Open Bug 1712580 Opened 4 years ago Updated 2 years ago

Intelligently handle file: origins w.r.t. Spectre

Categories

(Core :: Security, task)

People

(Reporter: tjr, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [spectre-blocker][sp3])

As described on GitHub and especially in Chromium's bug tracker - if an attacker is running a script in a file:// origin, it can use <img> (but not fetch) to get local files in-memory, including things like the cookie jar. Before we disable Spectre mitigations we should ensure we have some mitigations in place for this.

Chrome seems to be headed down a path that does both Site Isolation for file:// origins and some form of CORB for cross-directory requests.

In the shorter term, we could also just not disable Spectre mitigations for file:// origins (and only web origins).
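The two mitigations sketched above, as an added example that is not Firefox or Chromium code: a per-document decision that keeps Spectre JIT mitigations on for anything that is not an http(s) web origin, and a CORB-style check that lets a file:// document load file:// subresources only from its own directory or a subdirectory. Function names, the "same directory or below" rule, and the sample paths (including the cookie-jar path) are assumptions constructed for illustration; the WHATWG URL parser does the dot-segment normalization, with a second guard in case a segment survives unresolved.

```javascript
// Added example, not browser code. Models two policies discussed in the bug for
// file:// documents. All names and rules here are assumptions.

// 1. Short-term option: keep Spectre mitigations enabled for every document
//    that is not an http(s) web origin (so file:// keeps them).
function keepSpectreMitigations(documentUrl) {
  const u = new URL(documentUrl);
  return !(u.protocol === 'http:' || u.protocol === 'https:');
}

// Directory of a file: URL as a list of path segments. WHATWG URL parsing has
// already resolved '.', '..' and '%2e' segments; any that survive are treated
// as ambiguous and rejected by the caller.
function fileDirectory(fileUrl) {
  const u = new URL(fileUrl);
  if (u.protocol !== 'file:') {
    throw new TypeError(`expected a file: URL, got ${fileUrl}`);
  }
  const segments = u.pathname.split('/').filter((s) => s !== '');
  // Keep the directory only; a trailing slash means the URL already names one.
  if (!u.pathname.endsWith('/')) segments.pop();
  const ambiguous = segments.some((s) => {
    const d = decodeURIComponent(s);
    return d === '.' || d === '..';
  });
  return { host: u.host, segments, ambiguous };
}

// 2. CORB-style cross-directory rule: a file:// document may only load file://
//    subresources that live in its own directory or below it. Non-file documents
//    and non-file subresources are left to the usual web rules (assumption).
function allowFileSubresource(documentUrl, requestUrl) {
  const doc = new URL(documentUrl);
  const req = new URL(requestUrl);
  if (doc.protocol !== 'file:' || req.protocol !== 'file:') return true;

  const d = fileDirectory(documentUrl);
  const r = fileDirectory(requestUrl);
  if (d.ambiguous || r.ambiguous) return false;   // fail closed on odd segments
  if (d.host !== r.host) return false;             // file://host/ must match
  if (r.segments.length < d.segments.length) return false;
  return d.segments.every((seg, i) => seg === r.segments[i]);
}

// Constructed sample: a local page next to an image, and a sibling profile
// directory holding a cookie database (path chosen for illustration only).
const page = 'file:///home/user/docs/page.html';
console.log(keepSpectreMitigations(page));                                   // true
console.log(allowFileSubresource(page, 'file:///home/user/docs/img/a.png')); // true
console.log(allowFileSubresource(page, 'file:///home/user/.mozilla/cookies.sqlite'));     // false
console.log(allowFileSubresource(page, 'file:///home/user/docs/../.mozilla/cookies.sqlite')); // false
```

The directory rule is deliberately coarse: it blocks the <img>-to-cookie-jar case from the report without needing to sniff content, at the cost of blocking a legitimate page that references an image in a parent directory. Case-insensitive filesystems and Windows drive letters are not modelled here.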

How does this relate to JavaScript JITs? Did you mean to set a different component?

Flags: needinfo?(tom)

Preset when filing.

Component: JavaScript Engine: JIT → Security
Flags: needinfo?(tom)

We discussed this and consider it a blocker for disabling Spectre mitigations.

file:// origins are pretty icky for a lot of reasons, so not disabling Spectre mitigations feels like a reasonable goal in the short/medium term.

Whiteboard: [spectre-blocker]
Depends on: 1734202
Severity: -- → S4
Type: defect → task
Severity: S4 → N/A
Whiteboard: [spectre-blocker] → [spectre-blocker][sp3]