DOM Sanitizer API should parse into a throw-away "loaded as data" document
Categories
(Core :: DOM: Security, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox81 | --- | unaffected |
| firefox82 | --- | wontfix |
| firefox83 | --- | disabled |
| firefox88 | --- | wontfix |
| firefox89 | --- | wontfix |
| firefox90 | --- | fixed |
People
(Reporter: hsivonen, Assigned: freddy)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, sec-moderate, Whiteboard: [domsecurity-active][post-critsmash-triage][adv-main90-])
Attachments
(1 file)
Currently, dom/security/sanitizer/Sanitizer.cpp uses a DocumentFragment whose owner is the document of the script global.
To avoid initiating fetches for img/audio/etc. src if the node gets removed by the sanitizer, the DocumentFragment used as parsing target should belong to a Document that has its "loaded as data" bit set.
|
Reporter | |
Updated•4 years ago
|
|
|
Reporter | |
Comment 1•4 years ago
|
||
The relevant Web-exposed API is preffed off, but the same problem applies elsewhere, too. Let's keep this bug hidden as long as the related bugs are.
|
Assignee | |
Comment 2•4 years ago
|
||
I can take it, but I'm going to have questions down the line. Thanks for filing, Henri!
|
||
Comment 3•4 years ago
|
||
Set release status flags based on info from the regressing bug 1652481
|
||
Updated•4 years ago
|
|
|
Reporter | |
Updated•4 years ago
|
|
|
Reporter | |
Comment 4•4 years ago
|
||
(In reply to Frederik Braun [:freddy] from comment #2)
I can take it, but I'm going to have questions down the line. Thanks for filing, Henri!
Bug 1666300 part 2 provides a function that will be of use here.
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 5•4 years ago
|
||
Masato Kinugawa (now in CC) found the same thing.
The Sanitizer API will make requests when parsing markup with external resources and really shouldn't.
E.g., (new Sanitizer()).sanitize("<img src='https://example.com'></img>")
|
|
Assignee | |
Comment 6•4 years ago
|
||
|
||
Comment 7•4 years ago
|
||
Landed: https://hg.mozilla.org/integration/autoland/rev/3907dd86dd7151339fa556b5395bb8e12a6afc59
Backed out because it was not intended to land: https://hg.mozilla.org/integration/autoland/rev/1659fc495cb441a8e2b37ff835842797149f2a5f
|
|
||
Comment 8•4 years ago
|
||
use inert document within Sanitizer API r=hsivonen
https://hg.mozilla.org/integration/autoland/rev/eb9d5a5e536db27799161a7883a925a979411d3a
https://hg.mozilla.org/mozilla-central/rev/eb9d5a5e536d
|
||
Updated•4 years ago
|
|
|
||
Comment 9•4 years ago
|
||
The patch landed in nightly and beta is affected.
:freddy, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 10•4 years ago
|
||
It's a disabled configuration and we're explicitly asking for folks to test on Nightly. I don't think the uplift is justified.
I'm wondering if a status of "disabled" is better than "wontfix" for the general analyses? Both apply here and I'm taking the bots recommendation.
|
||
Comment 11•4 years ago
|
||
Could this be manualy verified? If yes, please help us with some specific steps or a testcase.
|
|
Assignee | |
Comment 12•4 years ago
|
||
No need, the patch comes with an automated test.
|
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
|
||
Comment 14•4 years ago
|
||
Actually, if this is disabled in release we don't need an advisory.
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
Description
•