Do not set CSP on a document whose principal aliases another document

RESOLVED INVALID

Status


Core
DOM: Security
RESOLVED INVALID
5 years ago
2 years ago

People

(Reporter: Deian Stefan, Assigned: Deian Stefan)

Tracking

Trunk
x86_64
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [domsecurity-backlog])


Description

5 years ago
Following up on bug 943460 and discussion with bz:
We should not be setting CSP on a document whose principal aliases some other document. Rather than special-casing apps (as in bug 943460), we may need a new API to indicate on a channel that (not only does it have an owner, but) the principal is shared with some other document and use this to avoid setting CSP.
Depends on: 965413
Paul, what do you think? Can we mark this one as INVALID?
Component: Security → DOM: Security
Flags: needinfo?(ptheriault)
Whiteboard: [domsecurity-backlog]
Yes I think so.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(ptheriault)
Resolution: --- → INVALID
Actually, Christoph/Henry, does bug 1251152 reintroduce a need for this bug? My guess is 'no' since 1251152 doesn't affect nsDocument.cpp, but I'm not sure.
Flags: needinfo?(mozilla)
Flags: needinfo?(hchang)
(In reply to Paul Theriault [:pauljt] from comment #3)
> Actually, Christoph/Henry, does bug 1251152 reintroduce a need for this bug.
> My guess is 'no' since 1251152 doesn't affect nsDocument.cpp, but I'm not
> sure.

Nope, I am fairly certain this is not the case. about:newtab can be forwarded to an external URL. We would then load that URL like any other website within the browser but enforce additional security checks on such loads, which are initiated by setting additional security flags within the AboutProtocolHandler.
Flags: needinfo?(mozilla)

Updated

2 years ago
Flags: needinfo?(hchang)