Open
Bug 1973458
Opened 1 month ago
Updated 1 month ago
Pref cleanup: Enforce `security_disallow_privilegedabout_remote_script_loads` by default and remove pref
Categories
(Core :: DOM: Security, enhancement, P3)
Core
DOM: Security
Tracking
()
NEW
People
(Reporter: freddy, Assigned: freddy)
References
(Blocks 1 open bug)
Details
Attachments
(1 file, 1 obsolete file)
No description provided.
Assignee
Comment 1•1 month ago
Assignee
Comment 2•1 month ago
Depends on D254657
Updated•1 month ago
Attachment #9496255 - Attachment is obsolete: true
Assignee
Comment 3•1 month ago
Looks like this pref was used incorrectly, e.g.,

```cpp
nsresult nsContentSecurityManager::CheckAllowLoadInPrivilegedAboutContext(
    nsIChannel* aChannel) {
  // bail out if check is disabled
  if (StaticPrefs::security_disallow_privilegedabout_remote_script_loads()) {
    return NS_OK;
  }
  // ... actual permission checks
```

The pref currently being true results in the whole block of checks being skipped with an early return. The code line should have been `if (!StaticPrefs...` instead.
I am running into some test failures when the pref is removed, see https://treeherder.mozilla.org/jobs?repo=try&revision=a3c77d8d28001272d848b59d9816c233e4eefd15
Will keep poking at this, but not sure if that's something I can commit to finish.
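The inverted guard described in comment 3, modelled as a stand-alone example that is added here and is not Firefox code: `Prefs`, `IsRemote`, both `Check*` functions and the sample URLs are hypothetical stand-ins for the pref and for the elided permission checks. Running the full pref/URL matrix against each guard shows that the quoted form fails open exactly when the pref asks for enforcement.

```cpp
#include <string>

// Simplified stand-in for the pref (not Firefox's StaticPrefs API).
struct Prefs { bool disallow_remote_script_loads; };
enum class Result { Allow, Block };

// Hypothetical placeholder for the elided permission checks:
// treat http(s) script URLs as remote.
static bool IsRemote(const std::string& url) {
  return url.rfind("https://", 0) == 0 || url.rfind("http://", 0) == 0;
}

// Guard as quoted in comment 3: bails out when the pref is TRUE.
Result CheckAsQuoted(const Prefs& prefs, const std::string& url) {
  if (prefs.disallow_remote_script_loads) return Result::Allow;
  return IsRemote(url) ? Result::Block : Result::Allow;
}

// Guard with the negation the comment says was intended.
Result CheckNegated(const Prefs& prefs, const std::string& url) {
  if (!prefs.disallow_remote_script_loads) return Result::Allow;
  return IsRemote(url) ? Result::Block : Result::Allow;
}

using CheckFn = Result (*)(const Prefs&, const std::string&);

// Runs the full pref x URL matrix (constructed sample URLs) and counts
// cases where the outcome differs from what the pref name promises.
int CountViolations(CheckFn check) {
  struct Case { bool pref; const char* url; Result expected; };
  const Case cases[] = {
      {true, "https://example.com/a.js", Result::Block},
      {true, "chrome://browser/content/a.js", Result::Allow},
      {false, "https://example.com/a.js", Result::Allow},
      {false, "chrome://browser/content/a.js", Result::Allow},
  };
  int violations = 0;
  for (const Case& c : cases) {
    if (check(Prefs{c.pref}, c.url) != c.expected) ++violations;
  }
  return violations;
}
```

A test that only exercises the pref's default value covers half of this matrix, which is why both pref states appear in the table.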
Updated•1 month ago
Attachment #9496254 - Attachment description: WIP: Bug 1973458 - remove security_disallow_privilegedabout_remote_script_loads r?tschuster → Bug 1973458 - remove security_disallow_privilegedabout_remote_script_loads r?tschuster
Updated•1 month ago
Attachment #9496254 - Attachment description: Bug 1973458 - remove security_disallow_privilegedabout_remote_script_loads r?tschuster → Bug 1973458 - Replace security_disallow_privilegedabout_remote_script_loads with finer grained check r?tschuster