Closed Bug 1648445 Opened 5 years ago Closed 5 years ago

Backout - bypassCORSChecks

Tracking

()

Status:

RESOLVED DUPLICATE of bug 1645204

Tracking Flags:

Tracking

Status

firefox-esr78

wontfix

People

(Reporter: sstreich, Assigned: sstreich)

References

Details

(Keywords: csectype-sop, sec-high)

Attachments

(1 obsolete file)

Bug 1648445 - Remove bypassCORSChecks flags r=robwu 5 years ago Sebastian Streich [:sstreich] 47 bytes, text/x-phabricator-request		Details \| Review

Sebastian Streich [:sstreich]

Assignee

Description

•

5 years ago

As Rob described in Bug 1645204 , our handling of bypassCORSChecks leaves a huge vulnerably open for our users. Regressed by bug 1450965. Fortunately this was in 69, so ESR68 is not affected. As the next ESR release is so close, I would like to backout the changes made in bug 1450965.
We will still work on the fixing the original Bug in 1645204 asap.

i would like to remove the risk of shipping the vuln, since the original bug we tried to fix had only a small impact on users. Since the regressing patch did not land on ESR, backouting it would pose no negative effect for our esr users.

Sebastian Streich [:sstreich]

Assignee

Updated

•

5 years ago

Assignee: nobody → sstreich

Sebastian Streich [:sstreich]

Assignee

Comment 1

•

5 years ago

Attached file Bug 1648445 - Remove bypassCORSChecks flags r=robwu (obsolete) — Details

Sebastian Streich [:sstreich]

Assignee

Comment 2

•

5 years ago

[Tracking Requested - why for this release]: See Comment 0 🙈

status-firefox-esr78: --- → affected

tracking-firefox-esr78: --- → ?

Rob Wu [:robwu]

Comment 3

•

5 years ago

FYI: If the patch size is a concern, then note that the sec bug itself can be avoided by one patch with two small changes:

Daniel Veditz [:dveditz]

Updated

•

5 years ago

Group: core-security → dom-core-security

Keywords: csectype-sop, sec-high

Rob Wu [:robwu]

Comment 4

•

5 years ago

Since ESR78 has already shipped with the feature from bug 1450965, we shouldn't just back out the patch.

For that reason, I suggest to move the patch back to bug 1645204. That bug already has a real fix, so the patch here is just removal of unused code. There is not really a need for two separate bugs.

@sstreich, could you move this patch back to bug 1450965, and mark this bug as a duplicate of it?

Flags: needinfo?(sstreich)

Phabricator Automation

Comment 5

•

5 years ago

Comment on attachment 9159253 [details]
Bug 1648445 - Remove bypassCORSChecks flags r=robwu

Revision D80956 was moved to bug 1645204. Setting attachment 9159253 [details] to obsolete.

Attachment #9159253 - Attachment is obsolete: true

Sebastian Streich [:sstreich]

Assignee

Comment 6

•

5 years ago

sure, moved it back :)

Status: NEW → RESOLVED

Closed: 5 years ago

Flags: needinfo?(sstreich)

Resolution: --- → DUPLICATE

Ryan VanderMeulen [:RyanVM]

Updated

•

5 years ago

status-firefox-esr78: affected → wontfix

tracking-firefox-esr78: ? → -

Daniel Veditz [:dveditz]

Updated

•

2 years ago

Group: dom-core-security

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Backout - bypassCORSChecks

Categories

(Core :: Networking: HTTP, defect)

Tracking

()

People

(Reporter: sstreich, Assigned: sstreich)

References

Details

(Keywords: csectype-sop, sec-high)

Crash Data

Security

(public)

User Story

Attachments

(1 obsolete file)

Description

Updated

Comment 1

Comment 2

Comment 3

Updated

Comment 4

Comment 5

Comment 6

Updated

Updated

Attachment

General

Description

File Name

Content Type