Closed Bug 1967731 Opened 10 months ago Closed 10 months ago

VideoDocument starts loading stylsheets/scripts before ClientSource (and thus the ClientInfo) is initialized.

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
141 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox139 --- wontfix
firefox140 + fixed
firefox141 + fixed

People

(Reporter: tschuster, Assigned: tschuster)

References

Details

(Keywords: sec-other, Whiteboard: [adv-main140-])

Attachments

(2 files)

Bug 1967731 - Simplify loading in VideoDocument. r?smaug
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
Details | Review
Bug 1967731 - Test that TopLevelVideoDocument.js loads even with a strict CSP. r?smaug
48 bytes, text/x-phabricator-request
Details | Review

When loading a VideoDocument, we will start loading stylesheets and scripts from VideoDocument::SetScriptGlobalObject. This function is called from nsGlobalWindowOuter::SetNewDocument. However SetNewDocument calls nsGlobalWindowInner::ExecutionReady (which calls EnsureClientSource()) only afterwards. That means we start loading before the document's ClientSource and thus ClientInfo are initialized!

Is there some other point afterwards that we could use to start loading?

Group: dom-core-security

The current setup seems to be there on purpose https://bugzilla.mozilla.org/show_bug.cgi?id=708431
But extensions shouldn't use nsIContentPolicy directly anymore.

I think we do have to worry about page's CSP blocking the script when using a data: or blob: iframe, which would inherit the CSP.
Edit: We can probably just special case these URLs in SubjectToCSP. I am looking.

Blocks: CVE-2025-6427
Assignee: nobody → tschuster
Keywords: sec-moderate

I don't think this warrants sec-moderate by itself. We were purposefully bypassing some security checks, because we don't want the load of these internal sheets and scripts to be blocked (by e.g. extensions or a page's CSP). I mostly filed this as a security bug, because this work blocks bug 1966927 and I didn't want to accidentally leak something.

Attachment #9490002 - Attachment description: WIP: Bug 1967731 - Simplify loading in VideoDocument → Bug 1967731 - Simplify loading in VideoDocument. r?smaug
Severity: -- → S3

Without the exemption added to SubjectToCSP the existing test test_videocontrols_standalone.html would fail with this CSP.

Summary: VideoDocument starts loading stylsheets/scripts before ClientSource (and this ClientInfo) is inialized. → VideoDocument starts loading stylsheets/scripts before ClientSource (and this ClientInfo) is initialized.
Summary: VideoDocument starts loading stylsheets/scripts before ClientSource (and this ClientInfo) is initialized. → VideoDocument starts loading stylsheets/scripts before ClientSource (and thus the ClientInfo) is initialized.
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7082569b9321 Simplify loading in VideoDocument. r=smaug

https://hg.mozilla.org/mozilla-central/rev/7082569b9321

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 10 months ago
status-firefox141: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 141 Branch

(In reply to Tom Schuster (MoCo) from comment #3)

I don't think this warrants sec-moderate by itself. We were purposefully bypassing some security checks, because we don't want the load of these internal sheets and scripts to be blocked

Thanks. When I rated it I didn't realize it was only a couple of hardcoded internal resources. Those are going to be exempt from being blocked by CSP anyway so nothing is being bypassed.

status-firefox139: --- → wontfix
status-firefox140: --- → fix-optional
status-firefox-esr115: --- → wontfix
status-firefox-esr128: --- → wontfix
tracking-firefox141: --- → +
Keywords: sec-moderatesec-other

The patch landed in nightly and beta is affected.
:tschuster, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(tschuster)

Comment on attachment 9490002 [details]
Bug 1967731 - Simplify loading in VideoDocument. r?smaug

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency:
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String changes made/needed:
  • Is Android affected?: Yes
Flags: needinfo?(tschuster)
Attachment #9490002 - Flags: approval-mozilla-beta?

Required for bug 1966927.

Comment on attachment 9490002 [details]
Bug 1967731 - Simplify loading in VideoDocument. r?smaug

Approved for 140.0b7

Attachment #9490002 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [sec] [uplift] [qa-triage-done-c141/b140]
Flags: qe-verify-
Regressions: 1971809
No longer regressions: 1971809
Whiteboard: [adv-main140-]
Group: core-security-release
Duplicate of this bug: 1479516
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: