Closed Bug 1614216 Opened 6 years ago Closed 5 years ago

AF_UNIX support

Categories

(Core :: Networking, enhancement)

Product:
Core
Component:
Networking
Version:
74 Branch
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: demiobenour, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0

Steps to reproduce:

Try to use Firefox as the UI for a native application

Actual results:

Not able to connect over AF_UNIX, which is the only type of socket that is protected by OS filesystem permissions

Expected results:

Firefox should be able to connect to URLs such as unix+http:///run/user/1000/notebook.sock. Since the use of such URLs is to allow native apps to securely use the browser as a UI, vulnerability that allow tampering with pages using them should be equivalent to arbitrary code execution. Jupyter notebooks are an excellent use-case for this.

Specifically, firefox /path/to/unix/socket should connect to said socket over HTTP.

Also see bug 1489860.

Im setting the component for this one and maybe one of our developers can take a look and know more about this issue

regards
Pablo

Status: UNCONFIRMED → NEW
Component: Untriaged → IPC
Ever confirmed: true
Product: Firefox → Core
Component: IPC → Networking

I think there are ways to use a local TCP socket with https that would have the same security characteristics. I don't think there's enough unique value here to justify this approach.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.