Closed Bug 1942025 Opened 1 year ago Closed 1 year ago

The CSP of about:privatebrowsing is too permissive

Tracking

()

Status:

RESOLVED FIXED

Milestone:

136 Branch

Tracking Flags:

Tracking

Status

firefox-esr115

---

wontfix

firefox-esr128

---

wontfix

firefox134

---

wontfix

firefox135

---

wontfix

firefox136

fixed

People

(Reporter: tschuster, Assigned: tschuster)

References

Details

(Keywords: sec-want, Whiteboard: [adv-main136-])

Attachments

(1 file)

Bug 1942025 - Improve the about:privatebrowsing CSP. r?#firefox-desktop-core-reviewers 1 year ago Tom Schuster 48 bytes, text/x-phabricator-request		Details \| Review

Tom Schuster

Assignee

Description

•

1 year ago

The about:privatebrowsing page uses the following CSP policy: default-src chrome: blob:; object-src 'none'. This means scripts/styles etc. can be loaded dynamically from a blob URL. I didn't immediately see where this page even uses blobs. All our default-src policy should only include chrome: and resource:.

Tom Schuster

Assignee

Comment 1

•

1 year ago

It seems like we load the logo inside the search bar from a blob URL.

Tom Schuster

Assignee

Comment 2

•

1 year ago

Attached file Bug 1942025 - Improve the about:privatebrowsing CSP. r?#firefox-desktop-core-reviewers — Details

Phabricator Automation

Updated

•

1 year ago

Assignee: nobody → tschuster

Status: NEW → ASSIGNED

Tom Schuster

Assignee

Updated

•

1 year ago

Keywords: sec-want

Pulsebot

Comment 3

•

1 year ago

Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/32d761bfc411 Improve the about:privatebrowsing CSP. r=firefox-desktop-core-reviewers ,Gijs

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 4

•

1 year ago

https://hg.mozilla.org/mozilla-central/rev/32d761bfc411

Group: firefox-core-security → core-security-release

Status: ASSIGNED → RESOLVED

Closed: 1 year ago

status-firefox136: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → 136 Branch

Donal Meehan [:dmeehan]

Updated

•

1 year ago

status-firefox134: --- → wontfix

status-firefox135: --- → affected

status-firefox-esr115: --- → wontfix

status-firefox-esr128: --- → affected

tracking-firefox135: --- → +

tracking-firefox136: --- → +

tracking-firefox-esr128: --- → 135+

BugBot [:suhaib / :marco/ :calixte]

Comment 5

•

1 year ago

The patch landed in nightly and beta is affected.
:tschuster, is this bug important enough to require an uplift?

If yes, please nominate the patch for beta approval.
If no, please set status-firefox135 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(tschuster)

Tom Schuster

Assignee

Comment 6

•

1 year ago

I don't think we need to uplift this.

Flags: needinfo?(tschuster)

Tom Schuster

Assignee

Updated

•

1 year ago

status-firefox135: affected → wontfix

Donal Meehan [:dmeehan]

Updated

•

1 year ago

status-firefox-esr128: affected → wontfix

tracking-firefox135: + → ---

tracking-firefox-esr128: 135+ → ---

Andrei Vaida [:avaida]

Updated

•

1 year ago

QA Whiteboard: [post-critsmash-triage]

Flags: qe-verify-

Daniel Veditz [:dveditz]

Updated

•

1 year ago

Whiteboard: [adv-main136-]

Daniel Veditz [:dveditz]

Updated

•

10 months ago

Group: core-security-release

You need to log in before you can comment on or make changes to this bug.

Bugzilla

The CSP of about:privatebrowsing is too permissive

Categories

(Firefox :: Private Browsing, defect)

Tracking

()

People

(Reporter: tschuster, Assigned: tschuster)

References

Details

(Keywords: sec-want, Whiteboard: [adv-main136-])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Updated

Updated

Comment 3

Comment 4

Updated

Comment 5

Comment 6

Updated

Updated

Updated

Updated

Updated

Attachment

General

Description

File Name

Content Type