Closed
Bug 1581125
Opened 5 years ago
Closed 5 years ago
Should LoginManagerParent verify msg.target's principal against the form origin?
Categories
(Toolkit :: Password Manager, enhancement)
RESOLVED DUPLICATE of bug 1513003
People
(Reporter: freddy, Unassigned)
Details
(Keywords: sec-want)
I'm filing this bug because of the comment
// TODO Verify msg.target's principals against the formOrigin?
in LoginManagerParent.jsm and it seems to me that this might be worth having a bug for.
However, I also noticed that the comment is from 2014 and the code around this has changed significantly, so I'm posing this as a question rather than a fact.
Either way, this is likely not a security bug but a nice-to-have for the future as the child process is not yet limited in which principals it might send.
Comment 1•5 years ago
We're hoping to fix this by the end of the year.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE