Closed Bug 1694183 Opened 3 years ago Closed 3 years ago

Cross-origin read SOP violation by extension via search provider via redirect

Categories

(Firefox :: Search, defect, P3)

Product:
Firefox
Component:
Search
Type:
defect
Points:
3

Tracking

()

Status:
RESOLVED FIXED
Milestone:
88 Branch
Iteration:
88.1 - Feb 22 - Mar 7
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox86 --- wontfix
firefox87 --- fixed
firefox88 --- fixed

People

(Reporter: standard8, Assigned: standard8)

References

Details

(Keywords: csectype-other, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main87-])

Attachments

(2 files)

Bug 1694183 - When loading icons, use the content type of the final target, not a redirect response. r?mak!
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
Details | Review
Bug 1694183 - Add tests to ensure that search icons are correctly loaded via redirects. r?mak!
48 bytes, text/x-phabricator-request
Details | Review

+++ This bug was initially created as a clone of Bug #1692623 +++

This bug is to address fixing the case from bug 1692623 comment 11, where a icon URL that is pointing to a redirect could still load a resource that is not an image url.

This will also fix handling of content types when a redirect is involved.

Group: firefox-core-security

https://hg.mozilla.org/mozilla-central/rev/2c32450f0125

Group: firefox-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox86: --- → wontfix
status-firefox87: --- → affected
status-firefox88: --- → fixed
status-firefox-esr78: --- → fix-optional
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
Group: cloud-services-security

For QA: This is harder to test, since it would need something that redirected with the wrong content type. I think we can probably qe-verify- here as we've got tests.

Flags: qe-verify-

Comment on attachment 9204617 [details]
Bug 1694183 - When loading icons, use the content type of the final target, not a redirect response. r?mak!

Beta/Release Uplift Approval Request

  • User impact if declined: We should probably uplift this so it is released at the same time as its partner bug - bug 1692623, though I don't think it is critical.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce: Difficult for QA to reproduce without custom set-up.
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Small change to correct how redirects and content types are working. We already have tests (not landed yet due to security issue) to check it works.
  • String changes made/needed: None
Attachment #9204617 - Flags: approval-mozilla-beta?
Attachment #9204618 - Flags: approval-mozilla-beta?
Attachment #9204618 - Flags: approval-mozilla-beta?

Comment on attachment 9204617 [details]
Bug 1694183 - When loading icons, use the content type of the final target, not a redirect response. r?mak!

Approved for 87.0b3.

Attachment #9204617 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

From earlier discussion with Mark, I don't believe this needs backport to ESR. Feel free to nominate if you feel strongly otherwise, however.

status-firefox-esr78: fix-optionalwontfix
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main87-]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: