1767581 - Restrict privileged about principals from loading type *SCRIPT* via HTTP, HTTPS

Status: RESOLVED FIXED

(Core :: DOM: Security, task, P2)

Description

[Daniel Veditz [:dveditz]]

+++ This bug was initially created as a clone of Bug #1767395 +++

what bug 1767395 is doing for SystemPrincipal contexts, we should also do for semi-privileged about: and Web Extension contexts.

Should double-check w/Web Extension folks that this is OK, but since they already have a policy against remote loading of script, it should be fine to enforce it in code.

Comment 1

[Frederik Braun [:freddy]]

Ah, we do not have a notion of a "semi-privileged about context", but it might be easier to just do it based on the process type (e.g., https://searchfox.org/mozilla-central/rev/997a56b018662e2940c99bbaf57a6ac9d1aa5422/dom/ipc/ProcessIsolation.cpp#123-150).
I'll throw together a prototype.

For WebExtensions, I'm not sure if a process-based or a principal-based restriction would work and there are various questions:

• What about privileged Mozilla extensions? Do they run in the parent or in the WebExt process? Do they need to run external script?
• Do we allow weird shenanigans for enterprisey extensions?

Hoping to get an answer from the extension folks :)

Comment 2

[Andreas Wagner [:TheOne] [use NI]]

This sounds good to me on a high-level but I don't know enough about Firefox internals to fully understand all consequences and identify potential edge-cases. Shane, could you weigh in here and flag this for others in the team could provide input?

Comment 3

[Frederik Braun [:freddy]]

Attachment: Bug 1767581 - refactor systemprincipal restrictions, disallow loads without finaluri r?ckerschb,dveditz

This is a bit of a refactor. We need to remove an early-return
for loads that are not from the SystemPrincipal, which moves
some easier checks (allowed content-types) up, to allow for more
efficient early returns.

We'll keep the spagetthi code for existing checks, to be able
to easily iterate and pref-flip if things fail later in the cycle.

This also resolves bug 1638770 and removes the "disallow all"
-pref that proved not be a useful approach anyway.

Comment 4

[Shane Caraveo (:mixedpuppy)]

Please file a separate bug for webextensions.

We'll have to think through this (I haven't as of writing this comment). I'd certainly be inclined to make it happen at least for MV3.

they already have a policy against remote loading of script, it should be fine

Having a policy, and real world can be different things

Comment 5

[Frederik Braun [:freddy]]

Attachment: Bug 1767581 - restrict loads of http/https scripts in the privilegedabout process r?dveditz,ckerschb,tjr

Depends on D145411

Comment 7

[Pulsebot]

Pushed by fbraun@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9e1c758297d8
refactor systemprincipal restrictions, disallow loads without finaluri r=ckerschb,tjr
https://hg.mozilla.org/integration/autoland/rev/b892e222c4d5
restrict loads of http/https scripts in the privilegedabout process r=dveditz

Comment 8

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/9e1c758297d8
https://hg.mozilla.org/mozilla-central/rev/b892e222c4d5