Open Bug 1628060 Opened 5 years ago Updated 2 years ago

Consider not allowing any channels where the triggeringPrincipal is the SystemPrincipal

Categories: Core :: DOM: Security, task, P3
People: Reporter: ckerschb, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [domsecurity-backlog1]

Currently, it's entirely possible that we have code like

NS_NewChannel(uri, SystemPrincipal, ...);
which allows creating a channel with a systemPrincipal as the triggeringPrincipal.

We should add some assertions and make sure we don't easily allow that.

Whiteboard: [domsecurity-backlog1]
Severity: normal → S3