NotificationDB.sys.mjs does not perform origin checks on received messages
Categories
(Core :: DOM: Notifications, defect)
People
(Reporter: tjr, Unassigned)
References
(Blocks 1 open bug)
Details
This would allow a rogue content process to forge Notifications from another domain, which could be used for phishing-type attacks.
Comment 1•2 years ago
The severity field is not set for this bug.
:tspurway, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 2•2 years ago
:mardak, could you take a quick look at this - it sounds a bit sinister
Comment 3•2 years ago
gerard-majax, do you recall if origin checks weren't necessary for some of these messages?
Comment 4•2 years ago
I see two NotificationDB.jsm, which one are we talking about?
Comment 5•2 years ago
This probably applies to both the old and new implementation (new is used on Nightly, old is used on other branches).
Comment 6•2 years ago
(In reply to Ed Lee :Mardak from comment #3)
> gerard-majax, do you recall if origin checks weren't necessary for some of these messages?

I'm sorry, but this is code that was already there, and I really have no memory of that specific point. Is it possible this is code that back then was only exposed through privileged APIs and not to general content, and thus we did not really have to care?
Comment 7•2 years ago
This code has only ever been exposed through privileged APIs. The concern is about privilege escalation when a content process gets taken over by a hostile website. E.g. if you visit evil dot com and that website manages to use an exploit to take over the child process, we don't want it to be able to start pushing out things that look like Gmail notifications.
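The escalation described in comment 7, as an added example that is not Firefox's NotificationDB code: a simplified parent-process notification store that receives "save" messages from content processes. The `sender.principalOrigin` field stands in for the origin the parent already knows a content process is allowed to act for, and the message shape is an assumption; the point is that the database key must come from that trusted record, not from the payload.

```javascript
// Added example, not Firefox's NotificationDB code. Models a parent-process
// store fed by "save notification" messages from content processes.
// `sender.principalOrigin` is an assumed stand-in for the parent's own
// knowledge of which origin the sending process hosts.

function createStore() {
  return new Map(); // origin -> array of saved notifications
}

// Vulnerable handler: the origin used as the database key is taken from the
// message payload, so a compromised content process can choose any origin.
function saveUnchecked(store, sender, msg) {
  const list = store.get(msg.origin) ?? [];
  list.push(msg.notification);
  store.set(msg.origin, list);
  return { ok: true, origin: msg.origin };
}

// Hardened handler: the key comes from the parent's record of the sender,
// and a payload claiming a different origin is rejected and reported, which
// is also the natural place to log or kill the misbehaving process.
function saveChecked(store, sender, msg) {
  const claimed = msg.origin;
  const trusted = sender.principalOrigin;
  if (typeof claimed !== "string" || claimed !== trusted) {
    return { ok: false, reason: "origin mismatch", claimed, trusted };
  }
  const list = store.get(trusted) ?? [];
  list.push(msg.notification);
  store.set(trusted, list);
  return { ok: true, origin: trusted };
}

// Constructed sample: a process hosting https://evil.example sends a message
// whose payload claims to come from https://mail.example.
const sender = { pid: 4242, principalOrigin: "https://evil.example" };
const forged = {
  origin: "https://mail.example",
  notification: { id: "n1", title: "(constructed) forged notification" },
};

// Returns both outcomes so the difference between the handlers is visible.
function demo() {
  return {
    unchecked: saveUnchecked(createStore(), sender, forged),
    checked: saveChecked(createStore(), sender, forged),
  };
}
```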
Comment 8•2 years ago
(In reply to Andrew McCreight [:mccr8] from comment #7)
> This code has only ever been exposed through privileged APIs. The concern is about privilege escalation when a content process gets taken over by a hostile website. eg if you visit evil dot com and that website manages to use an exploit to take over the child process, we don't want it to be able to start pushing out things that look like Gmail notifications.

My point being, I have no memory of specifically having to work on the origin part, so I really don't remember anything specific about it. The only memory I have about it is being used for indexing in the database, and so I assume we expected code calling us to have done the checks.
Comment 9•2 years ago
The severity field is not set for this bug.
:tspurway, could you have a look please?
For more information, please visit auto_nag documentation.