RefPtr<FeaturePolicy> is stored in BrowsingContext
Categories
(Core :: DOM: Security, defect, P1)
Tracking | Status | |
---|---|---|
firefox86 | --- | fixed |
People
(Reporter: farre, Assigned: farre)
Details
(Whiteboard: [domsecurity-backlog1])
Attachments
(1 file)
Mutable datatypes cannot be stored in BrowsingContext since that won't be synced.
Also, FeaturePolicy in BrowsingContext syncs principals, which is not correct.
Assignee | ||
Comment 1•5 years ago
It's not possible to store a value with mutable data in a
BrowsingContext synced field (in this case a RefPtr<T>), since this
will bypass syncing when written to. Instead store FeaturePolicyInfo
as a value.
We also wish to avoid storing nsIPrincipals in the ContentChild, since
we might be leaking information about a document from another domain
and process in the fission case. Instead initialize FeaturePolicy with
NullPrincipals when creating them from a BrowsingContext representing
an oop document.
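Added example, not taken from the patch or from Gecko: a toy model of the syncing problem Comment 1 describes. SyncedField, PolicyInfo, PolicyRef and ToWire are hypothetical names; the assumption is that a field replicates to the other process only when it is written through its setter.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for a plain-value policy description.
struct PolicyInfo { std::vector<std::string> declared; };
using PolicyRef = std::shared_ptr<PolicyInfo>;

// "Serialization": the peer always receives a copy of the current contents.
inline PolicyInfo ToWire(const PolicyInfo& v) { return v; }
inline PolicyInfo ToWire(const PolicyRef& p) { return *p; }

// Toy synced field: Set() is the only write path that updates the peer copy.
template <typename T>
class SyncedField {
 public:
  explicit SyncedField(const T& initial)
      : mLocal(initial), mRemote(ToWire(initial)) {}
  void Set(const T& value) { mLocal = value; mRemote = ToWire(value); }
  const T& Local() const { return mLocal; }
  const PolicyInfo& Remote() const { return mRemote; }  // peer's view
 private:
  T mLocal;
  PolicyInfo mRemote;
};

// Before: the field holds a pointer. Mutating the pointee compiles even
// through a const accessor and never calls Set(), so the peer goes stale.
inline bool PointerFieldStaysInSync() {
  SyncedField<PolicyRef> field(std::make_shared<PolicyInfo>());
  field.Local()->declared.push_back("camera");
  return field.Local()->declared == field.Remote().declared;
}

// After: the field holds a value. Local() is const, so any change has to
// be made on a copy and written back with Set(), which updates the peer.
inline bool ValueFieldStaysInSync() {
  SyncedField<PolicyInfo> field(PolicyInfo{});
  PolicyInfo updated = field.Local();
  updated.declared.push_back("camera");
  field.Set(updated);
  return field.Local().declared == field.Remote().declared;
}

int main() {
  std::cout << "pointer field in sync: " << PointerFieldStaysInSync() << "\n"
            << "value field in sync:   " << ValueFieldStaysInSync() << "\n";
}
```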
Comment 2•4 years ago
Andreas said this needs to be owned by someone who knows Feature Policy better and Andreas will be available for Fission questions and help.
Comment 3•4 years ago
Putting in the backlog for now till baku answers.
Comment 4•4 years ago
Sorry for the delay. I just accepted Farre's patch.
Comment 5•4 years ago
There's an r+ patch which didn't land and no activity in this bug for 2 weeks.
:farre, could you have a look please?
For more information, please visit auto_nag documentation.
Assignee | ||
Comment 6•4 years ago
I've rebased it, but I also changed the call to FeaturePolicy::SetDeclaredPolicy in FeaturePolicyUtils::FromBrowsingContext to pass a nullptr for src. I think that's more correct. Does that sound reasonable, Baku?
Comment 7•4 years ago
Setting the blocking review flag for baku in phab and following up on slack.
Comment 8•4 years ago
This doesn't need to block M6b but needs to be done very soon in M6c.
Comment 10•4 years ago
bugherder |