Closed
Bug 1655719
Opened 4 years ago
Closed 4 years ago
Inappropriate use of nsContentPolicyType::TYPE_OTHER in nsContentSecurityUtils::IsDownloadAllowed()
Categories
(Core :: DOM: Security, task, P2)
Tracking
RESOLVED
FIXED
81 Branch
| | Tracking | Status |
|---|---|---|
| firefox81 | --- | fixed |
People
(Reporter: freddy, Assigned: sstreich)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
The file in https://searchfox.org/mozilla-central/source/dom/security/nsContentSecurityUtils.cpp#1131 is using TYPE_OTHER for a check on downloads.
Reporter • Comment 1 • 4 years ago
I saw you implemented this recently and the function is passed a channel and is creating a new loadinfo on the fly for a mixed content blocking check. Wouldn't it make sense to inherit the contentpolicytype from the existing channel?
Flags: needinfo?(sstreich)
Assignee • Comment 2 • 4 years ago
Downloads caused by a navigation mostly have type_document or type_subdocument, which always pass the mixed-content blocker. So I chose type_other because there was no better option that gets the full mcb check.
Flags: needinfo?(sstreich)
Reporter • Comment 3 • 4 years ago
I think we need to change Mixed Content Blocking to not give a free pass to the TYPE_SAVEAS_DOWNLOAD anymore and use that in our callsite instead.
Assignee • Updated • 4 years ago
Assignee: nobody → sstreich
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Assignee • Comment 4 • 4 years ago
Pushed by cbrindusan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/19abcf869c39
Make Type:SaveAsDownload subject to mixedContentBlocking r=ckerschb
Comment 6 • 4 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox81: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch