Open Bug 1565279 Opened 5 years ago Updated 3 months ago

Stop relying on parent process data: URLs in the devtools toolbox framework tests

Categories

(DevTools :: Framework, task, P3)

task

Tracking

(Not tracked)

People

(Reporter: Gijs, Unassigned)

References

(Blocks 1 open bug)

Details

After bug 1560178, these tests will have a temporary fix, but ideally these tests should use chrome: resources to avoid loading data: URIs as documents in the parent.

Not sure how to prioritize this. So moving to the backlog for now. But feel free to provide a rationale for why we need to do this sooner rather than later.

Priority: -- → P3

Gijs may correct me when I get back, but I think there are two reasons to consider this:

  1. Setting the pref in tests means you are not testing in an environment that mimics release. If <something> starts loading a data: URI (or other untrusted URI) in the parent, and that <something> is covered by a test that disables the pref, the test will pass but the feature will fail in regular usage, and that would probably be confusing.

  2. General cleanup. security.allow_unsafe_parent_loads is a mechanism to harden the parent process, and while tests don't increase the attack surface of Release builds, it is one of the components that prevent us from removing the pref (possibly) and not allowing the possibility of disabling the security mechanism at all.

I'm not advocating for a particular priority, just wanted to give some more details to help you prioritize.

Tom's right, and I'm wondering if https://hg.mozilla.org/integration/autoland/rev/6071c24be566a2b3f2f98152456a540e9e893377 accidentally hid a test failure that would have flagged up bug 1571342... (I somewhat doubt it as it'd surprise me if those were in the relevant directory, but...).

Thanks for the information Tom and Gijs. I was missing a bit of context, and that autoland link explained a lot.
So data-uris aren't allowed anymore in frames loaded inside the toolbox or in chrome-privileged pages. Therefore the following test has to have the pref set before running: https://searchfox.org/mozilla-central/source/devtools/client/shared/test/browser_outputparser.js because it creates a toolbox host to test something.
So we need to start creating chrome resource uris for these tests and remove the prefs.

Severity: normal → S3
Blocks: 1876983
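
One way to track the cleanup discussed in this bug, as an added example (not code from the bug or from mozilla-central): a small Node.js audit that lists tests still running under `security.allow_unsafe_parent_loads` that contain data: URL literals, plus places where the pref is set but no longer needed. The function names, the sample file tree and the assumption that the pref is enabled either in a directory's test manifest or in the test file itself are all illustrative.

```javascript
// Added example: constructed sample tree, not files from mozilla-central.
const PREF = "security.allow_unsafe_parent_loads";
const DATA_URL = /["'`]data:[a-z]+\/[a-z0-9.+-]+[;,]/i; // data: URL in a string literal
const isManifest = p => /\.(ini|toml)$/.test(p);
const dirOf = p => p.slice(0, p.lastIndexOf("/"));
const lineHits = (text, test) =>
  text.split("\n").flatMap((l, i) => (test(l) ? [i + 1] : []));
const enablesPref = text =>
  lineHits(text, l => l.includes(PREF) && /\btrue\b/.test(l)).length > 0;

// Assumption: a manifest that enables the pref covers every test in its
// directory; a test file that enables it covers only itself.
function auditTests(files) {
  const entries = Object.entries(files);
  const scopes = new Map(); // scope -> has a data: URL user been found?
  for (const [p, text] of entries) {
    if (enablesPref(text)) scopes.set(isManifest(p) ? dirOf(p) : p, false);
  }
  const convert = [];
  for (const [p, text] of entries) {
    if (isManifest(p)) continue;
    const scope = scopes.has(p) ? p : dirOf(p);
    if (!scopes.has(scope)) continue; // pref is off here, nothing to clean up
    const lines = lineHits(text, l => DATA_URL.test(l));
    if (lines.length === 0) continue;
    scopes.set(scope, true);
    convert.push({ file: p, lines }); // candidate to move to a chrome: resource
  }
  // Scopes that still set the pref although nothing under them uses data: URLs.
  const prefRemovable = [...scopes].filter(([, used]) => !used).map(([s]) => s).sort();
  return { convert, prefRemovable };
}

const MANIFEST = "[DEFAULT]\nprefs =\n  " + PREF + "=true\n";
const SAMPLE = { // constructed paths and contents
  "suite_a/browser.ini": MANIFEST + "[browser_one.js]\n[browser_two.js]",
  "suite_a/browser_one.js": 'const TEST_URI = "data:text/html;charset=utf-8,<p>hi</p>";',
  "suite_a/browser_two.js": 'const TEST_URI = "chrome://mochitests/content/browser/suite_a/doc.html";',
  "suite_b/browser.ini": MANIFEST + "[browser_three.js]",
  "suite_b/browser_three.js": 'const TEST_URI = "chrome://mochitests/content/browser/suite_b/doc.html";',
  "suite_c/browser_four.js": 'const TEST_URI = "data:text/html,<p>content tab</p>";',
};

console.log(JSON.stringify(auditTests(SAMPLE), null, 2));
```

A flagged literal may still be loaded in a content tab rather than in the parent, so `convert` entries are candidates for review, not confirmed parent-process loads.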