Open Bug 1432831 Opened 7 years ago Updated 2 years ago

validate HttpChannelOpenArgs in HttpChannelParent::init() for sanity

Categories

(Core :: Networking: HTTP, enhancement, P3)

enhancement

Tracking

()

Fission Milestone Future

People

(Reporter: bkelly, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [necko-triaged])

Towards our goal of improving security and process isolation we should consider validating arguments when messages are received in the parent. A good place to start might be our nsIChannel protocols like PHttpChannel. If we validated the HttpChannelOpenArgs in HttpChannelParent::Init() we could check: 1. Verify that various URIs and principals are internally consistent. We have particular sets of values that are allowed for the combination of loading principal, triggering principal, principalToInherit, ClientInfo values, service worker controller values, various flags, etc. We should check that these are sane. This could be done via an approach like bug 1430159 or just done directly in HttpChannelParent::Init(). 2. For subresource requests verify that the loading principal matches a window/worker client that exists in the sending content process. This would require the API from bug 1432825. It would also need to be an async check. Maybe there are more things we could check as well once we start digging into it.
Also, if we pick a specific protocol to start with (like PHttpChannel) then it might help us build primitives and best practices we can use to get other protocols locked down.
Priority: -- → P3
Whiteboard: [necko-triaged]
See also bug 1325647 - Julian doesnt work at mozilla but if we looking for IPDL validation helpers this might be a start.
Yes! When I dug into this, I had felt we could verify every LoadingPrincipal we received from the Content Process to match against the expected origin for that content process.
Blocks: fission-ipc

hardening bug

This bug is not a Fission MVP blocker.

Fission Milestone: --- → Future
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.