Closed Bug 1638826 Opened 4 years ago Closed 4 years ago

A page's CSP base-uri affects pdf.js

Categories

(Core :: DOM: Security, defect, P1)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla78
Tracking Flags:
Tracking Status
firefox78 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

References

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

Bug 1638826: Exempt pdfjs from being subject to CSP permits function. r=baku
47 bytes, text/x-phabricator-request
Details | Review

Within Bug 1582115 we fixed the problem that a page's CSP script-src directive affects pdf.js. It seems a page's base-uri might also affect a pdf.js but uses a different code path within Firefox. While Bug 1582115 was uplifted to Beta, the change here requires some refactoring which is probably to worry-some to uplift that close to the end of the cycle. I rather fix the base-uri problem within this bug as a follow up to Bug 1582115

Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/autoland/rev/2b4796470c0b Make CSP permits function (e.g. restricting base-uri) consult subjectCSP before enforcing CSP. r=baku

huh, rock solid we have that test - I'll take a look!

Flags: needinfo?(ckerschb)
Attachment #9149839 - Attachment description: Bug 1638826: Make CSP permits function (e.g. restricting base-uri) consult subjectCSP before enforcing CSP. r=baku → Bug 1638826: Exempt pdfjs from being subject to CSP permits function. r=baku
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/autoland/rev/85e58f1534d4 Exempt pdfjs from being subject to CSP permits function. r=baku

https://hg.mozilla.org/mozilla-central/rev/85e58f1534d4

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox78: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: