Closed
Bug 1432137
Opened 7 years ago
Closed 7 years ago
Add test to verify insecure redirects to data: URIs are blocked for script modules
Categories
(Core :: DOM: Security, enhancement, P3)
Core
DOM: Security
Tracking
()
RESOLVED
FIXED
mozilla60
Tracking | Status | |
---|---|---|
firefox60 | --- | fixed |
People
(Reporter: ckerschb, Assigned: ckerschb)
References
Details
(Whiteboard: [domsecurity-backlog1])
Attachments
(1 file, 1 obsolete file)
(deleted),
patch
|
jonco
:
review+
|
Details | Diff | Splinter Review |
This is a follow up Bug for from Bug 1428793 to add a mochitest that makes sure insecure redirects to data: URIs are blocked for script modules.
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → ckerschb
Blocks: 1428793
Status: NEW → ASSIGNED
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Assignee | ||
Comment 1•7 years ago
|
||
Ben, I saw you reviewed Bug 1330657. It seems I can't find the bug to enable script modules in release. Is there already one? If so, could you please mark this bug blocking the 'enable script modules in release' bug? Thanks!
Flags: needinfo?(bkelly)
Comment 2•7 years ago
|
||
Jon, can you make this bug block shipping modules? Thanks!
Flags: needinfo?(bkelly) → needinfo?(jcoppeard)
Assignee | ||
Comment 3•7 years ago
|
||
Hey Jon, within this Bug I am trying to add a test to make sure script modules that are insecurely redirected to a data: URI are blocked. It seems my test for script modules is not working properly. Hence, I already asked that question within Bug 1428793 [see 1] but didn't get a clear answer.
Anyway, in the attached testcase I always receive an .onerror() event for testModuleScriptRedirectToData even when the redirect is not blocked. I have to admit that I don't fully understand how script modules work hence I was wondering if you could provide some guidance. I started by explicitly flipping the pref dom.moduleScripts.enabled to true, but not matter what I try I always receive an .onerror() event. Any help is highly appreciated. Thanks!
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1428793#c18
Flags: needinfo?(jcoppeard)
Comment 4•7 years ago
|
||
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #3)
One thing I noticed is that MIME type specified won't work: modules require a JS MIME type (e.g. application/javascript).
That's probably not the problem here though. I think the issue is modules are always fetched with CORS enabled and so will fail to load a data URI since that's not same-origin with the page loading it.
Flags: needinfo?(jcoppeard)
Assignee | ||
Comment 5•7 years ago
|
||
Jon, thanks for your help. In fact the 'regular' loading without any redirect requires a type of 'application/javascript', without that the load fails. For verification purposes I changed the *.sjs to include:
> if (query === "modulescript") {
> response.setHeader("Content-Type", "application/javascript", false);
> response.write("var a = 0;");
> return;
> }
which verifies that your assessment was correct.
Using a data: URI fails the load, but I think it makes sense to land that test anyway. Similar to what we do in the worker case above.
What do you think? Agreed?
Attachment #8944682 -
Attachment is obsolete: true
Attachment #8944689 -
Flags: review?(jcoppeard)
Comment 6•7 years ago
|
||
Comment on attachment 8944689 [details] [diff] [review]
bug_1432137_verify_script_module_redirects_data_blocked.patch
Review of attachment 8944689 [details] [diff] [review]:
-----------------------------------------------------------------
I agree we should add the test.
I think you should make the MIME type for the data URLs 'text/javascript' in all cases though.
Attachment #8944689 -
Flags: review?(jcoppeard) → review+
Assignee | ||
Comment 7•7 years ago
|
||
(In reply to Jon Coppeard (:jonco) from comment #6)
> I think you should make the MIME type for the data URLs 'text/javascript' in
> all cases though.
Agreed - thanks!
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a4be09ecf97a
Add test to verify insecure redirects to data: URIs are blocked for script modules. r=jonco
Comment 9•7 years ago
|
||
bugherder |
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox60:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
You need to log in
before you can comment on or make changes to this bug.
Description
•