Closed
Bug 1725339
Opened 3 years ago
Closed 3 years ago
Restrict systemprincipal from loading type *SUBDOCUMENT* via HTTP, HTTPS and (maybe) data.
Categories
(Core :: DOM: Security, task)
Tracking
RESOLVED
FIXED
93 Branch
| | Tracking | Status |
|---|---|---|
| firefox93 | --- | fixed |
People
(Reporter: freddy, Assigned: freddy)
References
(Blocks 1 open bug)
Details
(Whiteboard: [2021-H2][domsecurity-active])
Attachments
(1 file)
This patch will add a pref for blocking type DOCUMENT with scheme HTTP/HTTPS and another pref for scheme DATA.
The http/https is green on try and I propose it for landing, as it is early in the cycle.
I'm also adding a patch that enforces this for data URLs, but it's still running on try. This part won't land as enabled unless the try run isn't immediately green.
Assignee
Updated•3 years ago
Status: NEW → ASSIGNED
Whiteboard: [2021-H2][domsecurity-active]
Assignee
Comment 1•3 years ago
Updated•3 years ago
Attachment #9235920 -
Attachment description: Bug 1725339 - Restrict systemprincipal from loading type *DOCUMENT* via HTTP, HTTPS and data schemes. r?ckerschb! → Bug 1725339 - Restrict systemprincipal from loading type *DOCUMENT* via HTTP, HTTPS and data schemes (data restriction preffed off). r?ckerschb!
Updated•3 years ago
Attachment #9235920 -
Attachment description: Bug 1725339 - Restrict systemprincipal from loading type *DOCUMENT* via HTTP, HTTPS and data schemes (data restriction preffed off). r?ckerschb! → Bug 1725339 - Restrict systemprincipal from loading type *DOCUMENT* via HTTP, HTTPS and data schemes (data restriction preffed OFF). r?ckerschb!
Pushed by fbraun@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ed0cca70a9a5 Restrict systemprincipal from loading type *DOCUMENT* via HTTP, HTTPS and data schemes (data restriction preffed OFF). r=ckerschb
Comment 3•3 years ago
Backed out changeset ed0cca70a9a5 (Bug 1725339) for causing failures on nsContentSecurityManager.
Backout link
Push with failures
Failure Log
Multiple failures found - Failure Log and Failure Log
Flags: needinfo?(fbraun)
Updated•3 years ago
Attachment #9235920 -
Attachment description: Bug 1725339 - Restrict systemprincipal from loading type *DOCUMENT* via HTTP, HTTPS and data schemes (data restriction preffed OFF). r?ckerschb! → Bug 1725339 - Restrict systemprincipal from loading type *SUBDOCUMENT* via HTTP, HTTPS and data schemes (data restriction preffed OFF). r?ckerschb!
Assignee
Comment 4•3 years ago
Changed approach, as discussed in meeting with ckerschb.
Flags: needinfo?(fbraun)
Summary: Restrict systemprincipal from loading type *DOCUMENT* via HTTP, HTTPS and (maybe) data. → Restrict systemprincipal from loading type *SUBDOCUMENT* via HTTP, HTTPS and (maybe) data.
Pushed by fbraun@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/38f039da1eb9 Restrict systemprincipal from loading type *SUBDOCUMENT* via HTTP, HTTPS and data schemes (data restriction preffed OFF). r=ckerschb
Comment 6•3 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox93:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 93 Branch