Enforce AssertEvalNotUsingSystemPrincipal on non-Debug Builds
Categories
(Core :: DOM: Security, task, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox71 | --- | fixed |
People
(Reporter: tjr, Assigned: tjr)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
Attachments
(2 files)
In Bug 1567623 we're adding telemetry to look for in-the-wild uses of eval in the system principal context. That code will crash a debug build but will only log an error and allow execution in opt builds.
This bug tracks changing that code to (probably) abort execution of eval() without crashing the process. This might cause unknown errors so that's an argument for crashing instead... but since we believe we've figured out all the uses of eval() in our code this is probably caused by people doing weird things so maybe it'll be safer to give a less obvious (aborted execution) behavior rather than such a disruptive one (crashing)
|
||
Comment 1•5 years ago
|
||
|
||
Updated•5 years ago
|
|
||
Comment 3•5 years ago
|
||
I'm disabling eval() in Nightly builds now in bug 1572568. Please let us know when this bug goes ahead and we reverse the change.
|
Assignee | |
Comment 4•5 years ago
|
||
We log to MOZ_LOG, report an error to the console, send telemetry, and in debug builds - crash
|
|
Assignee | |
Comment 5•5 years ago
|
||
|
|
Assignee | |
Comment 6•5 years ago
|
||
Pushed by tritter@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7b105dde3945 Move Eval testing logic from nsContentSecurityManager to nsContentSecurityUtils r=ckerschb https://hg.mozilla.org/integration/autoland/rev/ce2f8a6c77c6 Enforce eval restrictions in system contexts and the parent process r=ckerschb
|
||
Comment 8•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/7b105dde3945
https://hg.mozilla.org/mozilla-central/rev/ce2f8a6c77c6
Description
•