Closed Bug 947831 Opened 11 years ago Closed 8 years ago

Do not set CSP on a document whose principal aliases another document

Categories

(Core :: DOM: Security, defect)

x86_64
Linux
defect
Not set
normal

Tracking


RESOLVED INVALID

People

(Reporter: deian, Assigned: deian)

References

Details

(Whiteboard: [domsecurity-backlog])

Following up on bug 943460 and discussion with bz:
We should not be setting CSP on a document whose principal aliases some other document. Rather than special-casing apps (as in bug 943460), we may need a new API to indicate on a channel that (not only does it have an owner, but) the principal is shared with some other document, and use this to avoid setting CSP.
Depends on: 965413
Paul, what do you think? Can we mark this one as INVALID?
Component: Security → DOM: Security
Flags: needinfo?(ptheriault)
Whiteboard: [domsecurity-backlog]
Yes I think so.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(ptheriault)
Resolution: --- → INVALID
Actually, Christoph/Henry, does bug 1251152 reintroduce a need for this bug? My guess is 'no' since 1251152 doesn't affect nsDocument.cpp, but I'm not sure.
Flags: needinfo?(mozilla)
Flags: needinfo?(hchang)
(In reply to Paul Theriault [:pauljt] from comment #3)
> Actually, Christoph/Henry, does bug 1251152 reintroduce a need for this bug.
> My guess is 'no' since 1251152 doesn't affect nsDocument.cpp, but I'm not
> sure.

Nope, I am fairly certain this is not the case. about:newtab can be forwarded to an external URL. We would then load that URL like any other website within the browser but enforce additional security checks on such loads, which are initiated by setting additional security flags within the AboutProtocolHandler.
Flags: needinfo?(mozilla)
Flags: needinfo?(hchang)