FirstPartyStorageAccessGrantedForOrigin allows a Rogue Content Process to store fraudulent StorageAccessPermission grants
Categories: Firefox :: Security, enhancement
Tracking: Fission Milestone: Future
People: Reporter: tjr, Unassigned
References: Depends on 1 open bug, Blocks 1 open bug
Comment 1 • 5 years ago (Andrea Marchesini [:baku])
> We should (at least) validate that the principal and origins make sense (to
> the extent we can, we can at least check the principal) when we receive this
> message from the Content Process and ensure they are valid for the content
> process it originated from. Ideally we can move the permission check into
> the Parent too, but that may not be possible?
This bug is definitely valid, but we cannot move the permission check entirely into the parent process.
If the parent process has an actor corresponding to the document loaded by the content process, we can move part of the logic into the parent process, but I don't know if we have such information. The best would be to have 2 actors for the 2 documents: the first-party and the third-party contexts. Probably, Fission would help here. NI Nika for this.
Comment 2 • 5 years ago (Reporter)
This is definitely a post-fission task.
Comment 3 • 5 years ago
(In reply to Andrea Marchesini [:baku] from comment #1)
> We should (at least) validate that the principal and origins make sense (to
> the extent we can, we can at least check the principal) when we receive this
> message from the Content Process and ensure they are valid for the content
> process it originated from. Ideally we can move the permission check into
> the Parent too, but that may not be possible?
>
> This bug is definitely valid, but we cannot move the permission check entirely into the parent process.
> If the parent process has an actor corresponding to the document loaded by the content process, we can move part of the logic into the parent process, but I don't know if we have such information. The best would be to have 2 actors for the 2 documents: the first-party and the third-party contexts. Probably, Fission would help here. NI Nika for this.
The PWindowGlobal actor corresponds to a document loaded by the parent process, so we can likely use that to send the message. Does the principal & URI state in WindowGlobalParent (https://searchfox.org/mozilla-central/rev/952521e6164ddffa3f34bc8cfa5a81afc5b859c4/dom/ipc/WindowGlobalParent.h#72-75,88-89) help out here?
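As an added illustration (not Firefox code and not attached to this bug), the following self-contained C++ model shows the parent-side check that comment 1 asks for and that comment 3 suggests WindowGlobalParent's principal state could back: a grant message from a content process is only stored when the first-party and third-party origins it names match a document the parent already knows that process is hosting. All type and function names (`StorageAccessBroker`, `DocumentRecord`, `StorageAccessGrantedMsg`, `onStorageAccessGranted`) and the sample origins are invented for the example; the real IPDL message and actor types are not reproduced.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Added example, not Firefox code. Names below are invented for illustration.

// What the parent records, from trusted load notifications, for each document
// a content process has loaded: the document's origin and the origin of its
// top-level (first-party) context. This stands in for WindowGlobalParent state.
struct DocumentRecord {
    std::string origin;
    std::string topLevelOrigin;
};

// The message as an untrusted content process sends it. If that process is
// compromised, every field is attacker-controlled, so nothing in it is
// believed without cross-checking against parent-side state.
struct StorageAccessGrantedMsg {
    int senderPid;                 // taken from the IPC channel, not the body
    std::string firstPartyOrigin;  // claimed top-level context
    std::string thirdPartyOrigin;  // claimed embedded document that was granted access
};

enum class Verdict {
    Accepted,
    RejectedMalformed,          // not even shaped like an origin
    RejectedUnknownProcess,     // no such content process registered
    RejectedNotHostedBySender   // sender hosts no document with that (origin, top-level) pair
};

class StorageAccessBroker {
public:
    void registerDocument(int pid, const std::string& origin, const std::string& topLevelOrigin) {
        procs_[pid].push_back({origin, topLevelOrigin});
    }

    Verdict onStorageAccessGranted(const StorageAccessGrantedMsg& msg) {
        if (!looksLikeOrigin(msg.firstPartyOrigin) || !looksLikeOrigin(msg.thirdPartyOrigin)) {
            return Verdict::RejectedMalformed;
        }
        auto it = procs_.find(msg.senderPid);
        if (it == procs_.end()) {
            return Verdict::RejectedUnknownProcess;
        }
        bool hosted = false;
        for (const DocumentRecord& doc : it->second) {
            if (doc.origin == msg.thirdPartyOrigin && doc.topLevelOrigin == msg.firstPartyOrigin) {
                hosted = true;
                break;
            }
        }
        if (!hosted) {
            // A process asking to store a grant for a first-party site it never
            // loaded is exactly the fraudulent grant the bug title describes.
            return Verdict::RejectedNotHostedBySender;
        }
        grants_.insert({msg.firstPartyOrigin, msg.thirdPartyOrigin});
        return Verdict::Accepted;
    }

    bool hasGrant(const std::string& firstParty, const std::string& thirdParty) const {
        return grants_.count({firstParty, thirdParty}) > 0;
    }

private:
    // Cheap structural check: "scheme://host" with no path, whitespace or control bytes.
    static bool looksLikeOrigin(const std::string& o) {
        std::string::size_type sep = o.find("://");
        if (sep == std::string::npos || sep == 0 || sep + 3 >= o.size()) return false;
        for (char c : o.substr(sep + 3)) {
            if (c == '/' || c == ' ' || static_cast<unsigned char>(c) < 0x20) return false;
        }
        return true;
    }

    std::map<int, std::vector<DocumentRecord>> procs_;
    std::set<std::pair<std::string, std::string>> grants_;
};

int main() {
    StorageAccessBroker broker;
    // Constructed scenario: process 7 hosts news.example with an embedded tracker.example frame.
    broker.registerDocument(7, "https://news.example", "https://news.example");
    broker.registerDocument(7, "https://tracker.example", "https://news.example");

    Verdict ok = broker.onStorageAccessGranted({7, "https://news.example", "https://tracker.example"});
    Verdict forged = broker.onStorageAccessGranted({7, "https://bank.example", "https://tracker.example"});
    std::cout << "legitimate grant accepted: " << (ok == Verdict::Accepted) << "\n"
              << "forged grant rejected: " << (forged == Verdict::RejectedNotHostedBySender) << "\n";
    return 0;
}
```

The point of the model is that the sender's identity comes from the channel and the document bookkeeping comes from the parent's own records, so the content process cannot widen the check by lying in the message body; a rejected verdict is where real code would log or kill the misbehaving process rather than silently drop the message.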