Missing security checks for file:// protocol for fetching sourceMapURL for CSS/JS from devtools
Categories
(DevTools :: Framework, defect)
Tracking
(Not tracked)
People
(Reporter: jdescottes, Unassigned)
References
Details
(Keywords: sec-moderate)
Follow up to Bug 1754066.
We prevented requests to chrome & resource URLs in Bug 1754066, but we still need to decide if we want to restrict the usage of file:// protocol.
As a reminder Chrome to also allow their devtools to fetch sourcemaps using file:// protocol, whereas Safari is more restrictive, only allowing file:// if the document is served by file://
|
Reporter | |
Comment 1•3 years ago
|
||
Hi Dan,
This is a followup bug dedicated to file:// protocol, can you assess the security keyword we should use here?
Also I guess I messed up when creating the bug. I wanted to file it as a security bug, but it only ended up as Confidential, sorry about this :(
|
||
Comment 2•3 years ago
|
||
I'm sympathetic to the use-case, but Safari is actually correct here. It's consistent with how file:// references are treated from web content everywhere else, and file:// links can be used maliciously to prevent someone from debugging pages by pointing at special device names and causing a hang. It's easy enough for a developer to run a localhost server these days
As a special case I wouldn't mind a pref (or devtools setting UI option) that allowed file:// sourceMaps as long as it was opt-in and not the default behavior. I'd like a per-origin permission even better: debugging my own site is one thing, but that doesn't mean I have to be exposed if I poke around a little on any other site where file:// sourceMaps do me no good.
|
|
Reporter | |
Comment 3•3 years ago
|
||
This will be handled completely in Bug 1756763
|
||
Updated•3 years ago
|
|
|
||
Updated•2 years ago
|
Description
•