Closed Bug 1647519 Opened 4 years ago Closed 4 years ago

Reject javascript: requests targeting other content processes

Categories

(Core :: DOM: Content Processes, task, P3)

Product:
Core
Component:
DOM: Content Processes
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
87 Branch
Project Flags:
Fission Milestone M6c
Tracking Flags:
Tracking Status
firefox87 --- fixed

People

(Reporter: cpeterson, Assigned: kmag)

References

(Blocks 1 open bug)

Details

(Whiteboard: [ETA: waiting for Phabricator review])

Attachments

(1 file, 2 obsolete files)

Bug 1647519: Reject javascript: requests targeting other content processes. r=nika
48 bytes, text/x-phabricator-request
Details | Review

Ensure javascript: requests targeting other content processes are rejected and add a test to verify this.

Blocks: document-channel
Blocks: 1575120
No longer blocks: document-channel

M6c

Fission Milestone: ? → M6c

Nika and Peter said we should write a test that loading javascript URIs in an OOP iframe throws a nice exception in the console to ensure we don't regress it with Fission. Currently, without Fission, it fails silently.

A few notes from #Fission (thanks, kmag and nika!) :

Cross-process case:

  1. A ContentChild issues javascript: load by calling BrowsingContext::LoadURI – for our example, a (forbidden) cross-process load;
  2. ... or nsDocShell::LoadURI (or InternalLoad) sends LoadURI (or InternalLoad) to the ContentParent;
  3. The BrowsingContext sends LoadURI (or InternalLoad) to the ContentParent (we need to block this with a nice error message).
  4. The ContentParent receives the LoadURI and sends a LoadURI to another child (need to block this with IPC_FAIL in ContentParent::RecvLoadURI - RecvInternalLoad, in case the ContentChild has been compromised).
  5. The ContentChild receives the LoadURI (nothing to do, with the patch, this has already been blocked in step 3. or 4.).

In-process case:

Some same-process loads may hit nsDocShell::LoadURI directly without going through BrowsingContext, and they should still reject with a sane error if the triggering principal doesn't subsume the principal of the target document.

Also:
@kmag "Incidentally, you probably want to report the error with rv.ThrowSecurityError(...) something like this: https://searchfox.org/mozilla-central/rev/ce21a13035623c1d349980057d09000e70669802/js/xpconnect/wrappers/AccessCheck.cpp#153
But in the case of window.open and window.location = ..., I don't think we're allowed to throw for things like this, so I think we'll just need to create the exception and report it."

Assignee: nobody → dteller

Left a few questions in https://phabricator.services.mozilla.com/D89361.

Flags: needinfo?(kmaglione+bmo)
Attachment #9173597 - Attachment is obsolete: true
Flags: needinfo?(kmaglione+bmo)
Flags: needinfo?(kmaglione+bmo)
Severity: -- → N/A
Priority: -- → P3

I won't have time to finish this.

Assignee: D.O.Teller+bugspam → nobody
Assignee: nobody → kmaglione+bmo
Status: NEW → ASSIGNED
Blocks: 1676908

kmag just needs to rewrite the tests in Yoric's patch.

Keeping in Fission M6c.

Loads targeting cross-process BrowsingContexts are by definition cross-origin,
which should preclude any javascript: loads. While those loads are currently
prevented by principal checks in the final target process, sending IPC
messages for the attempts is unnecessary, and potentially opens a door to
privilege escalation exploits by a compromised content process.

This patch prevents any cross-process load requests from being sent by content
processes, and adds checks in the parent process to kill any (potentially
compromised) content process which attempts to send them.

Whiteboard: [ETA: waiting for Phabricator review]
Attachment #9174192 - Attachment is obsolete: true
Pushed by maglione.k@gmail.com: https://hg.mozilla.org/integration/autoland/rev/0395717ea76d Reject javascript: requests targeting other content processes. r=nika
Flags: needinfo?(kmaglione+bmo)
Pushed by maglione.k@gmail.com: https://hg.mozilla.org/integration/autoland/rev/c0ecccf36d56 Reject javascript: requests targeting other content processes. r=nika
Pushed by maglione.k@gmail.com: https://hg.mozilla.org/integration/autoland/rev/e4cefba9f87e Reject javascript: requests targeting other content processes. r=nika
Flags: needinfo?(kmaglione+bmo)
Pushed by maglione.k@gmail.com: https://hg.mozilla.org/integration/autoland/rev/fcd21b8e5e55 Reject javascript: requests targeting other content processes. r=nika
Flags: needinfo?(kmaglione+bmo)

https://hg.mozilla.org/mozilla-central/rev/fcd21b8e5e55

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox87: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: