Closed Bug 1233906 Opened 9 years ago Closed 9 years ago

application reputation needs use the right user context origin attributes

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: huseby, Assigned: baku)

References

Details

(Whiteboard: [userContextId][OA])

Attachments

(3 obsolete files)

In the file toolkit/components/downloads/ApplicationReputation.cpp there is a call to createCodebasePrincipal that needs to have the default context origin attributes because we don't want user context isolation. > toolkit/components/downloads/ApplicationReputation.cpp > line 299 > nsCOMPtr<nsIPrincipal> principal = > BasePrincipal::CreateCodebasePrincipal(uri, attrs);
Attached patch patch (obsolete) (deleted) — Splinter Review
Assignee: huseby → amarchesini
Attachment #8703750 - Flags: review?(huseby)
Comment on attachment 8703750 [details] [diff] [review] patch Review of attachment 8703750 [details] [diff] [review]: ----------------------------------------------------------------- GlobalContextOriginAttributes -> DefaultContextOriginAttributes
Attachment #8703750 - Flags: review?(huseby) → review-
Component: Security → DOM
Product: Firefox → Core
Attached patch bug_1233906.patch (obsolete) (deleted) — Splinter Review
Attachment #8703750 - Attachment is obsolete: true
Attachment #8704535 - Flags: review?(huseby)
Attached patch bug_1233906.patch (obsolete) (deleted) — Splinter Review
Attachment #8704535 - Attachment is obsolete: true
Attachment #8704535 - Flags: review?(huseby)
Attachment #8704547 - Flags: review?(huseby)
Depends on: 1229222
Attachment #8704547 - Flags: review?(huseby) → review+
Whiteboard: [userContextId]
Attachment #8704547 - Attachment is obsolete: true
Francois, Are you familiar with the Application Reputation Service? In the PendingDBLookup class, it creates a principal that it passes to the nsIUrlClassifierDBService when checking URI's for downloaded resources. I'm not sure what the nsIUrlClassifierDBService does exactly so I'm not sure if we want to use a principal with default origin attributes or if we want to inherit the origin attributes from the document that loaded the resource. If we want to inherit the origin attributes, I think we'll have to add a the origin attributes to the nsIApplicationReputationQuery class so that we have the origin attributes when creating the principal in PendingDBLookup. Can you help me understand this better?
Flags: needinfo?(francois)
Flags: needinfo?(francois)
Application reputation should probably be usercontext free. It doesn't matter the context in which we detect a malicious url. A malicious url is malicious and should be blocked regardless of context. Not sure why francois removed his needinfo. Perhaps him and Dave talked offline.
(In reply to Tanvi Vyas [:tanvi] from comment #6) > Not sure why francois removed his needinfo. Perhaps him and Dave talked > offline. Yes, Dave and I had a chat about it. The conclusion was that we're going to leave the code as-is until the permission manager becomes origin-attribute aware. At that point, it might make sense to treat the "ignore this warning" permission (i.e. temporary user whitelist) as specific to the usercontext in which it occurred.
I'm resolving this as won't fixed because permissions aren't isolated at the moment. When the time comes, we'll fix this.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
Whiteboard: [userContextId] → [userContextId][OA]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: