Closed Bug 1557409 Opened 5 years ago Closed 5 years ago

AddressSanitizer: global-buffer-overflow /src/obj-firefox/dist/include/mozilla/BasePrincipal.h:157:39 in Kind

Categories

(Core :: Graphics: CanvasWebGL, defect, P3)

defect

Tracking


RESOLVED FIXED
mozilla69
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- disabled
firefox67.0.1 --- disabled
firefox68 --- disabled
firefox69 + fixed

People

(Reporter: jkratzer, Assigned: ehsan.akhgari)

References

(Blocks 2 open bugs, Regression)

Details

(5 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(2 files)

Found while fuzzing mozilla-central rev a73077366144. Unfortunately, I don't have a working testcase at the moment but will update if one becomes available.

==28993==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fdd261b2308 at pc 0x7fdd11fcf088 bp 0x7fdcc55d80d0 sp 0x7fdcc55d80c8
READ of size 4 at 0x7fdd261b2308 thread T1227 (DOM Worker)
    #0 0x7fdd11fcf087 in Kind /src/obj-firefox/dist/include/mozilla/BasePrincipal.h:157:39
    #1 0x7fdd11fcf087 in IsSystemPrincipal /src/obj-firefox/dist/include/mozilla/BasePrincipal.h:336
    #2 0x7fdd11fcf087 in IsSystemPrincipal /src/obj-firefox/dist/include/mozilla/BasePrincipal.h:342
    #3 0x7fdd11fcf087 in IsSystemPrincipal /src/dom/base/nsContentUtils.cpp:5001
    #4 0x7fdd11fcf087 in nsContentUtils::ShouldResistFingerprinting(nsIPrincipal*) /src/dom/base/nsContentUtils.cpp:1978
    #5 0x7fdd15b3b8b9 in mozilla::WebGLContext::InitAndValidateGL(mozilla::WebGLContext::FailureReason*) /src/dom/canvas/WebGLContextValidate.cpp:485:18
    #6 0x7fdd15adb4bc in mozilla::WebGLContext::CreateAndInitGL(bool, std::vector<mozilla::WebGLContext::FailureReason, std::allocator<mozilla::WebGLContext::FailureReason> >*) /src/dom/canvas/WebGLContext.cpp:621:8
    #7 0x7fdd15adf12d in mozilla::WebGLContext::SetDimensions(int, int) /src/dom/canvas/WebGLContext.cpp:842:8
    #8 0x7fdd15a6090f in mozilla::dom::CanvasRenderingContextHelper::UpdateContext(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /src/dom/canvas/CanvasRenderingContextHelper.cpp:216:24
    #9 0x7fdd15a602c3 in mozilla::dom::CanvasRenderingContextHelper::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /src/dom/canvas/CanvasRenderingContextHelper.cpp:174:19
    #10 0x7fdd15a7e9e6 in mozilla::dom::OffscreenCanvas::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /src/dom/canvas/OffscreenCanvas.cpp:113:62
    #11 0x7fdd13473731 in mozilla::dom::OffscreenCanvas_Binding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::OffscreenCanvas*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/OffscreenCanvasBinding.cpp:201:64
    #12 0x7fdd158e58a2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3165:13
    #13 0x7fdd1d1a5fd7 in CallJSNative /src/js/src/vm/Interpreter.cpp:448:13
    #14 0x7fdd1d1a5fd7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:540
    #15 0x7fdd1d186772 in CallFromStack /src/js/src/vm/Interpreter.cpp:599:10
    #16 0x7fdd1d186772 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3087
    #17 0x7fdd1d170248 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:425:10
    #18 0x7fdd1d1a6adf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:568:13
    #19 0x7fdd1d1a8d02 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:611:8
    #20 0x7fdd1de1b388 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2667:10
    #21 0x7fdd14eab679 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
    #22 0x7fdd161a45d5 in Call<nsCOMPtr<mozilla::dom::EventTarget> > /src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #23 0x7fdd161a45d5 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /src/dom/events/JSEventHandler.cpp:205
    #24 0x7fdd16153d1a in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1041:22
    #25 0x7fdd16155c49 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /src/dom/events/EventListenerManager.cpp:1239:17
    #26 0x7fdd16136681 in HandleEvent /src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #27 0x7fdd16136681 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:349
    #28 0x7fdd161348b6 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:551:16
    #29 0x7fdd1613b624 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:1047:11
    #30 0x7fdd1614336b in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /src/dom/events/EventDispatcher.cpp
    #31 0x7fdd160ed760 in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /src/dom/events/DOMEventTargetHelper.cpp:166:17
    #32 0x7fdd16168af7 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /src/dom/events/EventTarget.cpp:178:13
    #33 0x7fdd17e6a818 in mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) /src/dom/workers/MessageEventRunnable.cpp:94:12
    #34 0x7fdd17f0d851 in mozilla::dom::WorkerRunnable::Run() /src/dom/workers/WorkerRunnable.cpp:363:12
    #35 0x7fdd0dedfdf7 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1176:14
    #36 0x7fdd0dee7a34 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #37 0x7fdd17eed59b in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /src/dom/workers/WorkerPrivate.cpp:2789:7
    #38 0x7fdd17ea8fd4 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /src/dom/workers/RuntimeService.cpp:2318:40
    #39 0x7fdd0dedfdf7 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1176:14
    #40 0x7fdd0dee7a34 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #41 0x7fdd0f2c0c31 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:303:20
    #42 0x7fdd0f196f9e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #43 0x7fdd0f196f9e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #44 0x7fdd0f196f9e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #45 0x7fdd0ded8043 in nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:455:11
    #46 0x7fdd3377e0bd in _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #47 0x7fdd333c06da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #48 0x7fdd3239e88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x7fdd261b2308 is located 56 bytes to the left of global variable 'mozilla::dom::workerinternals::RuntimeService::sDefaultJSSettings' defined in '/builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1132:28' (0x7fdd261b2340) of size 280
0x7fdd261b2308 is located 0 bytes to the right of global variable 'guard variable for mozilla::dom::GetWorkerPrincipal()::sPrincipal' defined in '/builds/worker/workspace/build/src/obj-firefox/dom/workers/Unified_cpp_dom_workers0.cpp' (0x7fdd261b2300) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow /src/obj-firefox/dist/include/mozilla/BasePrincipal.h:157:39 in Kind
Shadow bytes around the buggy address:
  0x0ffc24c2e410: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0ffc24c2e420: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ffc24c2e430: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0ffc24c2e440: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ffc24c2e450: 00 f9 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
=>0x0ffc24c2e460: 00[f9]f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ffc24c2e470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc24c2e480: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
  0x0ffc24c2e490: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9
  0x0ffc24c2e4a0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0ffc24c2e4b0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
Thread T1227 (DOM Worker) created by T0 (file:// Content) here:
    #0 0x5647fd757d4d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7fdd337701b8 in _PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7fdd33759d9e in PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7fdd0dedafc9 in nsThread::Init(nsTSubstring<char> const&) /src/xpcom/threads/nsThread.cpp:662:8
    #4 0x7fdd17f2055e in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /src/dom/workers/WorkerThread.cpp:93:7
    #5 0x7fdd17e7451c in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate*) /src/dom/workers/RuntimeService.cpp:1437:14
    #6 0x7fdd17e72467 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate*) /src/dom/workers/RuntimeService.cpp:1302:19
    #7 0x7fdd17ee6570 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&) /src/dom/workers/WorkerPrivate.cpp:2281:24
    #8 0x7fdd17e860d1 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /src/dom/workers/Worker.cpp:30:41
    #9 0x7fdd14a913a6 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /src/obj-firefox/dom/bindings/WorkerBinding.cpp:1139:52
    #10 0x7fdd1d1a9cc7 in CallJSNative /src/js/src/vm/Interpreter.cpp:448:13
    #11 0x7fdd1d1a9cc7 in CallJSNativeConstructor /src/js/src/vm/Interpreter.cpp:464
    #12 0x7fdd1d1a9cc7 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /src/js/src/vm/Interpreter.cpp:657
    #13 0x7fdd1e3aec52 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /src/js/src/jit/BaselineIC.cpp:3710:10
    #14 0x17aeda7257e7  (<unknown module>)
    #15 0x63100337f71f  (<unknown module>)
    #16 0x17aeda7234de  (<unknown module>)
    #17 0x7fdd1e5a9a6a in EnterBaseline /src/js/src/jit/BaselineJIT.cpp:110:5
    #18 0x7fdd1e5a9a6a in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /src/js/src/jit/BaselineJIT.cpp:198
    #19 0x7fdd1d196116 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:1994:24
    #20 0x7fdd1d170248 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:425:10
    #21 0x7fdd1d1a6adf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:568:13
    #22 0x7fdd1d1a8d02 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:611:8
    #23 0x7fdd1de1b388 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2667:10
    #24 0x7fdd14eb1729 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #25 0x7fdd16153cc2 in HandleEvent<mozilla::dom::EventTarget *> /src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #26 0x7fdd16153cc2 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1035
    #27 0x7fdd16155c04 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /src/dom/events/EventListenerManager.cpp:1239:17
    #28 0x7fdd16136681 in HandleEvent /src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #29 0x7fdd16136681 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:349
    #30 0x7fdd161348b6 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:551:16
    #31 0x7fdd1613b624 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:1047:11
    #32 0x7fdd1614336b in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /src/dom/events/EventDispatcher.cpp
    #33 0x7fdd12774104 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /src/dom/base/nsINode.cpp:1029:17
    #34 0x7fdd11fe6286 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /src/dom/base/nsContentUtils.cpp:3947:28
    #35 0x7fdd11fe5ffe in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /src/dom/base/nsContentUtils.cpp:3917:10
    #36 0x7fdd123920b2 in mozilla::dom::Document::DispatchContentLoadedEvents() /src/dom/base/Document.cpp:6317:3
    #37 0x7fdd124ad3fb in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
    #38 0x7fdd124ad3fb in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /src/obj-firefox/dist/include/nsThreadUtils.h:1128
    #39 0x7fdd124ad3fb in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /src/obj-firefox/dist/include/nsThreadUtils.h:1174
    #40 0x7fdd0de9f885 in mozilla::SchedulerGroup::Runnable::Run() /src/xpcom/threads/SchedulerGroup.cpp:295:32
    #41 0x7fdd0dedfdf7 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1176:14
    #42 0x7fdd0dee7a34 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #43 0x7fdd0f2bf4cf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:88:21
    #44 0x7fdd0f196f9e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #45 0x7fdd0f196f9e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #46 0x7fdd0f196f9e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #47 0x7fdd1889f473 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
    #48 0x7fdd1cecd10e in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:911:20
    #49 0x7fdd0f196f9e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #50 0x7fdd0f196f9e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #51 0x7fdd0f196f9e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #52 0x7fdd1cecc27c in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:749:34
    #53 0x5647fd7a266e in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #54 0x5647fd7a266e in main /src/browser/app/nsBrowserApp.cpp:263
    #55 0x7fdd3229eb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

==28993==ABORTING

Ehsan, it looks like you have looked at some of this fingerprinting code in bug 1547073 and bug 1532402. Maybe you have some idea what might be going wrong here? Thanks.

Group: core-security → gfx-core-security
Flags: needinfo?(ehsan)
Flags: needinfo?(ehsan)

Talking with baku about this...

The problem here is that this code is calling nsContentUtils::ObjectPrincipal() which is unsafe to call off the main thread.

Note that while everything from 67 and above is affected, the bug can be triggered only using OffscreenCanvas which is disabled by default.

Keywords: regression
Assignee: nobody → ehsan
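The root cause in the comment above is a principal accessor that is only valid on the main thread being reached from a DOM worker. The following is an added example, not Firefox code: it models that pattern with stand-in names (Principal, PrincipalOrNull, ShouldResistFingerprinting, EnsureMainThreadRecorded are all assumed), puts the unchecked accessor next to one hardened in the shape of the Part 1 fix (return null off the main thread), and shows a caller that never dereferences a null principal.

```cpp
// Added example (not Firefox code). Models a main-thread-only principal
// accessor reached from a worker thread, and the hardened variant that
// returns null off the main thread. All names are stand-ins.
#include <cstdint>
#include <thread>

enum class PrincipalKind : uint32_t { Null = 0, Content = 1, System = 2 };

struct Principal {
  PrincipalKind mKind;
  PrincipalKind Kind() const { return mKind; }
  bool IsSystemPrincipal() const { return Kind() == PrincipalKind::System; }
};

// Assumption for this model: the first thread to call
// EnsureMainThreadRecorded() is the main thread (Firefox records it at startup).
static std::thread::id gMainThread;
static bool gMainThreadRecorded = false;

void EnsureMainThreadRecorded() {
  if (!gMainThreadRecorded) {
    gMainThread = std::this_thread::get_id();
    gMainThreadRecorded = true;
  }
}

bool IsMainThread() {
  return gMainThreadRecorded && std::this_thread::get_id() == gMainThread;
}

// Main-thread-only state; a worker must never read it.
static Principal gSystemPrincipal{PrincipalKind::System};

// Unsafe accessor: hands the main-thread object to any caller, any thread.
const Principal* PrincipalUnchecked() { return &gSystemPrincipal; }

// Hardened accessor: refuses to return a principal off the main thread.
const Principal* PrincipalOrNull() {
  if (!IsMainThread()) return nullptr;
  return &gSystemPrincipal;
}

// Null-safe caller: an absent principal is treated as unknown and gets the
// conservative answer (resist); the system principal is exempt.
bool ShouldResistFingerprinting(const Principal* aPrincipal, bool aPrefOn) {
  if (!aPrefOn) return false;
  if (!aPrincipal) return true;
  return !aPrincipal->IsSystemPrincipal();
}

struct Outcome { bool principalWasNull; bool resist; };

// Runs the check on the calling (main) thread.
Outcome CheckOnMainThread(bool aPrefOn) {
  EnsureMainThreadRecorded();
  const Principal* p = PrincipalOrNull();
  return {p == nullptr, ShouldResistFingerprinting(p, aPrefOn)};
}

// Runs the same check on a spawned worker thread, as the getContext() path
// in the report did; the hardened accessor yields null there.
Outcome CheckOnWorkerThread(bool aPrefOn) {
  EnsureMainThreadRecorded();
  Outcome out{false, false};
  std::thread worker([&out, aPrefOn] {
    const Principal* p = PrincipalOrNull();
    out = {p == nullptr, ShouldResistFingerprinting(p, aPrefOn)};
  });
  worker.join();
  return out;
}

// Shows the unchecked accessor leaking main-thread state to a worker.
bool UncheckedLeaksToWorker() {
  EnsureMainThreadRecorded();
  bool leaked = false;
  std::thread worker([&leaked] {
    leaked = PrincipalUnchecked() != nullptr && !IsMainThread();
  });
  worker.join();
  return leaked;
}
```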

Comment on attachment 9070652 [details]
Bug 1557409 - Part 1: Make sure nsIGlobalObject::PrincipalOrNull() returns null when called off the main thread;

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Technically easily, given that part 1 adds a main-thread check. But in reality the OfflineCanvas feature is disabled by default, so it would be impossible to create a working exploit based on this patch.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: release 67
  • If not all supported branches, which bug introduced the flaw?: Bug 1532414
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: Not risky, since the affected feature is disabled by default.
Attachment #9070652 - Flags: sec-approval?
Attachment #9070653 - Flags: sec-approval?

Sorry, I didn't mean to mess with the tracking flags, only the disabled thing.

IMO this doesn't really need to be tracked for older branches if it is disabled by default. It is nice to have it tracked on m-c in case it gets enabled or whatever.

Since this is disabled by default, and is not a supported configuration, we should be able to just land this on Nightly. I don't think we need to treat this as a sec-high.

Severity: critical → minor
Priority: -- → P3

We mark bugs with the rating they'd have if whatever thing was actually enabled, but yeah this doesn't need sec-approval, because it does not actually affect any branch in the default configuration.

Comment on attachment 9070652 [details]
Bug 1557409 - Part 1: Make sure nsIGlobalObject::PrincipalOrNull() returns null when called off the main thread;

Clearing sec-approval for the reasons noted.

Attachment #9070652 - Flags: sec-approval?
Attachment #9070653 - Flags: sec-approval?
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release
Has Regression Range: --- → yes