Closed
Bug 1652707
Opened 5 years ago
Closed 4 years ago
nsContentSecurityUtils::IsEvalAllowed should use filename comparison instead of StringBeginsWith
Categories
(Core :: DOM: Security, enhancement, P3)
Core
DOM: Security
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: freddy, Assigned: holaszyd1)
References
Details
(Keywords: good-first-bug, Whiteboard: [domsecurity-backlog1])
Attachments
(1 obsolete file)
When going through the loop of allowlist entries, we use a StringBeginsWith check to ensure we do not sumble over script locations like resource://gre/modules/workers/require.js line 138 > Function.
Instead, we might be able to use
nsCOMPtr<nsIStackFrame> location = GetCurrentJSStack(1)
JSContext* cx = nsContentUtils::GetCurrentJSContext();
location->GetFilename(cx, caller);
and compare those instead
|
||
Updated•5 years ago
|
Whiteboard: [domsecurity-backlog1]
|
||
Updated•4 years ago
|
Assignee: nobody → holaszyd1
Status: NEW → ASSIGNED
|
|
||
Updated•4 years ago
|
Attachment #9249254 -
Attachment description: Bug 1652707- nsContentSecurityUtils::IsEvalAllowed should use filename comparison instead of StringBeginsWith. r?freddyb → Bug 1652707- nsContentSecurityUtils::IsEvalAllowed should use filename comparison instead of StringBeginsWith.. r?freddyb
|
|
||
Updated•4 years ago
|
Attachment #9249254 -
Attachment description: Bug 1652707- nsContentSecurityUtils::IsEvalAllowed should use filename comparison instead of StringBeginsWith.. r?freddyb → Bug 1652707- nsContentSecurityUtils::IsEvalAllowed should use filename comparison instead of StringBeginsWith... r?freddyb
|
|
||
Updated•4 years ago
|
Attachment #9249254 -
Attachment description: Bug 1652707- nsContentSecurityUtils::IsEvalAllowed should use filename comparison instead of StringBeginsWith... r?freddyb → Bug 1652707- nsContentSecurityUtils::IsEvalAllowed should use filename comparison instead of StringBeginsWith.... r?freddyb
|
|
||
Updated•4 years ago
|
Attachment #9249254 -
Attachment description: Bug 1652707- nsContentSecurityUtils::IsEvalAllowed should use filename comparison instead of StringBeginsWith.... r?freddyb → Bug 1652707- nsContentSecurityUtils::IsEvalAllowed should use filename comparison instead of StringBeginsWith. r?tjr
|
||
Comment 3•4 years ago
|
||
It turns out we can't fix this. The prefix-based comparison is needed because an exact match will need to include the line number of the offending call; and hardcoding that is too brittle. Performing a regex match (on the hot path) would be prohibitively expensive and wouldn't work off-main-thread. Emulating a regex match would be possible, but complicated and doesn't seem worth it for the versatility we have here.
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
|
|
||
Updated•1 year ago
|
Attachment #9249254 -
Attachment is obsolete: true
You need to log in
before you can comment on or make changes to this bug.
Description
•