Closed Bug 1614008 Opened 5 years ago Closed 5 years ago

Disable eval() usage if the user has a PAC Script set (or we are executing a pac script)

Categories

(Core :: DOM: Security, defect, P2)


Tracking


RESOLVED FIXED
mozilla75
Tracking Status
firefox74 + fixed
firefox75 --- fixed

People

(Reporter: tjr, Assigned: tjr)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

In Berlin, late at night, :nika suggested that the remaining traces of eval() occurring might be coming from PAC Scripts. Let's disable the eval assertions then and see what happens!

network.proxy.autoconfig_url

Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Pushed by tritter@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d593e775210f Disable eval checks for PAC Scripts r=jandem
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75

[Tracking Requested - why for this release]:

In Bug 1611238 in 74 we are going to enforce eval restrictions. In this bug we believe we have identified what may be some last lingering sources of the telemetry we were seeing. Here we'll disable the eval restrictions for PAC Scripts. Not taking this in 74 would mean that in the 74 release, if a PAC script used eval, it would not work.

We should either hold back Bug 1611238 or uplift this bug to 74. I'd prefer to uplift this bug, because it's a safe uplift (it's disabling a security feature) and I'd prefer to avoid holding back the security feature for another release.

Comment on attachment 9127955 [details]
Bug 1614008 - Disable eval checks for PAC Scripts r?jandem

Beta/Release Uplift Approval Request

  • User impact if declined: See Comment 5
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a small patch that disables a security check.
  • String changes made/needed:
Attachment #9127955 - Flags: approval-mozilla-beta?

Comment on attachment 9127955 [details]
Bug 1614008 - Disable eval checks for PAC Scripts r?jandem

The justification seems reasonable to me, uplift approved for 74.0b8, thanks.

Attachment #9127955 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
