Closed Bug 1593832 Opened 5 years ago Closed 5 years ago

Enforce XFO and frame-ancestors in parent process if fission is enabled and in content if running in regular mode until we can determine whether a load results in a download in the parent process

Categories

(Core :: DOM: Security, defect, P1)

Unspecified
Windows
defect

Tracking

()

RESOLVED FIXED
mozilla72
Fission Milestone M5
Tracking Status
firefox-esr68 --- unaffected
firefox70 --- unaffected
firefox71 --- unaffected
firefox72 + fixed

People

(Reporter: handyman, Assigned: ckerschb)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [domsecurity-active])

Attachments

(1 file)

I am experiencing a lot of BSODs so I went to Dell's site to update drivers. The direct link includes my service code but the product page [1] leads directly to it when the code is entered. That takes me to a page where it asks to run their ServiceAssist app, which reports that I need to update some drivers. The "Download" button then says it's starting the download but the "Download in progress" line spins at 0% forever. In contrast, both Chrome and Firefox 69 (the latest release I had installed) download the drivers as expected at this stage.

I had tried this with a new profile on nightly and it still failed. I also turned off tracking protection for the site and it still failed in the same way. I don't see anything useful in the consoles.

I'm not sure I'll be able to run this test again since I am installing the updates now but I can try if needed (I've been BSODing a lot.)


[1] https://www.dell.com/support/home/us/en/04/product-support/product/xps-15-9570-laptop/overview

I can reproduce this in Nightly. Web console shows this error message: "Load denied by X-Frame-Options: “SAMEORIGIN” from “https://dl.dell.com/FOLDER05869942M/2/MSPIP_V1.0.0.2_ZPE.exe…3d1d9c-c9eb-437d-7bcd-fb1dfdffb5e9&fn=MSPIP_V1.0.0.2_ZPE.exe”, site does not permit cross-origin framing from “https://www.dell.com/support/home/ca/en/cabsdt1/product-support/product/xps-15-9570-laptop/overview”."

Download works on Fx70.0.1.

Component: General → DOM: Security

This is a regression from Bug 1584998, I'll take a look ASAP.

Assignee: nobody → ckerschb
Blocks: 1584998
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [domsecurity-active]
Regressed by: 1584998
Keywords: regression
Depends on: 1574372
Blocks: 1599131
Summary: Dell support site will not download drivers, etc → Enforce XFO and frame-ancestors in parent process if fission is enabled and in content if running in regular mode until we can determine whether a load results in a download in the parent process
Attachment #9110237 - Attachment description: Bug 1593832: Make loads with content type 'application/octet-stream' not subject to XFO. r=dragana → Bug 1593832: Enforce XFO and frame-ancestors in parent process if fission is enabled and in content if running in regular mode until we can determine whether a load results in a download in the parent process. r=jkt,bz
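
A simplified model of the failure in this bug, added here as an example and not taken from the Firefox patch: a framed response carrying `X-Frame-Options: SAMEORIGIN` is blocked when the check runs without knowing that the response is a download, and is handed to the download path when it does know. The function names, the `knowsDownloads` flag, the download heuristic and the `.example` URLs are assumptions made for illustration.

```javascript
// Simplified model of an X-Frame-Options check; hypothetical names, not Firefox code.
const origin = (url) => new URL(url).origin;

// Assumption for this sketch: a response counts as a download when it carries
// Content-Disposition: attachment, or the content type named in the first
// patch description on this bug (application/octet-stream).
function isDownload(headers) {
  const disposition = (headers["content-disposition"] || "").trim().toLowerCase();
  const type = (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  return disposition.startsWith("attachment") || type === "application/octet-stream";
}

// ancestors: URLs of the embedding documents, nearest parent first.
function xfoAllows(responseUrl, headers, ancestors) {
  const policy = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (policy === "" || ancestors.length === 0) return true; // no header, or top-level load
  if (policy === "DENY") return false;
  if (policy === "SAMEORIGIN") {
    const self = origin(responseUrl);
    return ancestors.every((a) => origin(a) === self);
  }
  return true; // unrecognised values are ignored in this sketch
}

// knowsDownloads models whether the enforcing process can already tell that
// the load will be saved to disk rather than rendered inside the frame.
function decide(responseUrl, headers, ancestors, { knowsDownloads }) {
  if (knowsDownloads && isDownload(headers)) return "download";
  return xfoAllows(responseUrl, headers, ancestors) ? "render" : "blocked";
}

// Constructed sample: a driver installer served from a separate download
// origin into a frame on a support page.
const installerUrl = "https://downloads.example/driver.exe";
const installerHeaders = {
  "content-type": "application/octet-stream",
  "x-frame-options": "SAMEORIGIN",
};
const framingPage = ["https://support.example/product/overview"];

console.log(decide(installerUrl, installerHeaders, framingPage, { knowsDownloads: false })); // blocked
console.log(decide(installerUrl, installerHeaders, framingPage, { knowsDownloads: true }));  // download
```

A framed HTML document with the same header stays blocked in both modes, so the framing protection is unchanged for content that would actually render.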

Tracking for Fission dogfooding (M5)

Fission Milestone: --- → M5
See Also: → 1599256
See Also: → 1598362
Pushed by aciure@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/432a6d44236d
Enforce XFO and frame-ancestors in parent process if fission is enabled and in content if running in regular mode until we can determine whether a load results in a download in the parent process. r=bzbarsky,jkt
See Also: → 1597606
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
Regressions: 1600174
Has Regression Range: --- → yes