Closed
Bug 1619872
Opened 4 years ago
Closed 4 years ago
Have a test to ensure EventSource works fine with invalid url in workers
Categories
(Core :: DOM: Workers, task, P2)
Core
DOM: Workers
Tracking
()
RESOLVED
FIXED
mozilla76
People
(Reporter: tt, Assigned: tt)
References
Details
(Keywords: sec-other, Whiteboard: [post-critsmash-triage][adv-main76-][adv-ESR68.8-])
Attachments
(1 file, 1 obsolete file)
|
47 bytes,
text/x-phabricator-request
|
dveditz
:
sec-approval+
|
Details | Review |
No description provided.
|
Assignee | |
Comment 1•4 years ago
|
||
|
||
Updated•4 years ago
|
Attachment #9130728 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 2•4 years ago
|
||
|
||
Updated•4 years ago
|
Group: dom-core-security
|
|
Assignee | |
Comment 3•4 years ago
|
||
Comment on attachment 9130729 [details]
Bug 1619872 - Have a test to ensure EventSource works fine with invalid url in workers after shuting down;
Security Approval Request
- How easily could an exploit be constructed based on the patch?: It's a test to reproduce the crash (was fixed in 1614339). So, it should be okay to land this test for ensuring someone won't break it in the future
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: 68, but the fix has already landed and been verified
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: The fix has already been laned to 68, 74, and 75. Also, the purpose of this test is to ensure someone won't break it in the future. So, landing this on 76+ should be okay.
- How likely is this patch to cause regressions; how much testing does it need?: It should be unlikely since it's a new test.
Attachment #9130729 -
Flags: sec-approval?
|
||
Comment 4•4 years ago
|
||
I'm leaving this in the approval queue until 74 is unthrottled for users and has been out for a little bit.
|
||
Comment 5•4 years ago
|
||
Comment on attachment 9130729 [details]
Bug 1619872 - Have a test to ensure EventSource works fine with invalid url in workers after shuting down;
sec-approval+ a=dveditz
Thanks for waiting to land this until after we shipped the fix.
Attachment #9130729 -
Flags: sec-approval? → sec-approval+
|
|
||
Comment 6•4 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/dc08b292e030ba824eb41e3d2ee983867016e7ef
https://hg.mozilla.org/mozilla-central/rev/dc08b292e030
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox76:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
|
||
Updated•4 years ago
|
status-firefox74:
--- → wontfix
status-firefox75:
--- → wontfix
status-firefox-esr68:
--- → wontfix
Flags: in-testsuite+
|
||
Updated•4 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
|
||
Updated•4 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main76-][adv-ESR68.8-]
|
|
||
Updated•3 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•