Closed Bug 1650951 Opened 4 years ago Closed 4 years ago

Regression: Credit card logos no longer displayed

Categories

(Toolkit :: Form Autofill, defect, P1)

Tracking


RESOLVED FIXED
mozilla80
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox78 --- unaffected
firefox79 --- unaffected
firefox80 --- fixed

People

(Reporter: abr, Assigned: ckerschb)

References

(Regression)

Details

(Keywords: regression)

The patch for Bug 1145314 makes it impossible for resource://-loaded files to access chrome://-loaded files, which breaks access to credit card logos from our .css files. As a consequence, credit card logos no longer appear in the popup.

The fix should look similar to this: https://phabricator.services.mozilla.com/D78896

The potentially impacted files are: https://searchfox.org/mozilla-central/search?q=chrome%3A%2F%2Fformautofill%2F&path=

Chris -- can you take a look at the potentially impacted files above and let us know whether there are any other gotchas we need to look out for here?

Flags: needinfo?(ckerschb)
Whiteboard: [cc-autofill-mvp]

(In reply to Adam Roach [:abr] from comment #0)

> Chris -- can you take a look at the potentially impacted files above and let us know whether there are any other gotchas we need to look out for here?

The quick fix is to back out Bug 1145314, which is on the way as of this writing. Then I'll instrument the code to get some more verbose logging which we can audit using TRY server. I'll do all that within Bug 1145314. Sorry for the breakage and thanks for filing.

Flags: needinfo?(ckerschb)

So can this be marked fixed now? What sort of security rating would this get, anyway -- is it a security issue to not show those logos? Should this be MoCo confidential instead if we're trying to lay low on the CC thing?

Flags: needinfo?(adam)

(In reply to Daniel Veditz [:dveditz] from comment #2)

> So can this be marked fixed now? What sort of security rating would this get, anyway -- is it a security issue to not show those logos? Should this be MoCo confidential instead if we're trying to lay low on the CC thing?

Yeah, I'm not sure about the transitivity of the use of the security-sensitive flag. As I don't fully understand the underlying security issue being addressed here, I'm trying not to shine a spotlight on the nature of the fix, and a patch to fix this would have probably done that. Feel free to pull the security markings off this bug if you don't think that's a concern.

Flags: needinfo?(adam)

Fixed by backout of bug 1145314

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Whiteboard: [cc-autofill-mvp]
Assignee: nobody → ckerschb
Group: firefox-core-security → core-security-release
Target Milestone: --- → mozilla80
Group: core-security-release
Has Regression Range: --- → yes
Keywords: regression