Open
Bug 1197283
(userContextId_Audit)
Opened 9 years ago
Updated 2 years ago
[META] Audit the Desktop-only callsites for situations where we need to consider userContextId
Categories
(Core :: Security, defect, P3)
Core
Security
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox57 | --- | affected |
People
(Reporter: bholley, Unassigned)
References
(Depends on 2 open bugs, Blocks 1 open bug)
Details
(Keywords: meta, Whiteboard: [OA])
Over in bug 1165272, Yoshi is converting a bunch of uses of getNoAppCodebasePrincipal to createCodebasePrincipal. Most of those are for tests, but some of them are for Desktop-only features (like about:feeds) that didn't need to be fixed up for appId, but may need to be made OriginAttribute-aware when we start using OriginAttributes on Desktop.
I'm getting this bug on file to dump the ones I see when reviewing that patch.
|
Reporter | |
Comment 1•9 years ago
|
||
FeedConverter.js
aboutPermissions.js
permissions.js
PdfStreamConverter.jsm
SpecialStorage.jsm
Feeds.jsm
Weave.js
nsPermission.cpp
nsPermissionManager.cpp
ApplicationReputation.cpp
BookmarkJSONUtils.jsm
nsLiveMarkService.js
SocialService.jsm
NewTabUtils.jsm
PermissionUtils.jsm
NativeApp.jsm
nsOfflineCacheUpdateService.cpp
|
||
Comment 2•9 years ago
|
||
We may also have to audit callers of getSimpleCodeBasePrincipal as well, since they essentially ignore originAttributes:
http://mxr.mozilla.org/mozilla-central/source/caps/nsScriptSecurityManager.cpp#1007
http://mxr.mozilla.org/mozilla-central/source/caps/nsIScriptSecurityManager.idl#146
http://mxr.mozilla.org/mozilla-central/search?string=getsimplecodebaseprincipal
|
||
Updated•9 years ago
|
Assignee: nobody → huseby
|
|
||
Updated•9 years ago
|
Status: NEW → ASSIGNED
|
|
||
Updated•9 years ago
|
Depends on: createCodebasePrincipal
|
|
||
Comment 3•9 years ago
|
||
I dumped all of my notes and progress on the createCodebasePrincipal call sites in Bug 1218479.
|
|
||
Comment 4•9 years ago
|
||
I'm just dumping notes here so I can double check these things later. First note:
Also need to audit nsDocShell::CreatePrincipalFromReferrer callers since it creates a principal from the docshell's origin attributes.
|
|
||
Comment 5•9 years ago
|
||
I'm changing this to be the top-level meta bug for going through all of the places we need to fix up user context consideration.
So far the list of functions we care about are:
createCodebasePrincipal
createCodebasePrincipalFromOrigin
createPrincipalFromReferrer
getSimpleCodebasePrincipal
There may be others. Basically, anywhere we create a principal or get one from the URI and origin attributes, needs to be looked at. I'm creating 4 meta bugs for fixing the above listed functions we care about and under those, I'm creating bugs for the individual call sites and patches.
Summary: Audit the Desktop-only callsites of createCodebasePrincipal for situations where we need to consider userContextId → [META] Audit the Desktop-only callsites for situations where we need to consider userContextId
|
|
||
Updated•9 years ago
|
Depends on: createCodebasePrincipalFromOrigin
|
|
||
Updated•9 years ago
|
Depends on: createPrincipalFromReferrer
|
|
||
Updated•9 years ago
|
Depends on: getSimpleCodebasePrincipal
|
|
||
Updated•9 years ago
|
Alias: userContextId_Audit
|
|
||
Updated•9 years ago
|
Depends on: containers_testing
Depends on: 1259341
|
|
||
Updated•9 years ago
|
Depends on: origin_attribute_assertions
|
|
||
Updated•9 years ago
|
Whiteboard: [OA]
|
|
||
Updated•9 years ago
|
Assignee: huseby → nobody
Status: ASSIGNED → NEW
|
|
||
Comment 6•7 years ago
|
||
Marking as P3 since this is a meta bug - https://wiki.mozilla.org/Bugmasters/Process/Triage#This_doesn.27t_fit_into_a_P1.2C_P2.2C_P3.2C_or_P5_framework
status-firefox57:
--- → wontfix
Priority: -- → P3
|
|
||
Updated•7 years ago
|
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•