Refactor out a data: ChromeUtils.import from ExtensionParent.jsm
Categories
(WebExtensions :: General, task, P2)
Tracking
(firefox-esr60 wontfix, firefox-esr68 wontfix, firefox69 wontfix, firefox70 wontfix, firefox71 fixed)
People
(Reporter: tjr, Assigned: tjr)
Details
(Keywords: sec-want, Whiteboard: [post-critsmash-triage][adv-main71-])
Attachments
(1 file)
https://searchfox.org/mozilla-central/rev/325c1a707819602feff736f129cb36055ba6d94f/toolkit/components/extensions/ExtensionParent.jsm#710 uses a data: uri to perform a ChromeUtils.import()
We need to refactor this to avoid using a data: uri to accomplish this task so we can prevent loading JS from data: uris entirely.
Comment 1•5 years ago
Should the component on this bug be in web extensions? You're not proposing DOM code changes here.
Comment 2•5 years ago
I can't see why this should need to be a security bug
Comment 3•5 years ago
(In reply to Kris Maglione [:kmag] from comment #2)
> I can't see why this should need to be a security bug
Me neither really; I was erring on the side of caution regarding information disclosure with the parent bug.
Comment 4•5 years ago
Comment 5•5 years ago
https://hg.mozilla.org/integration/autoland/rev/1a2ba5eead516cdf23d0cff5b068e52e80084c6a
https://hg.mozilla.org/mozilla-central/rev/1a2ba5eead51
Comment 6•5 years ago
Hey Tom, can you please give more details about how we want to accomplish this (or CC me to the parent bug)? Are we leaving the option to execute js from data: URIs for our tests (based on Cu.isInAutomation or similar)?
If not, then this missed a few places where we do just that:
https://searchfox.org/mozilla-central/search?q=loadframescript&path=components%2Fextensions
And specifically this place which doesn't directly use a data: string, but constructs one in a variable:
https://searchfox.org/mozilla-central/rev/dafa68a8/toolkit/components/extensions/ExtensionXPCShellUtils.jsm#258
Comment 7•5 years ago
(In reply to Tomislav Jovanovic :zombie from comment #6)
> Hey Tom, can you please give more details about how we want to accomplish this (or CC me to the parent bug)?
I've CC'd you.
> Are we leaving the option to execute js from data: URIs for our tests (based on Cu.isInAutomation or similar)?
I expect we will need to do so for the content process (but not for the parent), yes.
> If not, then this missed a few places where we do just that:
> https://searchfox.org/mozilla-central/search?q=loadframescript&path=components%2Fextensions
> And specifically this place which doesn't directly use a data: string, but constructs one in a variable:
> https://searchfox.org/mozilla-central/rev/dafa68a8/toolkit/components/extensions/ExtensionXPCShellUtils.jsm#258
ContentTask itself does this, too.
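
An added example, not part of the bug thread or of Mozilla's code: a heuristic JavaScript audit for the two patterns raised in comments 6 and 7, a data: literal passed straight to ChromeUtils.import or loadFrameScript, and a data: string built in a variable and passed later. The sample source lines, the chrome://example URL and the function name findDataUriLoads are constructed for illustration.

```javascript
// Added example: line-based heuristic, not a real parser. It checks one loader
// call per line and only tracks variables assigned a data: string directly.
const ASSIGN_RE = /([A-Za-z_$][\w$]*)\s*=\s*["'`]data:/;
const CALL_RE =
  /(ChromeUtils\.import|loadFrameScript)\s*\(\s*(?:(["'`])data:|([A-Za-z_$][\w$]*))/;

// Returns [{line, loader, via}] for every loader call whose first argument is
// a data: string literal or an identifier previously bound to one.
function findDataUriLoads(source) {
  const dataVars = new Set();
  const findings = [];
  source.split("\n").forEach((text, i) => {
    const assigned = ASSIGN_RE.exec(text);
    if (assigned) {
      dataVars.add(assigned[1]); // remember names holding a data: URI
    }
    const call = CALL_RE.exec(text);
    if (!call) {
      return;
    }
    if (call[2]) {
      findings.push({ line: i + 1, loader: call[1], via: "literal" });
    } else if (dataVars.has(call[3])) {
      findings.push({ line: i + 1, loader: call[1], via: "variable " + call[3] });
    }
  });
  return findings;
}

// Constructed sample input (not taken from mozilla-central).
const SAMPLE = [
  'const { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");',
  'const helper = ChromeUtils.import("data:text/javascript,var EXPORTED_SYMBOLS = [];");',
  "let frameScript = `data:text/javascript,(${fn}).call(this)`;",
  "messageManager.loadFrameScript(frameScript, true);",
  'messageManager.loadFrameScript("chrome://example/content/frame.js", true);',
].join("\n");

for (const f of findDataUriLoads(SAMPLE)) {
  console.log(`line ${f.line}: ${f.loader} loads script from data: (${f.via})`);
}
```

The variable-tracking branch is what catches the second case from comment 6, which a plain text search for a data: argument would miss.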