Open Bug 1670242 (site-isolation-principal-vetting) Opened 4 years ago Updated 2 years ago

[meta] Harden Site-Isolation by introducing IPC based Principal vetting

Categories

(Core :: DOM: Security, task, P3)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

Status:
ASSIGNED

People

(Reporter: ckerschb, Assigned: ckerschb)

References

(Depends on 4 open bugs, Blocks 1 open bug)

Details

(Keywords: meta, Whiteboard: [domsecurity-meta])

When we load a document in Fission, we load URL into a specific content process. Within this project we wanna make sure that a URL assigned to a specific content process can only send Principals up to the parent process that match the URL of that content process.

While that obviously does not work in all the cases, because e.g. we create Principals for images loaded into a document which might be cross origin, the TriggeringPricnipal should always match the URL of the content process.

We will need a multitude of sub bugs for this project to realize, because there a multitude of different load scenarios, so let's keep this bug as a meta bug.

Depends on: 1670244
Severity: -- → N/A
Priority: -- → P3
Depends on: 1671166
Depends on: 1672648
Depends on: 1678310
Alias: site-isolation-principal-vetting
Depends on: 1690844
Depends on: 1696391
Depends on: 1699389
Depends on: 1700639
Blocks: 1639200
No longer blocks: 1639200
Depends on: 1639200
Depends on: 1701670
Depends on: 1703323
Depends on: 1706407
Depends on: 1758161
You need to log in before you can comment on or make changes to this bug.