Closed Bug 1727803 Opened 4 years ago Closed 3 years ago

about:sync extension bypasses security mechanisms in the browser

Categories

(Core :: Security, defect)

Tracking

RESOLVED FIXED
93 Branch
Tracking Status
firefox93 --- fixed

People

(Reporter: tjr, Assigned: tjr)

References

(Blocks 1 open bug)

Attachments

(1 file)

While digging into crashes caused by unexpected JavaScript being executed in the parent process (Bug 1727500) I happened to notice that the first several crashes I saw had the about:sync extension installed.

After I installed it in a debug build I immediately got a few violations that included:

Lack of a secure Content Security Policy - nsContentSecurityUtils::AssertAboutPageHasCSP: foundDefaultSrc (about: page must contain a CSP including default-src)

data: URIs being loaded by the parent - data:,new function() {\n Components.utils.import(\"chrome://aboutsync/content/AboutSyncRedirector.js\");\n AboutSyncRedirector.register();\n}

It seems like this extension has a relatively small user-base (~1100 users per AMO) and is relatively stable (no new commits in 2 years.) (Unrelated, it's also pretty awesome; I had no idea it existed.)
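The first violation quoted in the comment above requires an about: page to carry a CSP that includes default-src. The following is an added example, not code from this bug, the extension, or Firefox: it lints page markup for that property. The function names and sample pages are constructed, and it assumes the policy is delivered through a meta tag.

```javascript
// Added example: static lint for the requirement quoted in the assertion text
// ("about: page must contain a CSP including default-src").
// Not Firefox code; function names and sample pages are constructed.

// Collect the content of every <meta http-equiv="Content-Security-Policy"> tag.
function extractMetaCsp(html) {
  const policies = [];
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    const attrs = {};
    for (const m of tag.matchAll(/([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g)) {
      attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
    }
    if ((attrs["http-equiv"] || "").toLowerCase() === "content-security-policy") {
      policies.push(attrs.content || "");
    }
  }
  return policies;
}

// Parse one serialized policy into directive name -> source list.
// Directive names are case-insensitive; a repeated directive is ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report whether the page declares any policy with a default-src directive.
function checkAboutPage(html) {
  const policies = extractMetaCsp(html);
  if (policies.length === 0) return { ok: false, reason: "no CSP" };
  const found = policies.some((p) => parseCsp(p).has("default-src"));
  return found
    ? { ok: true, reason: "default-src present" }
    : { ok: false, reason: "CSP lacks default-src" };
}

// Constructed sample pages.
const PAGE_NO_CSP = `<html><head><title>about:example</title></head></html>`;
const PAGE_NO_DEFAULT =
  `<meta http-equiv="Content-Security-Policy" content="script-src chrome:; img-src data:">`;
const PAGE_OK =
  `<META HTTP-EQUIV='content-security-policy' content="Default-Src chrome: resource:; object-src 'none'">`;
```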

Pushed by tritter@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2664ad84ad11
Create security exemptions for about:sync and about:downloads r=freddyb
Depends on: 1728120
Blocks: 1728122
No longer depends on: 1728120
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 93 Branch
Blocks: 1727770