System XHR allows unrestricted access to file:// URIs

RESOLVED DUPLICATE of bug 825070

Status

Core
DOM
5 years ago

People

(Reporter: cjones, Unassigned)

Tracking

Trunk

Firefox Tracking Flags

(Not tracked)

Details

In b2g, this enables some super-powered OS fingerprinting, but doesn't put any user data at risk if we got the OS security model right.

We would *absolutely* need to fix this before enabling this interface for desktop though.

This is kind of a scary hole though and I'm thinking we should fix this for b2g v1.

philikon/sicking, how hard would it be to summarily deny file:// for system XHR in v1? There's no use case.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 825070
blocking-basecamp: ? → ---