Open Bug 2008559 Opened 6 months ago Updated 2 months ago

[meta] Type checking for JS IPC messages

Categories

(Core :: DOM: Content Processes, task)

task

Tracking

()

People

(Reporter: mccr8, Unassigned)

References

(Depends on 6 open bugs)

Details

(Keywords: meta)

There are two forms of JS IPC, JS actors and message manager. With both of these, you can send whatever JS value you want as the data portion of your message. The receivers in the parent process usually aren't trying to deal with malicious messages, and so due to some odd corner cases of JavaScript, this can sometimes be leveraged to carry out a sandbox escape. This was used in two separate, but related, Pwn2Own exploits.

In practice, most of these messages are quite simple, little more than JSON. If we require developers declare what sort of JS value they are expecting, using a TypeScript-like type language, then we can dynamically type check the messages, making these sorts of exploits much harder to create.

Depends on: 2008560
You need to log in before you can comment on or make changes to this bug.