Open
Bug 1917890
Opened 10 months ago
Updated 9 months ago
Require that WebChannels use https:// URLs
Categories
(Toolkit :: General, enhancement)
Toolkit
General
Tracking
()
NEW
People
(Reporter: mccr8, Unassigned)
References
(Depends on 1 open bug)
Details
Attachments
(1 file)
WebChannels allow chrome JS to grant powerful capabilities to specific websites. We should only allow this for sites using https:// so we don't have to worry about MITM problems. In practice, the two URI-based WebChannels we are currently using, for Firefox accounts and the profiler, do hard code https:// websites, so this is more of a defense in depth.
Changing the code is simple, but there are two blockers here that I can see
- Tests. There are a number of tests that create WebChannels (browser_remoteTroubleshoot.js, browser_fxa_web_channel.js, browser_web_channel.js and test_web_channel.js.) or set preferences to change the URL of the WebChannel (in devtools/client/performance-new/test/browser/, and browser_fxa_web_channel.js) that use http:// websites, for no particular reason I can see. I have patches for some of these.
- Firefox accounts user servers. A use of Firefox accounts can specify their own server via the preference
identity.fxaccounts.autoconfig.uri. Nothing restricts this to https and it is by definition set by a user so we don't know what people are actually doing. In the short term, maybe we have to add a carveout to skip the check if the URI comes from here. In the long term, it would likely be better if Firefox accounts enforces https there, too, but again who knows how much of an issue that will be.
|
Reporter | |
Comment 1•10 months ago
|
||
|
|
Reporter | |
Updated•10 months ago
|
Summary: Require WebChannels use https:// URLs → Require that WebChannels use https:// URLs
|
|
Reporter | |
Comment 2•10 months ago
|
||
One funny thing I noticed is that the you can technically pass in any object with a prePath property to the WebChannel constructor, rather than requiring that it is an nsIURI, which seems like a bad idea so I added a check.
| Comment hidden (obsolete) |
|
||
Updated•10 months ago
|
Flags: needinfo?(sclements)
| Comment hidden (obsolete) |
|
|
Reporter | |
Updated•9 months ago
|
Type: defect → enhancement
Flags: needinfo?(sclements)
You need to log in
before you can comment on or make changes to this bug.
Description
•