Closed Bug 1577285 Opened 5 years ago Closed 5 years ago

Refactor out a data: ChromeUtils.import from ExtensionParent.jsm

Categories

(WebExtensions :: General, task, P2)

Tracking

(firefox-esr60 wontfix, firefox-esr68 wontfix, firefox69 wontfix, firefox70 wontfix, firefox71 fixed)

RESOLVED FIXED

People

(Reporter: tjr, Assigned: tjr)

Details

(Keywords: sec-want, Whiteboard: [post-critsmash-triage][adv-main71-])

Attachments

(1 file)

https://searchfox.org/mozilla-central/rev/325c1a707819602feff736f129cb36055ba6d94f/toolkit/components/extensions/ExtensionParent.jsm#710 uses a data: URI to perform a ChromeUtils.import().

We need to refactor this to avoid using a data: URI to accomplish this task so we can prevent loading JS from data: URIs entirely.

Type: enhancement → task
Keywords: sec-want

Should the component on this bug be in web extensions? You're not proposing DOM code changes here.

Group: core-security → dom-core-security
Flags: needinfo?(tom)
Group: dom-core-security → firefox-core-security
Component: DOM: Security → General
Flags: needinfo?(tom)
Product: Core → WebExtensions

I can't see why this should need to be a security bug

(In reply to Kris Maglione [:kmag] from comment #2)

> I can't see why this should need to be a security bug

Me neither really; I was erring on the side of caution regarding information disclosure with the parent bug.

Priority: -- → P2

Hey Tom, can you please give more details about how we want to accomplish this (or CC me to the parent bug)? Are we leaving the option to execute js from data: URIs for our tests (based on Cu.isInAutomation or similar)?

If not, then this missed a few places where we do just that:
https://searchfox.org/mozilla-central/search?q=loadframescript&path=components%2Fextensions

And specifically this place which doesn't directly use a data: string, but constructs one in a variable:
https://searchfox.org/mozilla-central/rev/dafa68a8/toolkit/components/extensions/ExtensionXPCShellUtils.jsm#258

Flags: needinfo?(tom)

(In reply to Tomislav Jovanovic :zombie from comment #6)

> Hey Tom, can you please give more details about how we want to accomplish this (or CC me to the parent bug)?

I've CC'd you.

> Are we leaving the option to execute js from data: URIs for our tests (based on Cu.isInAutomation or similar)?

I expect we will need to do so for the content process (but not for the parent), yes.

> If not, then this missed a few places where we do just that:
> https://searchfox.org/mozilla-central/search?q=loadframescript&path=components%2Fextensions
>
> And specifically this place which doesn't directly use a data: string, but constructs one in a variable:
> https://searchfox.org/mozilla-central/rev/dafa68a8/toolkit/components/extensions/ExtensionXPCShellUtils.jsm#258

ContentTask itself does this, too.

Flags: needinfo?(tom)
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main71-]
Group: core-security-release
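
An added example, not part of the bug thread and not Firefox code: a heuristic scan for the pattern discussed in the comments above, a data: URI handed to `ChromeUtils.import` or `loadFrameScript`, either as a literal or built in a variable first. The function names and the sample source are constructed for illustration.

```javascript
// Added example, not Firefox code. Heuristic audit: flag call sites that pass
// a data: URI to a script loader. The two sinks are the ones named in this bug.
const SINKS = ["ChromeUtils.import", "loadFrameScript"];
const IDENT = /[A-Za-z_$][\w$]*/g;

// Names assigned a data: literal, directly or via another tainted name, so a
// URI "constructed in a variable" is still caught at the call site.
function taintedNames(source) {
  const assign = /([A-Za-z_$][\w$]*)\s*=(?![=>])\s*([^;]*);/g;
  const assigns = [...source.matchAll(assign)].map((m) => [m[1], m[2]]);
  const names = new Set();
  let grew = true;
  while (grew) {
    grew = false;
    for (const [name, rhs] of assigns) {
      if (names.has(name)) continue;
      const viaLiteral = /["'`]data:/.test(rhs);
      const viaName = (rhs.match(IDENT) || []).some((t) => names.has(t));
      if (viaLiteral || viaName) { names.add(name); grew = true; }
    }
  }
  return names;
}

// Single-line call sites only; multi-line calls need a real parser.
function findDataUriLoads(source) {
  const tainted = taintedNames(source);
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const sink of SINKS) {
      const at = text.indexOf(sink + "(");
      if (at === -1) continue;
      const args = text.slice(at + sink.length + 1);
      const ident = args.match(/^\s*([A-Za-z_$][\w$]*)\s*[,)]/);
      if (/^\s*["'`]data:/.test(args)) {
        findings.push({ line: i + 1, sink, kind: "literal" });
      } else if (ident && tainted.has(ident[1])) {
        findings.push({ line: i + 1, sink, kind: "variable" });
      }
    }
  });
  return findings;
}

// Constructed sample input, not taken from mozilla-central.
const SAMPLE = [
  'ChromeUtils.import("resource://gre/modules/Services.jsm");',
  'ChromeUtils.import("data:,var EXPORTED_SYMBOLS = [];");',
  'let body = "data:text/javascript," + encodeURIComponent(code);',
  'let frameScript = body;',
  'mm.loadFrameScript(frameScript, true);',
  'mm.loadFrameScript("chrome://example/content/frame.js", true);',
].join("\n");
console.log(findDataUriLoads(SAMPLE));
```

Because the scan is regex-based, identifiers that appear inside string literals can produce false positives, so treat its output as a review list rather than a verdict.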