Open Bug 1487533 Opened 6 years ago Updated 2 years ago

Canceling DNS requests are forgeable by rogue Content Process

Categories: Core :: Networking: DNS, enhancement, P2

Tracking: Fission Milestone Future

People: Reporter: tjr, Assigned: valentin

References: Depends on 1 open bug, Blocks 1 open bug

Details: Whiteboard: [necko-triaged]

(Low priority, but illustrative) In https://searchfox.org/mozilla-central/source/netwerk/dns/PDNSRequest.ipdl, CancelDNSRequest takes a hostname and an OriginAttributes member. It will cancel any pending DNS request that it can find that matches that hostname, OriginAttributes and flags. While a content process legitimately needs to be able to look up any domain name it wants, the OriginAttributes should only correspond to a legitimate origin being used by that Content Process. A rogue content process could forge the OriginAttributes and result in canceling DNS requests made by other Content Processes. We should validate the OriginAttributes sent by the Content Process and ensure the host present matches the Content Process. I expected to find a corresponding method that _created_ a DNSRequest, but was not able to. If it does exist, it might be forgeable also. It's a fairly low-power DoS attack, but it's illustrative of the concern.
I take it back, the corresponding creation method appears to be PDNSRequest(nsCString hostName, OriginAttributes originAttributes, uint32_t flags) in https://searchfox.org/mozilla-central/source/netwerk/ipc/PNecko.ipdl The OriginAttributes there needs to be validated as well.
Also HTMLDNSPrefetch and CancelHTMLDNSPrefetch in PNecko.ipdl
Summary: CancelDNSRequest is forgeable by rogue Content Process → Canceling DNS requests are forgeable by rogue Content Process
We should fix this. Daniel, do you have time?
Priority: -- → P2
Whiteboard: [necko-triaged]
What's the impact of this when used maliciously? Rogue content that guesses/knows the name resolves of another tab and kills them so that the other tab can't show images, load css etc? Possibly even not following links. And of course kill prefetch of the other tab?
Assignee: nobody → daniel
(In reply to Daniel Stenberg [:bagder] from comment #4)
> What's the impact of this when used maliciously? Rogue content that guesses/knows the name resolves of another tab and kills them so that the other tab can't show images, load css etc? Possibly even not following links. And of course kill prefetch of the other tab?

That sounds right. It might even be more limited. When I tried to trace this code, it seemed like the DNS requests may only be generated by Prefetch code. I'm not certain though. As it is, this can't be fixed right now because we don't yet have the infrastructure to validate the OriginAttributes. Also, as I noted, this is pretty low priority compared to other fission IPC bugs.
Depends on: fission-ipc-map
Assignee: daniel → nobody
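The check the bug asks for, modelled as a stand-alone example (this is added illustration, not Firefox code): the parent process keeps its own record of which OriginAttributes each content process legitimately hosts, and both the PDNSRequest constructor and CancelDNSRequest handlers consult that record before touching the pending-request queue. `OriginAttrs`, `DnsRequestGate` and the per-pid allow list are hypothetical stand-ins for the infrastructure comment 5 says does not yet exist.

```cpp
#include <algorithm>
#include <cstdint>
#include <set>
#include <string>
#include <tuple>
#include <utility>
#include <vector>

// Hypothetical stand-in for the OriginAttributes carried in PDNSRequest/PNecko messages.
struct OriginAttrs {
    uint32_t userContextId;     // container id
    bool privateBrowsing;
    std::string firstPartyDomain;
    bool operator<(const OriginAttrs& o) const {
        return std::tie(userContextId, privateBrowsing, firstPartyDomain) <
               std::tie(o.userContextId, o.privateBrowsing, o.firstPartyDomain);
    }
    bool operator==(const OriginAttrs& o) const { return !(*this < o) && !(o < *this); }
};
struct PendingDns { std::string host; OriginAttrs attrs; uint32_t flags; };
enum class CancelResult { Rejected, NoMatch, Cancelled };

// Hypothetical parent-side gate in front of the DNS request queue.
class DnsRequestGate {
public:
    // Record that content process `pid` legitimately hosts origin `a` (set by the parent,
    // never taken from the content process's own message).
    void AllowOrigin(int pid, const OriginAttrs& a) { mAllowed.insert({pid, a}); }
    // Handler for the PDNSRequest constructor: refuse attributes the process does not own.
    bool Resolve(int pid, const std::string& host, const OriginAttrs& a, uint32_t flags) {
        if (!IsAllowed(pid, a)) return false;
        mPending.push_back({host, a, flags});
        return true;
    }
    // Handler for CancelDNSRequest: the same check runs before the queue is touched,
    // so forged OriginAttributes cannot cancel lookups belonging to another process.
    CancelResult Cancel(int pid, const std::string& host, const OriginAttrs& a, uint32_t flags) {
        if (!IsAllowed(pid, a)) return CancelResult::Rejected;
        size_t before = mPending.size();
        mPending.erase(std::remove_if(mPending.begin(), mPending.end(), [&](const PendingDns& p) {
            return p.host == host && p.attrs == a && p.flags == flags; }), mPending.end());
        return mPending.size() < before ? CancelResult::Cancelled : CancelResult::NoMatch;
    }
    size_t PendingCount() const { return mPending.size(); }

private:
    bool IsAllowed(int pid, const OriginAttrs& a) const { return mAllowed.count({pid, a}) > 0; }
    std::set<std::pair<int, OriginAttrs>> mAllowed;
    std::vector<PendingDns> mPending;
};
```

With this gate, a process that sends another tab's OriginAttributes gets `Rejected` and the other tab's pending lookup survives; the only lookups it can cancel are ones under attributes the parent already granted it.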

This bug is not a Fission MVP blocker.

Fission Milestone: --- → Future
Assignee: nobody → valentin.gosu
Severity: normal → S3