Open Bug 1487526 Opened 6 years ago Updated 2 years ago

Service Worker Removal Forgery through IPC

Tracking

()

Status:

NEW

Project Flags:

Fission Milestone

Future

People

(Reporter: tjr, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: sec-want)

Tom Ritter [:tjr] (Back 9/5)

Reporter

Description

•

6 years ago

Many of the IPc methods in https://searchfox.org/mozilla-central/source/dom/serviceworkers/PServiceWorkerManager.ipdl take a Host or Origin from the child and will remove or otherwise act on Service Workers for that domain without validating the content process sending the message is authorized to act on that Service Worker. We should validate the domain supplied from the Content Process to ensure that the message is authorized.

Andrew McCreight [:mccr8]

Updated

•

6 years ago

Priority: -- → P3

Andrew McCreight [:mccr8]

Updated

•

6 years ago

Keywords: sec-want

Tom Ritter [:tjr] (Back 9/5)

Reporter

Updated

•

6 years ago

Depends on: fission-ipc-map

Tom Ritter [:tjr] (Back 9/5)

Reporter

Updated

•

6 years ago

See Also: → https://bugzilla.mozilla.org/show_bug.cgi?id=1491119

Chris Peterson [:cpeterson]

Comment 1

•

5 years ago

This bug is not a Fission MVP blocker.

Fission Milestone: --- → Future

Andrew Sutherland [:asuth] (he/him)

Updated

•

4 years ago

Summary: Service Work Removal Forgery through IPC → Service Worker Removal Forgery through IPC

BMO Automation

Updated

•

2 years ago

Severity: normal → S3

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Service Worker Removal Forgery through IPC

Categories

(Core :: DOM: Service Workers, enhancement, P3)

Tracking

()

People

(Reporter: tjr, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: sec-want)

Crash Data

Security

(public)

User Story

Description

Updated

Updated

Updated

Updated

Comment 1

Updated

Updated