Closed Bug 1767395 Opened 3 years ago Closed 3 years ago

Restrict systemprincipal from loading type *SCRIPT* via HTTP, HTTPS

Categories

(Core :: DOM: Security, task, P2)

RESOLVED FIXED
102 Branch
Tracking Status
firefox102 --- fixed

People

(Reporter: freddy, Assigned: freddy)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #1735117 +++

This copies over the behavior for style & subdocument restrictions.
Admittedly, with this if/else spaghetti, it would be preferable to
turn this into restriction levels or lump some of the known-to-be-safe
prefs together, but I would prefer we wait a couple of cycles to
make sure this makes it all the way to release before we refactor.

Severity: -- → S3
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Pushed by fbraun@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2f9156dc45d4 disallow loading http/https scripts for systemprincipal r=ckerschb,tjr
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch
Blocks: 1767581