Open Bug 1890739 Opened 1 year ago Updated 1 year ago

Consider making nsIPrincipal::webExposedOriginSerialization available to JS

Categories: Core :: DOM: Security, enhancement, P3

People: Reporter: zombie, Unassigned

Details: Whiteboard: [domsecurity-backlog3]

This was intentionally marked as [noscript] in D58537 to avoid confusion and misuse for security checks, but those risks should be mostly addressed after renaming in bug 1839920.

IMO the fact that we don't expose this is also a footgun in the other direction: people use principal.origin or .originNoSuffix incorrectly when the intention is to return the origin as exposed to the web (see example in D206989).

(The correct thing to do currently is to use new URL(prin.originNoSuffix).origin, but that comes with cognitive/memory/perf overhead.)

Severity: -- → N/A
Priority: -- → P3
Whiteboard: [domsecurity-backlog3]
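
The distinction drawn in the report, as an added example that is not part of the original bug or of Gecko's code: it runs the quoted workaround with the standard URL API and shows what each serialization keeps or drops. The principal objects are constructed plain-object stand-ins carrying only origin and originNoSuffix, their values (a ^userContextId= origin attributes suffix and moz-nullprincipal: identifiers) are constructed samples, and the helper names are hypothetical.

```javascript
// Constructed stand-ins for nsIPrincipal: plain objects carrying only the two
// string attributes named in the bug. All values below are constructed samples.
const containerA = {
  origin: "https://example.com^userContextId=1", // origin attributes suffix
  originNoSuffix: "https://example.com",
};
const containerB = {
  origin: "https://example.com^userContextId=2",
  originNoSuffix: "https://example.com",
};
const nullA = {
  origin: "moz-nullprincipal:{11111111-1111-4111-8111-111111111111}",
  originNoSuffix: "moz-nullprincipal:{11111111-1111-4111-8111-111111111111}",
};
const nullB = {
  origin: "moz-nullprincipal:{22222222-2222-4222-8222-222222222222}",
  originNoSuffix: "moz-nullprincipal:{22222222-2222-4222-8222-222222222222}",
};

// The workaround quoted in the bug: reparse originNoSuffix and let the URL
// parser produce the origin serialization that web content would see.
function webExposedOrigin(principal) {
  return new URL(principal.originNoSuffix).origin;
}

// Hypothetical helper: which distinctions does each serialization preserve?
// String equality is used only to illustrate; it is not how Gecko compares
// principals.
function compareSerializations(a, b) {
  return {
    internalEqual: a.origin === b.origin,
    webExposedEqual: webExposedOrigin(a) === webExposedOrigin(b),
  };
}

// Hypothetical helper: does this attribute differ from the web-exposed form,
// i.e. carry an origin attributes suffix or a null principal identifier?
function leaksInternalState(principal, attribute) {
  return principal[attribute] !== webExposedOrigin(principal);
}

console.log(webExposedOrigin(containerA), webExposedOrigin(nullA));
console.log(compareSerializations(containerA, containerB));
console.log(compareSerializations(nullA, nullB));
console.log(leaksInternalState(containerA, "origin"), leaksInternalState(nullA, "originNoSuffix"));
```

The web-exposed string reports both container principals as the same origin and both null principals as "null", so it fits reporting an origin to content and not a security check; origin and originNoSuffix keep those distinctions but are not the form web content expects.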