Closed Bug 1655719 Opened 2 years ago Closed 2 years ago

Inappropriate use of nsContentPolicyType::TYPE_OTHER in nsContentSecurityUtils::IsDownloadAllowed()

Categories

(Core :: DOM: Security, task, P2)

Tracking

RESOLVED FIXED
81 Branch
Tracking Status
firefox81 --- fixed

People

(Reporter: freddy, Assigned: sstreich)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

I saw you implemented this recently and the function is passed a channel and creates a new loadinfo on-the-fly for a mixed content blocking check. Wouldn't it make sense to inherit the contentpolicytype from the existing channel?

Flags: needinfo?(sstreich)

Downloads caused by a navigation mostly have type_document or type_subdocument, which always pass the mixed-content blocker. So I chose type_other because there was no better option that gets the full mcb check.

Flags: needinfo?(sstreich)

I think we need to change Mixed Content Blocking to not give a free pass to the TYPE_SAVEAS_DOWNLOAD anymore and use that in our callsite instead.

Assignee: nobody → sstreich
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]

Pushed by cbrindusan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/19abcf869c39
Make Type:SaveAsDownload subject to mixedContentBlocking r=ckerschb

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch

Regressions: 1662138