Closed Bug 1648445 Opened 3 years ago Closed 3 years ago

Backout - bypassCORSChecks


(Core :: Networking: HTTP, defect)




Tracking Status
firefox-esr78 - wontfix


(Reporter: sstreich, Assigned: sstreich)



(Keywords: csectype-sop, sec-high)


(1 obsolete file)

As Rob described in Bug 1645204, our handling of bypassCORSChecks leaves a huge vulnerability open for our users. Regressed by bug 1450965. Fortunately this was in 69, so ESR68 is not affected. As the next ESR release is so close, I would like to back out the changes made in bug 1450965.
We will still work on fixing the original bug in 1645204 asap.

I would like to remove the risk of shipping the vuln, since the original bug we tried to fix had only a small impact on users. Since the regressing patch did not land on ESR, backing it out would pose no negative effect for our ESR users.

Assignee: nobody → sstreich

[Tracking Requested - why for this release]: See Comment 0 🙈

Group: core-security → dom-core-security

Since ESR78 has already shipped with the feature from bug 1450965, we shouldn't just back out the patch.

For that reason, I suggest moving the patch back to bug 1645204. That bug already has a real fix, so the patch here is just removal of unused code. There is not really a need for two separate bugs.

@sstreich, could you move this patch back to bug 1450965, and mark this bug as a duplicate of it?

Flags: needinfo?(sstreich)

Comment on attachment 9159253 [details]
Bug 1648445 - Remove bypassCORSChecks flags r=robwu

Revision D80956 was moved to bug 1645204. Setting attachment 9159253 [details] to obsolete.

Attachment #9159253 - Attachment is obsolete: true

Sure, moved it back :)

Closed: 3 years ago
Flags: needinfo?(sstreich)
Resolution: --- → DUPLICATE
Group: dom-core-security