Disable eval() usage if the user has a PAC Script set (or we are executing a pac script)
Categories: Core :: DOM: Security, defect, P2
People: Reporter: tjr, Assigned: tjr
References: Blocks 1 open bug
Details: Whiteboard: [domsecurity-active]
Attachments: 1 file (deleted), text/x-phabricator-request; pascalc: approval-mozilla-beta+
In Berlin, late at night, :nika suggested that the remaining traces of eval() occurring might be coming from PAC Scripts. Let's disable the eval assertions then and see what happens!
Comment 1•5 years ago
network.proxy.autoconfig_url
Updated•5 years ago
Comment 2•5 years ago
Comment 4•5 years ago
bugherder
Comment 5•5 years ago
[Tracking Requested - why for this release]:
In Bug 1611238 in 74 we are going to enforce eval restrictions. In this bug we believe we have identified what may be some last lingering sources of the telemetry we were seeing. Here we'll disable the eval restrictions for PAC Scripts. Not taking this in 74 would mean that in 74 release, if a PAC script used eval, it would not work.
We should either hold back Bug 1611238 or uplift this bug to 74. I'd prefer to uplift this bug, because it's a safe uplift (it's disabling a security feature) and I'd prefer to avoid holding back the security feature for another release.
Comment 6•5 years ago
Comment on attachment 9127955 [details]
Bug 1614008 - Disable eval checks for PAC Scripts r?jandem
Beta/Release Uplift Approval Request
- User impact if declined: See Comment 5
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This is a small patch that disables a security check.
- String changes made/needed:
Updated•5 years ago
Comment 7•5 years ago
Comment on attachment 9127955 [details]
Bug 1614008 - Disable eval checks for PAC Scripts r?jandem
The justification seems reasonable to me, uplift approved for 74.0b8, thanks.
Comment 8•5 years ago
bugherder uplift