Closed Bug 2007588 Opened 3 months ago Closed 2 months ago

Let JS Load Restrictions Ride the trains

Categories

(Firefox :: Security, enhancement)

Tracking

RESOLVED FIXED
149 Branch
Tracking Status
relnote-firefox --- 149+
firefox149 --- fixed

People

(Reporter: tjr, Assigned: tjr)

Attachments

(1 file)

In Bug 1979341 we added telemetry that allowed people to optionally report the url of the unexpected script load. This showed us that we were firing event telemetry when a PAC script used eval or similar, leading us to allow that behavior in Bug 1994841 which landed in 146.

SELECT
    event,
    app_version_major,
    --client_info.app_build,
    --date(submission_timestamp) as date_submitted,
    client_info.app_channel,
    TO_JSON_STRING(event_extra.value),
    TO_JSON_STRING(event_extra.blocked),
    TO_JSON_STRING(event_extra.fileinfo),
    count(*) AS count_reports,
    count(distinct client_id) AS count_distinct_clients
FROM firefox_desktop.events_stream
WHERE event_category = 'security'
  AND submission_timestamp >= '2025-08-1'
  AND app_version_major > 142
  AND client_info.app_build > '20250813000000'
  AND event = 'security.javascript_load_parent_process'
GROUP BY
    event,
    app_version_major,
    --date(submission_timestamp),
    client_info.app_channel,
    TO_JSON_STRING(event_extra.value),
    TO_JSON_STRING(event_extra.blocked),
    TO_JSON_STRING(event_extra.fileinfo)

Shows us that in 146 there are no sources of 'http' or 'https' reports; whereas in 145 there were 2000 events from 50 users and similar largeish numbers in 144. So I think we solved it.

Now there are still telemetry events coming in, but they are coming from one or two distinct users at a time, which indicates these are specific customized Firefox installs doing something weird. It's not clear why our existing heuristics don't exclude them from the protection like we intend, but we have moved heaven and earth over the past 6 years to address the corner cases, and it doesn't make sense to hold back protections for the entire Firefox userbase when we believe there is no longer any supported scenario this can occur.

These folks need to set security.allow_parent_unrestricted_js_loads

Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED

Is this something we may want to add to release notes for 149?

relnote-firefox: --- → ?
Flags: needinfo?(tom)

Yes, I think it is worth putting a release note in.

Something like "Firefox xxx tightens the security requirements for the JavaScript files that can be loaded in the parent process, to provide defense in depth against security threats."

Flags: needinfo?(tom)

Note added to 149 nightly notes in the Changed section with this wording:

Firefox 149 tightens the security requirements for the JavaScript files that can be loaded in the parent process, to provide defense in depth against security threats.

I am keeping the relnote-firefox? flag set until we include this note in our final 149 release notes, thanks.

QA Whiteboard: [qa-triage-done-c150/b149]