Closed Bug 1886558 Opened 3 months ago Closed 27 days ago

Content Analysis should not check any about: pages

Categories

(Firefox :: Data Loss Prevention, defect)

Tracking

VERIFIED FIXED
128 Branch
Tracking Status
firefox128 --- verified
firefox129 --- verified

People

(Reporter: gstoll, Assigned: gstoll)

Attachments

(1 file)

Our "usual" check for whether a page is exempt from DLP is something like BrowsingContext::IsChrome(). On D200979, emilio pointed out that only a few about: pages are loaded in chrome (specifically about:config, about:preferences, and about:support), and the rest are loaded in content.

We think it makes sense to make all about: pages exempt from DLP. Maybe the easiest way is to just add about:.* to the browser.contentanalysis.allow_url_regex_list list.

The severity field is not set for this bug.
:handyman, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(davidp99)
Severity: -- → S3
Flags: needinfo?(davidp99)

Does that mean someone can exfiltrate a password via about:logins?

DLP only covers pasting from the clipboard, not copying to the clipboard, so in any case it wouldn't cover this.

about:logins does support editing passwords and a user could be pasting in an updated password there. We're already considering this a bug, but we'll reconsider whether or not it must go into our 1.0 version.

Assignee: nobody → gstoll
Status: NEW → ASSIGNED
Pushed by gstoll@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bfb8443208d5
exempt about pages from DLP r=dlp-reviewers,handyman
Status: ASSIGNED → RESOLVED
Closed: 27 days ago
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch
Regressions: 1901065

Verified as fixed on Firefox 128.0b1 and on Firefox Nightly 129.0a1 (2024-06-10), using Windows 11. The about: pages (about:logins, about:config, about:preferences, about:addons, about:checkerboard) are exempt from DLP analysis (when using a policies.json that does not alter the pref value - e.g. policies-2.json).

I can also confirm that the browser.contentanalysis.allow_url_regex_list pref is set to ":(?!blank|srcdoc).*" (due to Bug 1901065).

Status: RESOLVED → VERIFIED
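
The thread discusses two shapes of allow-list entry: the broad `about:.*` from the description and a negative-lookahead form excluding `blank` and `srcdoc` from the verification comment. The following is an added example, not code from Firefox or from this bug, that audits which URLs each shape would exempt. It assumes the pref is a space-separated list of regexes that must match the whole URL; the `about` prefix on the lookahead form, the sample URLs and all function names are constructed for illustration.

```javascript
// Added example: audit candidate allow-list values before deploying them.
// Assumptions (not taken from Firefox source): the pref value is a
// space-separated list of regexes, and a URL is exempt from analysis
// when any one regex matches the entire URL.
function parseAllowList(prefValue) {
  return prefValue
    .split(/\s+/)
    .filter(Boolean)
    .map((src) => new RegExp(`^(?:${src})$`)); // force whole-URL match
}

function isExempt(url, prefValue) {
  return parseAllowList(prefValue).some((re) => re.test(url));
}

// BROAD is the form proposed in the bug description.
// NARROW is a constructed variant built on the lookahead quoted in the
// verification comment; the "about" prefix is an assumption.
const BROAD = "about:.*";
const NARROW = "about:(?!blank|srcdoc).*";

// Constructed sample URLs for the audit.
const SAMPLE_URLS = [
  "about:logins",
  "about:config",
  "about:blank",
  "about:srcdoc",
  "https://example.com/?q=about:config",
];

// Return the URLs that a given pref value would exempt.
function auditPattern(prefValue, urls = SAMPLE_URLS) {
  return urls.filter((u) => isExempt(u, prefValue));
}

// Return the URLs exempted by value `a` but still analyzed under value `b`.
function diffExemptions(a, b, urls = SAMPLE_URLS) {
  const exemptUnderB = new Set(auditPattern(b, urls));
  return auditPattern(a, urls).filter((u) => !exemptUnderB.has(u));
}

console.log("broad :", auditPattern(BROAD));
console.log("narrow:", auditPattern(NARROW));
console.log("only exempt under broad:", diffExemptions(BROAD, NARROW));
```

Running the same audit against an organization's own `policies.json` value shows whether a custom pattern exempts more pages than intended.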