active] → [domsecurity-active][adv-main70+]
You need to log in before you can comment on or make changes to this bug.