Muted errors still have an URL/filename
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox78 | --- | fix-optional |
People
(Reporter: evilpie, Unassigned)
References
(Blocks 1 open bug)
Details
Attachments
(1 file, 1 obsolete file)
|
194 bytes,
text/html
|
Details |
I don't think the filename/URL is actually private, because this is set by the "loader". Maybe it contains the URL after redirect? So this might not be a real security issue.
The spec says https://html.spec.whatwg.org/multipage/webappapis.html#report-the-error urlString should be an empty string.
We however always assign the filename: https://searchfox.org/mozilla-central/rev/202a285024f174c2d2bf2152d9cba90a03723eab/dom/base/nsJSEnvironment.cpp#510
|
Reporter | |
Comment 1•4 years ago
|
||
I have a fix and test for this.
|
||
Comment 2•4 years ago
|
||
I think it's a security problem if it's the URL after redirects (that's the one the embedder does not know).
|
|
Reporter | |
Comment 3•4 years ago
|
||
At least this test-case shows that we seem to use the pre-redirect URL.
Somewhat related probably at http://wpt.live/html/semantics/scripting-1/the-script-element/muted-errors.sub.html, we fail the test:
"Syntax error for same-origin script redirected to a cross-origin URL and redirected back to same-origin should be muted"
|
|
Reporter | |
Comment 4•4 years ago
|
||
|
|
Reporter | |
Comment 5•4 years ago
|
||
I can't test this on try, so it's quite likely that there are some other test failures.
|
|
Reporter | |
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
|
Reporter | |
Comment 6•4 years ago
|
||
Can I push this to try and land on autoland afterwards, or do I need to wait?
|
||
Comment 7•4 years ago
|
||
It depends on what the security rating is. I'm not sure what it should be.
|
||
Comment 8•4 years ago
|
||
If it's the pre-redirect URL then it's not a security bug and you can just land. I don't get either URL with your testcase though. Am I doing it wrong? Have too many paranoid prefs turned on?
If it's the post-redirect URL then it's a sec-high same-origin policy violation. You could push the patch to try, but take the testcase out first (which might make pushing to try pointless?).
|
|
Reporter | |
Comment 9•4 years ago
•
|
||
(In reply to Daniel Veditz [:dveditz] from comment #8)
If it's the pre-redirect URL then it's not a security bug and you can just land. I don't get either URL with your testcase though. Am I doing it wrong? Have too many paranoid prefs turned on?
The test-case doesn't work when directly running on bugzilla.mozilla.org, because the CSP blocks the JS. I am going to try and figure out where the filename comes from. As I said for me with that test it's the pre-redirect bit.ly URL instead of example.org
If it's the post-redirect URL then it's a sec-high same-origin policy violation. You could push the patch to try, but take the testcase out first (which might make pushing to try pointless?).
That would work for me, I just want to find other potential test failures (or new passes more likely) caused by this change.
|
|
||
Updated•4 years ago
|
|
|
Reporter | |
Comment 10•4 years ago
|
||
|
|
Reporter | |
Comment 11•4 years ago
|
||
I suspect this is not actually a security issue:
- We use the initial URL and not the final URL: https://searchfox.org/mozilla-central/source/dom/script/ScriptLoader.cpp#2435-2436
- Boris purposefully chose this behavior it seems: https://searchfox.org/mozilla-central/source/dom/tests/mochitest/bugs/test_bug873229.html#46-48
We should still fix it to match the spec and other browsers.
|
|
||
Comment 12•4 years ago
|
||
I wonder if it's better to not make this change until we sort out https://github.com/whatwg/html/issues/958#issuecomment-585900125 onward in combination with https://github.com/whatwg/html/issues/958#issuecomment-226309871. In particular as we're revisiting what needs to be muted we might well decide to not mute the URL as it's harmless and give at least a hint as to where people need to look for errors.
|
|
Reporter | |
Comment 13•4 years ago
|
||
Sounds good to me. We should maybe rise a spec issue about not censoring the filename.
|
|
||
Comment 14•4 years ago
•
|
||
So looking at https://html.spec.whatwg.org/#runtime-script-errors <del title=oops>I don't think</del> filename is censored. Unfortunately the way filename is defined is too vague and would allow for an interpretation that it's the one after redirects.
|
|
Reporter | |
Comment 15•4 years ago
|
||
So looking at https://html.spec.whatwg.org/#runtime-script-errors I don't think filename is censored.
I think it's being censored:
Step 6. If script's muted errors is true, ... set ... urlString to the empty string ...
Step 7. ... the filename attribute initialized to urlString ...
Unfortunately the way filename is defined is too vague and would allow for an interpretation that it's the one after redirects.
Definitely. It almost sounds like it's actually the final URL: "resource from which script was obtained"
|
|
Reporter | |
Comment 16•4 years ago
|
||
I think we should open this up. I want to comment with some more details in html#958, which would basically reveal everything here.
|
|
||
Updated•4 years ago
|
|
|
Reporter | |
Comment 17•4 years ago
|
||
Added a comment to the github issue. I guess we just have to wait for other vendors now.
|
||
Comment 18•4 years ago
|
||
There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:evilpie, could you have a look please?
For more information, please visit auto_nag documentation.
|
|
Reporter | |
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
|
Reporter | |
Comment 19•4 years ago
|
||
Unassinging myself. There doesn't seem to be any movement on this.
|
||
Updated•4 years ago
|
Description
•