Closed Bug 1497206 Opened 6 years ago Closed 6 years ago

Apply Meta CSP to about:searchreset

Categories

(Core :: DOM: Security, enhancement, P3)

Product:
Core
Component:
DOM: Security
Type:
enhancement

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1521725

People

(Reporter: ckerschb, Assigned: ckerschb)

References

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(1 file, 1 obsolete file)

bug_1497206_csp_about_searchreset.patch
(deleted), patch
ckerschb
: review+
Details | Diff | Splinter Review
No description provided.
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Attached patch bug_1497206_csp_about_searchreset.patch (obsolete) (deleted) — Splinter Review
Attachment #9016597 - Flags: review?(gijskruitbosch+bugs)
Comment on attachment 9016597 [details] [diff] [review] bug_1497206_csp_about_searchreset.patch Review of attachment 9016597 [details] [diff] [review]: ----------------------------------------------------------------- Looks OK to me, but we should check with Florian if it's not possible for the search engine's iconURI to be anything other than a data: URI (like maybe a chrome: or blob: or file: or jar:file: URI).
Attachment #9016597 - Flags: review?(gijskruitbosch+bugs)
Attachment #9016597 - Flags: review?(florian)
Attachment #9016597 - Flags: review+
Comment on attachment 9016597 [details] [diff] [review] bug_1497206_csp_about_searchreset.patch (In reply to :Gijs (he/him) from comment #2) > Comment on attachment 9016597 [details] [diff] [review] > bug_1497206_csp_about_searchreset.patch > > Review of attachment 9016597 [details] [diff] [review]: > ----------------------------------------------------------------- > > Looks OK to me, but we should check with Florian if it's not possible for > the search engine's iconURI to be anything other than a data: URI (like > maybe a chrome: or blob: or file: or jar:file: URI). It looks like bug 1275366 made it possible to use chrome: or resource: urls, but I'm not sure we ever used this new capability. Maybe mkaply knows.
Flags: needinfo?(mozilla)
Attachment #9016597 - Flags: review?(florian)
Yes, we have search engines that use resource URIs and we support chrome URIs as well. Can someone explain what this patch is?
Flags: needinfo?(mozilla)
(In reply to Mike Kaply [:mkaply] from comment #4) > Yes, we have search engines that use resource URIs and we support chrome > URIs as well. How do I have to update the patch so we can remove the data: scheme from the CSP. > Can someone explain what this patch is? Ultimately we would like to apply a Content Security Policy (CSP) all about: pages within Firefox with the intent to add another layer of Security making sure there are no script injection attacks, becuase CSP would block all inline script and all other script not loaded from a chrome: URI.
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #5) > (In reply to Mike Kaply [:mkaply] from comment #4) > > Yes, we have search engines that use resource URIs and we support chrome > > URIs as well. > > How do I have to update the patch so we can remove the data: scheme from the > CSP. I think we'll also need to keep the data: scheme. But I think you should add chrome: and resource: to the img-src directive. With that, I think we're good to go here. We can always tighten things up later.
(In reply to :Gijs (he/him) from comment #6) > I think we'll also need to keep the data: scheme. But I think you should add > chrome: and resource: to the img-src directive. With that, I think we're > good to go here. We can always tighten things up later. Yeah that makes sense to me. Carrying over r+ from Gijs!
Attachment #9016597 - Attachment is obsolete: true
Attachment #9017071 - Flags: review+

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:ckerschb, could you have a look please?

Flags: needinfo?(ckerschb)

Before we can apply CSP to system privileged about pages we have to fix Bug 965637, in which we move the CSP from the Principal into the Client. Please note that the Meta Bug 1492063 for applying CSP to system privileged about: pages is blocked by 965637. At the moment we are fixing the last remaining blockers and as soon as we have landed Bug 965637 I'll try to land all the dependencies of Bug 1492063 so we end up having all about: pages secured by a CSP.

Flags: needinfo?(ckerschb)

I am rebasing all of the CSP patches for about: pages, it seems this one got fixed by Bug 1521725.

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: