Closed Bug 1689420 Opened 4 years ago Closed 4 years ago

Fix origin header for null principal content dialogs (e.g. alert/prompt/confirm from data: URI pages or sandboxed iframes)

Categories

(Toolkit Graveyard :: Notifications and Alerts, defect, P1)

Product:
Toolkit Graveyard
Component:
Notifications and Alerts
Platform:
Desktop
All
Type:
defect

Tracking

(firefox-esr78 unaffected, firefox85 unaffected, firefox86 wontfix, firefox87 fixed)

Status:
RESOLVED FIXED
Milestone:
87 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox85 --- unaffected
firefox86 --- wontfix
firefox87 --- fixed

People

(Reporter: dholbert, Assigned: mtigley)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, Whiteboard: [proton-modals])

Attachments

(2 files)

screenshot
20.89 KB, image/png
Details
Bug 1689420 - Fix origin header for null principal content dialogs. r?Gijs
48 bytes, text/x-phabricator-request
Details | Review

STR:
(1) Visit data:text/html,<script>alert("hi");</script>
(2) Look at the alert that appears.

ACTUAL RESULTS:
The alert has this line of header text:

The page at moz-nullprincipal: says:

EXPECTED RESULTS:
We shouldn't be using moz-nullprincipal: in user-facing strings.

This principal is perhaps something we should be checking for as a special-case (in our JS), and just using a simpler header string like This page says:

I'm using Nightly 87.0a1 (2021-01-27) (64-bit)

Looks like this text was added in bug 1682393.

Micah, mind taking a look? Could we add a special-case for alerts from moz-nullprincipal: to avoid putting that string in front of users?

Depends on: 1682393
Flags: needinfo?(tigleym)
Attached image screenshot
Severity: -- → S3
Priority: -- → P3
Summary: In JS alert() from data URI, there's a header "The page at moz-nullprincipal: says:" → Fix origin header for null principal alerts (e.g. from data: URI pages)
Whiteboard: [proton-modals]
OS: Unspecified → All
Hardware: Unspecified → Desktop
Summary: Fix origin header for null principal alerts (e.g. from data: URI pages) → Fix origin header for null principal content dialogs (e.g. alert/prompt/confirm from data: URI pages or sandboxed iframes)
Version: unspecified → Trunk

Yep, I can take a look!

Assignee: nobody → mtigley
Blocks: proton-modals
Status: NEW → ASSIGNED
Regressed by: 1682393

Set release status flags based on info from the regressing bug 1682393

status-firefox85: --- → unaffected
status-firefox86: --- → affected
status-firefox87: --- → affected
status-firefox-esr78: --- → unaffected
Flags: needinfo?(tigleym)

As noted on phabricator, it's a recent regression (held to nightly + early beta) for toplevel data: URIs, but the same bug actually pre-dated all our changes here, for the sandboxed iframes. The regressor there was bug 1594781

Regressed by: 1594781
No longer regressed by: 1682393
Has Regression Range: --- → yes

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: General → DOM: Security
Product: Firefox → Core

The product::component has been changed since the backlog priority was decided, so we're resetting it.
For more information, please visit auto_nag documentation.

Priority: P3 → --
Component: DOM: Security → Notifications and Alerts
Priority: -- → P1
Product: Core → Toolkit
Pushed by mtigley@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/85fc997b1e57 Fix origin header for null principal content dialogs. r=Gijs

https://hg.mozilla.org/mozilla-central/rev/85fc997b1e57

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox87: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch

The patch landed in nightly and beta is affected.
:mtigley, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(mtigley)
Flags: needinfo?(mtigley)
See Also: → 1786514
Product: Toolkit → Toolkit Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: