Closed
Bug 771942
Opened 12 years ago
Closed 12 years ago
[FIX] DataDocumentContentPolicy should apply to chrome documents
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
People
(Reporter: smaug, Assigned: smaug)
References
Details
(Keywords: sec-high, Whiteboard: [adv-main20+][adv-esr1705+])
Attachments
(2 files, 1 obsolete file)
7.21 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
7.51 KB,
patch
|
bajaj
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-esr17+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
It is very strange that data documents may load stuff if they are chrome documents.
This lead to bug 770684 (though, I'll fix that bug in some other way).
As far as I see, we have similar problems as bug 770684 if someone does
something like document.implementation.createHTMLDocument("").body.innerHTML = "stuff".
If that stuff contains images or scripts, they are loaded, I think.
Assignee | ||
Comment 1•12 years ago
|
||
Another option is to handle loads coming from data documents in some other way.
Assignee | ||
Comment 2•12 years ago
|
||
Should we (1) special case DataDocumentContentPolicy, so that it gets called even for chrome docs,
or (2) do data document checks before any normal content policy checks and remove DataDocumentContentPolicy
or (3) do all content policy checks for chrome documents?
(3) would be the best from consistency point of view, but not from performance point of view.
I think (2) should be ok. In that case ContentPolicy would really mean *Content*Policy.
(2) would mean that CHECK_PRINCIPAL in nsContentPolicyUtils should do the data document checks.
I prefer (2).
Comment 3•12 years ago
|
||
(2) makes sense to me.
I don't think we can do (3) since I believe we removed those checks for performance reasons. There's also the risk that it'd break existing addons not expecting chrome URLs to be passed in.
2 sounds good to me since content policies is an API that should be completely rewritten anyway.
Comment 5•12 years ago
|
||
#2 sounds fine to me.
Comment 6•12 years ago
|
||
I'm assuming at least some apps and addons are going to do this and might not correctly sanitize user-supplied content.
Keywords: sec-high
Comment 7•12 years ago
|
||
Looks like we've got two votes for approach #2, assigning back to Olli for next steps.
Assignee: nobody → bugs
Assignee | ||
Comment 8•12 years ago
|
||
...still on my todo list.
Assignee | ||
Comment 9•12 years ago
|
||
Adds one QI to all chrome loads, and if the load is coming from
data/image/resource doc, also getService call.
Assignee | ||
Comment 10•12 years ago
|
||
So I think we could do this and then bug 820029 as a followup.
(Bug 820029 would let us use contentutils etc.)
But feel free to disagree :)
do_GetService call isn't exactly nice one, but at least it happens only on
data/resource/docAsImage documents.
Attachment #690422 -
Attachment is obsolete: true
Attachment #690476 -
Flags: review?(bzbarsky)
Comment 11•12 years ago
|
||
Comment on attachment 690476 [details] [diff] [review]
tiny bit simpler
I think I can live with this, with a few nits:
1) Document around nsDataDocumentContentPolicy::ShouldLoad that the "still valid" bit includes the fact that the caller doesn't actually pass all the arguments and such.
2) Do we really need to null-check OwnerDoc()? If we do, add a comment as to why.
r=me with that
Attachment #690476 -
Flags: review?(bzbarsky) → review+
Assignee | ||
Comment 12•12 years ago
|
||
We don't need to null check OwnerDoc(). It was just handy to write the code that way.
But I can change it.
Comment 13•12 years ago
|
||
Nah, it's fine as it is. Just comment that it makes the code simpler.
Assignee | ||
Comment 14•12 years ago
|
||
[Security approval request comment]
How easily can the security issue be deduced from the patch?
It is not so easy to see the security problem, but it is easy to see the behavior the patch
is changing.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No. The commit message will be about preventing loads from
chrome data documents, and IMO that as such doesn't _sound_ like a security problem.
Which older supported branches are affected by this flaw?
