Closed
Bug 557698
Opened 15 years ago
Closed 15 years ago
Ensure discovery pane never loads anything insecure or from a different domain
Categories
(Toolkit :: Add-ons Manager, defect)
Toolkit
Add-ons Manager
Tracking
()
VERIFIED
FIXED
mozilla2.0b9
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | final+ |
People
(Reporter: Unfocused, Assigned: mossop)
References
Details
(Whiteboard: [rewrite][sg:want])
Need to ensure discovery pane never loads anything insecure or from a different domain. The discovery page on AMO should generally handle the obvious cases by targetting a new tab (_blank), but we shouldn't rely on this.
|
Reporter | |
Updated•15 years ago
|
|
Assignee | |
Updated•15 years ago
|
blocking2.0: --- → final+
|
|
Assignee | |
Updated•15 years ago
|
Assignee: nobody → bmcbride
|
|
Assignee | |
Updated•15 years ago
|
Whiteboard: [rewrite] → [rewrite][good first bug]
|
||
Comment 1•15 years ago
|
||
This doesn't include resources on the page, right? We may need to pull in assets from other domains like mozilla.com or our CDN.
|
|
Reporter | |
Comment 2•15 years ago
|
||
(In reply to comment #1)
> This doesn't include resources on the page, right?
Correct.
|
||
Comment 3•15 years ago
|
||
This bug isn't really specific, but it sounds like you could use CSP for this. I think our current settings fix this bug: http://github.com/jbalogh/zamboni/blob/master//settings.py#L570
CSP is currently enabled report-only on preview.amo, but is expected to go live sometime in the (near-ish) future.
|
|
Assignee | |
Comment 4•15 years ago
|
||
(In reply to comment #3)
> This bug isn't really specific, but it sounds like you could use CSP for this.
> I think our current settings fix this bug:
> http://github.com/jbalogh/zamboni/blob/master//settings.py#L570
I don't think CSP applies here though I could be misunderstanding the technology. What we are concerned with is ensuring that the top level page in the content browser here never leaves services.addons.mozilla.org and is always securely delivered.
|
|
||
Comment 5•15 years ago
|
||
And we want to show a pretty error message rather than a scary security warning, as wifi login pages and other stuff will likely try to sneak in here.
|
|
Assignee | |
Comment 6•15 years ago
|
||
Note that the client only cares about the top-level document (as far as the domain checking goes, for security everything on the page must be secure), it is up to you guys to ensure you never include anything dangerous from other domains, but I presume that is what CSP will help you with.
|
|
Reporter | |
Comment 7•15 years ago
|
||
(In reply to comment #5)
> And we want to show a pretty error message rather than a scary security
> warning, as wifi login pages and other stuff will likely try to sneak in here.
I actually thought that any page on a different domain would just automatically open in a new tab.
|
|
Assignee | |
Comment 8•15 years ago
|
||
(In reply to comment #7)
> (In reply to comment #5)
> > And we want to show a pretty error message rather than a scary security
> > warning, as wifi login pages and other stuff will likely try to sneak in here.
>
> I actually thought that any page on a different domain would just automatically
> open in a new tab.
That is a possibility but it feels a little strange that you could click on Get Add-ons and suddenly it opens a new tab with your wifi login page.
|
|
Reporter | |
Comment 9•15 years ago
|
||
(In reply to comment #8)
> That is a possibility but it feels a little strange that you could click on Get
> Add-ons and suddenly it opens a new tab with your wifi login page.
Maybe - though it kinda feels like a normal popup to me. The alternative is either not showing the wifi login page at all (which would be more confusing, IMO), or showing untrusted content in an area that is assumed to always show trusted content (which would be a Bad Thing).
|
||
Comment 10•15 years ago
|
||
There is some complication with this since some routers just hand back their login page to any url request, as opposed to redirecting to their url. I don't know if this is something that is detectable reliably by firefox...
|
|
Assignee | |
Comment 11•15 years ago
|
||
(In reply to comment #10)
> There is some complication with this since some routers just hand back their
> login page to any url request, as opposed to redirecting to their url. I don't
> know if this is something that is detectable reliably by firefox...
It shouldn't be able to fake the SSL cert though
|
|
Assignee | |
Comment 12•15 years ago
|
||
(In reply to comment #9)
> (In reply to comment #8)
> > That is a possibility but it feels a little strange that you could click on Get
> > Add-ons and suddenly it opens a new tab with your wifi login page.
>
> Maybe - though it kinda feels like a normal popup to me. The alternative is
> either not showing the wifi login page at all (which would be more confusing,
> IMO), or showing untrusted content in an area that is assumed to always show
> trusted content (which would be a Bad Thing).
Right now there is a bug in catching this case where we still end up loading it (bug 602256), until that is fixed I don't think it makes sense to implement opening the new window for these different sites.
Whiteboard: [rewrite][good first bug] → [rewrite][needs 601143]
|
||
Comment 13•15 years ago
|
||
Is there a bug somewhere dealing with the fact that Larry (identity-box) isn't very assuring about the integrity of about:addons? I just get an unencrypted connection popup/page info. I don't know what the plans are here, since the navigation bar has been left out of every mockup I've seen.
|
|
||
Comment 14•15 years ago
|
||
Actually, it looks like the behavior surrounding identity-box with about:addons is sporadic. Sometimes when it loads, there's a blue glow (but unclickable and "...does not supply..." tooltiptext), and sometimes there isn't. Sometimes it will start off with the glow, and then it disappears after switching back from other tabs.
Known bug?
|
|
Assignee | |
Comment 15•15 years ago
|
||
(In reply to comment #13)
> Is there a bug somewhere dealing with the fact that Larry (identity-box) isn't
> very assuring about the integrity of about:addons? I just get an unencrypted
> connection popup/page info. I don't know what the plans are here, since the
> navigation bar has been left out of every mockup I've seen.
bug 590206
|
||
Updated•15 years ago
|
Whiteboard: [rewrite][needs 601143] → [rewrite][needs 601143][sg:want]
|
||
Comment 16•15 years ago
|
||
(In reply to comment #9)
> (In reply to comment #8)
> > That is a possibility but it feels a little strange that you could click on Get
> > Add-ons and suddenly it opens a new tab with your wifi login page.
>
> Maybe - though it kinda feels like a normal popup to me. The alternative is
> either not showing the wifi login page at all (which would be more confusing,
> IMO), or showing untrusted content in an area that is assumed to always show
> trusted content (which would be a Bad Thing).
Let's have a standard pane which displays when there's either no or an untrusted internet connection. Maybe it could be based on cached content from the last time, or even just a simple explanation of what add-ons are. We don't need to tell people what isn't displaying.
|
|
Assignee | |
Comment 17•15 years ago
|
||
Fixed by bug 601143
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite+
Flags: in-litmus-
Resolution: --- → FIXED
Whiteboard: [rewrite][needs 601143][sg:want] → [rewrite][sg:want]
Target Milestone: --- → mozilla2.0b9
|
||
Comment 18•14 years ago
|
||
Finally was able to verify this fix with the entry page of my hotels WIFI. We do not serve any content which doesn't belong to AMO. Marking as verified fixed based on my tests with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0a2) Gecko/20110413 Firefox/5.0a2
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•