Closed Bug 1421647 Opened 7 years ago Closed 7 years ago

about:privatebrowsing should not have system principal / chrome privileges

Categories

(Firefox :: Security, defect)

57 Branch
defect
Not set
normal

Tracking

VERIFIED FIXED
Tracking Status
firefox-esr52 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox60 --- verified
firefox61 --- verified

People

(Reporter: Gijs, Assigned: ckerschb)

Details

(Keywords: sec-audit, sec-moderate, Whiteboard: [fixed by bug 1430751][adv-main60-])

See summary.

STR:
1. open a private browsing window
2. open web console
3. evaluate document.nodePrincipal

Expected: undefined (nodePrincipal is only exposed to chrome)
Actual: system principal

This is not good. No immediate exploit or anything, just not good.

Related: we should audit all our about: pages for this. Best to just enumerate everything registered to Components.classes with an about module name (see code in aboutabout.js for how to do this).
I remember vaguely that there was a tracking bug for de-privileging content pages. Maybe freddyb knows more about this?
Blocks: 1420788
This was fixed by bug 1430751.
Assignee: nobody → ckerschb
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Whiteboard: [fixed by bug 1430751]
AFAICT, this affects ESR52 as well (STR work there too). Given that this is sec-moderate, should we just wontfix there?
Flags: needinfo?(gijskruitbosch+bugs)
(In reply to Ryan VanderMeulen [:RyanVM] from comment #3)
> AFAICT, this affects ESR52 as well (STR work there too). Given that this is
> sec-moderate, should we just wontfix there?

Yes.
Flags: needinfo?(gijskruitbosch+bugs)
Group: firefox-core-security → core-security-release
Whiteboard: [fixed by bug 1430751] → [fixed by bug 1430751][adv-main60-]
I have managed to reproduce this issue using Firefox 59.0a1 (BuildId:20171129220149). This issue is verified fixed using Firefox 61.0a1 (BuildId:20180503220110) and Firefox 60.0 (BuildId:20180430165945) on Windows 10 64bit, macOS 10.13.3 and Ubuntu 16.04 64bit.
Status: RESOLVED → VERIFIED
Group: core-security-release