Closed Bug 1596421 Opened 3 months ago Closed 3 months ago

Disable eval restrictions if the web extension process is disabled

Categories

(Core :: DOM: Security, enhancement, P2)

Tracking

RESOLVED FIXED
mozilla72
Tracking Status
firefox70 --- wontfix
firefox71 + fixed
firefox72 + fixed

People

(Reporter: tjr, Assigned: tjr)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

While analyzing the Telemetry collected as part of Bug 1592321, we realized that a likely source of this data - and a definite problem no matter what - was that if the web extension process is disabled, extensions will run in the parent process, and if they use eval(), that will trigger our checks.

So if the user has disabled the web extension process, we will need to disable the eval restrictions. At first I wondered if we could disable only the parent process check, and leave the system context one intact, but Mozilla extensions may still use the system context, so it's simplest and safest to just disable everything for the relatively few users who have flipped this pref.

[Tracking Requested - why for this release]: I'd like to uplift this to beta because it will allow us to collect Telemetry on a larger audience and ultimately deploy eval restrictions faster.

Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Pushed by tritter@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5e324cc146e3
Disable eval restrictions if the web extension process is disabled r=ckerschb
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72

Comment on attachment 9108718 [details]
Bug 1596421 - Disable eval restrictions if the web extension process is disabled r?ckerschb

Beta/Release Uplift Approval Request

  • User impact if declined: This patch adds an exception case to data collection about a security feature we're trying to deploy. Delaying it will probably cause us to wait at least another release before deploying it. We landed Bug 1592321 which is complementary to this patch.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: Bug 1592321
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): It's a simple patch, only adding a pref check that then disables a security check.
  • String changes made/needed:
Attachment #9108718 - Flags: approval-mozilla-beta?

Comment on attachment 9108718 [details]
Bug 1596421 - Disable eval restrictions if the web extension process is disabled r?ckerschb

Uplift approved for 71 beta 12, thanks.

Attachment #9108718 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Conflict while uplifting this to beta:

warning: conflicts while merging dom/security/nsContentSecurityUtils.cpp! (edit, then use 'hg resolve --mark')

Flags: needinfo?(tom)

Thank you for merging!

Flags: needinfo?(tom)