Open
Bug 2008559
Opened 6 months ago
Updated 2 months ago
[meta] Type checking for JS IPC messages
Categories
(Core :: DOM: Content Processes, task)
Core
DOM: Content Processes
Tracking
()
NEW
People
(Reporter: mccr8, Unassigned)
References
(Depends on 6 open bugs)
Details
(Keywords: meta)
There are two forms of JS IPC, JS actors and message manager. With both of these, you can send whatever JS value you want as the data portion of your message. The receivers in the parent process usually aren't trying to deal with malicious messages, and so due to some odd corner cases of JavaScript, this can sometimes be leveraged to carry out a sandbox escape. This was used in two separate, but related, Pwn2Own exploits.
In practice, most of these messages are quite simple, little more than JSON. If we require developers declare what sort of JS value they are expecting, using a TypeScript-like type language, then we can dynamically type check the messages, making these sorts of exploits much harder to create.
You need to log in
before you can comment on or make changes to this bug.
Description
•