1907303 - Firefox DLP scan not happening after pasting clipboard data in content editable area from another Firefox window

Status: VERIFIED FIXED

(Firefox :: Data Loss Prevention, defect, P2)

Description

[Alexandru Trif, Desktop Test Engineering [:atrif]]

Attachment: dlp_content.gif

Found in

• 129.0b2

Affected versions

• 130.0a1 (2024-06-10)
• 129.0b2

Tested platforms

• Affected platforms: Windows 10x64, Windows 11
• Unaffected platforms: macOS, Ubuntu

Preconditions

• Download the DLP test assets from https://drive.google.com/file/d/1yjqVRuxdKV3WnO7D2wzMgDXBuYBxUgVw/view
• Create a distribution folder inside the Firefox folder and paste the policies-2.json to it and then rename it to policies.json
• run the DLP agent in CMD using: .\content_analysis_sdk_agent.exe --user --toblock=.\d{3}-?\d{2}-?\d{4}. --towarn=.warn. --delays=10

Steps to reproduce

1. Open https://en.wikipedia.org/wiki/1234567890 and open another Firefox window.
2. In the new window open https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/contenteditable.
3. Copy 123456789 from one window and paste it inside the output area of the second window.

Expected result

• DLP scan is started and the content is not pasted.

Actual result

• No DLP scan is happening and the content is pasted.

Regression range

• Not a regression. New feature.

Additional notes

• Attached a screen recording.
• This is also happening while copying content from another Firefox instance.
• This issue is not reproducible while copying content from Notepad.

Comment 1

[Greg Stoll :gstoll]

It looks like the problem is that we're failing to get text/html data from the nsITransferable. Not sure why yet.

Comment 2

[Greg Stoll :gstoll]

I think we need to handle the application/x-moz-nativehtml datatype.

Comment 3

[Greg Stoll :gstoll]

Attachment: Bug 1907303 - make Content Analysis check native clipboard format as well r=#dlp-reviewers!

Comment 4

[Pulsebot]

Pushed by gstoll@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1c21c5bc6bd3
make Content Analysis check native clipboard format as well r=dlp-reviewers,handyman

Comment 5

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/1c21c5bc6bd3

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:gstoll, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox129 to wontfix.

For more information, please visit BugBot documentation.

Comment 7

[Greg Stoll :gstoll]

Attachment: Bug 1907303 - make Content Analysis check native clipboard format as well r=#dlp-reviewers!

• Check for native Windows clipboard format (kNativeHTMLMime) as well as plain text and HTML
• Make CheckClipboardContentAnalysisAsText() check for nsISupportsCString as well as nsISupportsString, as the kNativeHTMLMime format uses nsISupportsCString.
• Update test to correctly check pasting when copying from Firefox - if allowPaste is false, the paste should not happen. This test was wrong before this change and would have shown this problem if it had been correct.

Original Revision: https://phabricator.services.mozilla.com/D216358

Comment 8

[Phabricator Automation]

beta Uplift Approval Request

• User impact if declined: Users will be able to circumvent DLP agents
• Code covered by automated testing: yes
• Fix verified in Nightly: no
• Needs manual QE test: no
• Steps to reproduce for manual QE testing: n/a - QA already has a test plan for all of DLP and they will keep running this test plan in Beta after this lands
• Risk associated with taking this patch: low
• Explanation of risk level: only affects DLP, and QA will run manual tests in Beta after this lands
• String changes made/needed: no
• Is Android affected?: no

Comment 9

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-beta/rev/a96ec2bfd9ad

Comment 10

[Alexandru Trif, Desktop Test Engineering [:atrif]]

Verified fixed with Firefox 130.0a1 (2024-07-17) and Firefox 129.0b6 (20240717192236) from comment 9. Pasting content from another Firefox window into the content editable area will trigger the DLP scan. I am setting esr 128 as affected for better tracking.

Comment 11

[Greg Stoll :gstoll]

Attachment: Bug 1907303 - make Content Analysis check native clipboard format as well

• Check for native Windows clipboard format (kNativeHTMLMime) as well as plain text and HTML
• Make CheckClipboardContentAnalysisAsText() check for nsISupportsCString as well as nsISupportsString, as the kNativeHTMLMime format uses nsISupportsCString.
• Update test to correctly check pasting when copying from Firefox - if allowPaste is false, the paste should not happen. This test was wrong before this change and would have shown this problem if it had been correct.

Original Revision: https://phabricator.services.mozilla.com/D216358

Comment 12

[Greg Stoll :gstoll]

esr128 Uplift Approval Request

• User impact if declined: Users will be able to circumvent DLP agents
• Code covered by automated testing: yes
• Fix verified in Nightly: yes
• Needs manual QE test: no
• Steps to reproduce for manual QE testing: n/a
• Risk associated with taking this patch: low
• Explanation of risk level: only affects DLP
• String changes made/needed: no
• Is Android affected?: no

Comment 13

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-esr128/rev/6bbd42968244

Comment 14

[Alexandru Trif, Desktop Test Engineering [:atrif]]

Verified as fixed on Firefox 128.3.0esr, build ID 20240911002735 (from Treeherder), using Windows 10/11.