Open Bug 980333 Opened 10 years ago Updated 2 years ago

Ensure devtools/styleeditor/styleeditor.xul is free of inline script

Categories: DevTools :: Style Editor, defect, P2

Platform: x86_64, Linux

Tracking: Not tracked

People: Reporter: mgoodwin, Unassigned

References: Blocks 1 open bug

There are some script-valued attributes (oncommand and onpopupshowing) and some inline script.
Why do we need to get rid of them?
Flags: needinfo?(mgoodwin)
We've had a few cases where people have managed to inject stuff into the tools. A made-up example which is somewhat similar to a real attack is a specially crafted font name "Arial <script>alert("XSS!")</script>".
So we'd like to apply CSP saying 'no scripts from the page', which means we need to get rid of all the scripts on the page.
Flags: needinfo?(mgoodwin)
(In reply to Heather Arthur [:harth] from comment #1)
> Why do we need to get rid of them?

We'd like to apply CSP (CSP almost completely eliminates XSS; we occasionally have issues with this in bits of the browser UI where, for obvious reasons, it's a really bad thing).

Platform work is underway to make this possible (e.g. applying CSP to documents with a system principal, applying CSP to XUL documents) but front-end work is needed to ensure nothing breaks when a strict-enough-to-be-useful* policy is applied.

*strict enough to be useful in this context means "would stop an attacker injecting scripts or styles" (styles because -moz-binding)
Inspector bug triage (filter on CLIMBING SHOES).
Priority: -- → P2
Product: Firefox → DevTools
Severity: normal → S3
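
A check a reviewer could run before such a policy is enabled, as an added example that is not part of the bug thread or the Firefox code base: it parses a XUL document and lists the inline `<script>` bodies and `on*` handler attributes (such as `oncommand` and `onpopupshowing`) that a no-inline-script CSP would block. The function name, finding labels and sample document are assumptions constructed for illustration.

```python
import xml.parsers.expat

# Constructed sample document (not the real styleeditor.xul; ids and URLs are made up).
SAMPLE_XUL = """<?xml version="1.0"?>
<window xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <script type="application/javascript" src="chrome://example/content/editor.js"/>
  <script type="application/javascript"><![CDATA[
    function init() {}
  ]]></script>
  <menupopup id="example-popup" onpopupshowing="updateMenu();">
    <menuitem id="example-item" label="Open" oncommand="openLink();"/>
  </menupopup>
</window>
"""

def find_inline_script(xul_text):
    """Return sorted (line, kind, detail) tuples for constructs a no-inline-script CSP blocks."""
    findings = []
    open_elems = []  # per open element: (line, text_parts) for inline <script>, else None
    parser = xml.parsers.expat.ParserCreate()

    def start(name, attrs):
        line = parser.CurrentLineNumber
        for attr in attrs:
            # Heuristic for script-valued attributes: oncommand, onpopupshowing, ...
            if attr.lower().startswith("on"):
                findings.append((line, "handler-attribute", f"{name}@{attr}"))
        # Track text only for <script> without src; the prefix strip catches html:script.
        inline = name.rsplit(":", 1)[-1].lower() == "script" and "src" not in attrs
        open_elems.append((line, []) if inline else None)

    def chars(data):
        if open_elems and open_elems[-1] is not None:
            open_elems[-1][1].append(data)

    def end(name):
        entry = open_elems.pop()
        if entry is not None and "".join(entry[1]).strip():
            findings.append((entry[0], "inline-script", name))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xul_text, True)
    return sorted(findings)

if __name__ == "__main__":
    for line, kind, detail in find_inline_script(SAMPLE_XUL):
        print(f"line {line}: {kind}: {detail}")
```

An empty result means every script in the document is loaded by `src` and no handler attributes remain, which is the state this bug asks for.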