All (Everything since bug 388597)
How likely is this patch to cause regressions; how much testing does it need?
Addons may break if they expect stuff to be loaded even on data documents.
So some amount testing is needed.
Attachment #690491 -
Flags: sec-approval?
Assignee | ||
Updated•12 years ago
|
Summary: DataDocumentContentPolicy should apply to chrome documents → [FIX] DataDocumentContentPolicy should apply to chrome documents
Comment 15•12 years ago
|
||
Adding Alex so we can discuss when we want to take this since there is some risk.
Comment 16•12 years ago
|
||
(In reply to Al Billings [:abillings] from comment #15)
> Adding Alex so we can discuss when we want to take this since there is some
> risk.
Given the fact that this is internally reported, a longstanding bug, it doesn't have a low risk evaluation, and the holidays are coming up (low feedback volume), I'd prefer that this landed at the beginning of the next cycle (1/7/2013).
Comment 17•12 years ago
|
||
Comment on attachment 690491 [details] [diff] [review]
v3
sec-approval+ for landing on 1/7/2013 or later.
Attachment #690491 -
Flags: sec-approval? → sec-approval+
Assignee | ||
Comment 18•12 years ago
|
||
So, ok to land now?
Comment 19•12 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #18)
> So, ok to land now?
yep!
Assignee | ||
Comment 20•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 21•12 years ago
|
||
Given the higher than normal risk profile but low visibility, let's compromise and uplift to Aurora 20 and then to the corresponding ESR.
status-firefox19:
--- → wontfix
status-firefox20:
--- → affected
status-firefox21:
--- → affected
status-firefox-esr17:
--- → affected
tracking-firefox20:
--- → +
tracking-firefox21:
--- → +
tracking-firefox-esr17:
--- → 20+
Assignee | ||
Comment 22•12 years ago
|
||
Comment on attachment 690491 [details] [diff] [review]
v3
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 388597
User impact if declined: chrome may accidentally load stuff from network it wasn't going to
Testing completed (on m-c, etc.): landed two days ago
Risk to taking this patch (and alternatives if risky):
Addons may break if they expect stuff to be loaded even on data documents.
So some amount testing is needed.
String or UUID changes made by this patch:
NA
Attachment #690491 -
Flags: approval-mozilla-aurora?
Updated•12 years ago
|
Attachment #690491 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Comment 23•12 years ago
|
||
Comment 24•12 years ago
|
||
Do we think that this could impact B2G? It's unclear what we're discussing here w/r/t chrome.
Assignee | ||
Comment 25•12 years ago
|
||
In theory b2g chrome code could accidentally load something from the network. But I'm not sure
how much there is chrome code.
Updated•12 years ago
|
status-b2g18:
--- → wontfix
Updated•12 years ago
|
Target Milestone: --- → mozilla21
Assignee | ||
Comment 26•12 years ago
|
||
Comment on attachment 690491 [details] [diff] [review]
v3
[Approval Request Comment]
User impact if declined: chrome may accidentally load stuff from network it wasn't going to
Fix Landed on Version: FF21, FF20
Risk to taking this patch (and alternatives if risky): may affect to some addons,
but there are really no alternatives
String or UUID changes made by this patch: NA
Landed to m-c 2013-01-08
and Aurora 2013-01-12
Attachment #690491 -
Flags: approval-mozilla-esr17?
Comment 27•12 years ago
|
||
Comment on attachment 690491 [details] [diff] [review]
v3
Supporting addons on ESR branch is not the priority, so if there is fallout from taking this we'll have to manage that in another fashion rather than leave this unfixed on ESR.
Attachment #690491 -
Flags: approval-mozilla-esr17? → approval-mozilla-esr17+
Assignee | ||
Comment 28•12 years ago
|
||
Updated•12 years ago
|
Whiteboard: [adv-main20+][adv-esr1705+]
Updated•10 years ago
|
Group: core-security
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•