Use parent process values rather than content process values in ClickHandlerParent and ContextMenuParent
Categories
(Firefox :: Tabbed Browser, enhancement, P1)
Tracking
()
People
(Reporter: nika, Assigned: nika)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-sandbox-escape, sec-want, Whiteboard: [post-critsmash-triage][adv-main110-])
Attachments
(2 files)
Currently we trust arbitrary values for things like the triggering principal sent by content when loading links from ClickHandlerParent and ContextMenuParent, however the relevant principals are already available in the parent process on the actor objects. We should use the parent process values instead of sending them over unstructured JS IPC.
Assignee | ||
Comment 1•2 years ago
|
||
Currently we are sending some values, such as principals, from the content
process when creating a nsContextMenu. This information is already available in
the parent process on WindowGlobalParent, so changes the code to fetch the
values from there instead.
Assignee | ||
Comment 2•2 years ago
|
||
Currently we are sending some values, such as principals, from the content
process when handling clicks from the ClickHandler actor. This information is
already available in the parent process on WindowGlobalParent, so changes the
code to fetch the values from there instead.
Depends on D161835
Updated•1 year ago
|
Updated•1 year ago
|
Comment 3•1 year ago
|
||
Should this be a dep of Bug 1505832?
Updated•1 year ago
|
Assignee | ||
Comment 4•1 year ago
|
||
It's not really an information discovery issue, like what Fission was originally aimed to prevent. This sort of bug would require compromising the content process, not just exercising a spectre-like gadget to read its memory. That being said, the wording of bug 1505832 I suppose could include this as it's quite broad.
Comment 5•1 year ago
|
||
Yeah; 1505832 is really a meta bug for "Bad things a compromised content process can do by impersonating another origin". (So it's not for all sandbox escapes since they usually don't require impersonating another origin)
Comment 6•1 year ago
|
||
There are some r+ patches which didn't land and no activity in this bug for 2 weeks.
:nika, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit auto_nag documentation.
Updated•1 year ago
|
Assignee | ||
Comment 7•1 year ago
|
||
I believe I still have some test failures for this patch stack which I need to look into before landing.
Comment 8•1 year ago
|
||
Backed out for causing mochitest failures in referrer/browser_referrer_open_link_in_container_tab2.js
Backout link: https://hg.mozilla.org/integration/autoland/rev/1209eebe76f27d7c03aa40aaa2d4be75fa7e3c74
INFO - Buffered messages finished
[task 2022-12-13T00:37:23.617Z] 00:37:23 INFO - TEST-UNEXPECTED-FAIL | browser/base/content/test/referrer/browser_referrer_open_link_in_container_tab2.js | policy=[undefined] rel=[undefined] http:// -> http:// - Got "", expected "http://test1.example.com/browser"
[task 2022-12-13T00:37:23.617Z] 00:37:23 INFO - Stack trace:
Comment 9•1 year ago
|
||
Part 1: Stop sending some values from a content process in nsContextMenu, r=Gijs,extension-reviewers,robwu
https://hg.mozilla.org/integration/autoland/rev/8694ca5957b766e1f81deb60cbb09084ed1d6a73
https://hg.mozilla.org/mozilla-central/rev/8694ca5957b7
Part 2: Stop sending some values from a content process in ClickHandler, r=Gijs
https://hg.mozilla.org/integration/autoland/rev/a868f954be082e15cc006e9612f25339c4e8bd89
https://hg.mozilla.org/mozilla-central/rev/a868f954be08
Updated•1 year ago
|
Updated•1 year ago
|
Updated•1 year ago
|
Updated•6 months ago
|
Description
•