Closed Bug 1767581 Opened 3 years ago Closed 2 years ago

Restrict privileged about principals from loading type *SCRIPT* via HTTP, HTTPS

Categories

(Core :: DOM: Security, task, P2)

Tracking

RESOLVED FIXED
102 Branch
Tracking Status
firefox102 --- fixed

People

(Reporter: dveditz, Assigned: freddy)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 files)

+++ This bug was initially created as a clone of Bug #1767395 +++

What bug 1767395 is doing for SystemPrincipal contexts, we should also do for semi-privileged about: and Web Extension contexts.

Should double-check w/Web Extension folks that this is OK, but since they already have a policy against remote loading of script, it should be fine to enforce it in code.

Flags: needinfo?(awagner)

Ah, we do not have a notion of a "semi-privileged about context", but it might be easier to just do it based on the process type (e.g., https://searchfox.org/mozilla-central/rev/997a56b018662e2940c99bbaf57a6ac9d1aa5422/dom/ipc/ProcessIsolation.cpp#123-150).
I'll throw together a prototype.

For WebExtensions, I'm not sure if a process-based or a principal-based restriction would work and there are various questions:

  • What about privileged Mozilla extensions? Do they run in the parent or in the WebExt process? Do they need to run external script?
  • Do we allow weird shenanigans for enterprisey extensions?

Hoping to get an answer from the extension folks :)

This sounds good to me on a high level, but I don't know enough about Firefox internals to fully understand all consequences and identify potential edge cases. Shane, could you weigh in here and flag this for others in the team who could provide input?

Flags: needinfo?(awagner) → needinfo?(scaraveo)

This is a bit of a refactor. We need to remove an early-return
for loads that are not from the SystemPrincipal, which moves
some easier checks (allowed content-types) up, to allow for more
efficient early returns.

We'll keep the spaghetti code for existing checks, to be able
to easily iterate and pref-flip if things fail later in the cycle.

This also resolves bug 1638770 and removes the "disallow all"
pref that proved not to be a useful approach anyway.
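A simplified model of the check order this commit message describes (cheap content-type checks first, then the privileged-requester restrictions), added here as an illustration and not Gecko's actual nsContentSecurityManager code; the allowed content-type set, the Principal enum, the LoadRequest struct and ShouldBlockLoad are all assumptions:

```cpp
#include <string>

// Hypothetical model only: the real checks live in Gecko's
// nsContentSecurityManager; names and the allowed-type set are assumed.
enum class ContentType { Script, Stylesheet, Image, Document, Other };
enum class Principal { System, PrivilegedAbout, Content };

struct LoadRequest {
  Principal loadingPrincipal;  // who is requesting the load
  ContentType type;            // kind of resource requested
  bool hasFinalURI;            // false models a load with no final URI
  std::string scheme;          // scheme of the final URI, e.g. "https"
};

// Content types assumed to be exempt from the remote-script restriction;
// checking them first gives the cheap early return the refactor moves up.
static bool IsAlwaysAllowedType(ContentType t) {
  return t == ContentType::Image || t == ContentType::Stylesheet ||
         t == ContentType::Other;
}

static bool IsRemoteScheme(const std::string& scheme) {
  return scheme == "http" || scheme == "https";
}

// Returns true when the load must be blocked.
bool ShouldBlockLoad(const LoadRequest& req) {
  // 1. Easier content-type check first (allowed regardless of requester).
  if (IsAlwaysAllowedType(req.type)) return false;
  // 2. Ordinary web content is outside the scope of this restriction.
  if (req.loadingPrincipal == Principal::Content) return false;
  // 3. A privileged load without a final URI cannot be evaluated: block.
  if (!req.hasFinalURI) return true;
  // 4. SystemPrincipal and privileged about: requesters must not fetch
  //    SCRIPT over http/https; other schemes (chrome:, resource:) pass.
  return req.type == ContentType::Script && IsRemoteScheme(req.scheme);
}
```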

Please file a separate bug for webextensions.

We'll have to think through this (I haven't as of writing this comment). I'd certainly be inclined to make it happen at least for MV3.

> they already have a policy against remote loading of script, it should be fine

Having a policy and the real world can be different things.

Flags: needinfo?(scaraveo)
Depends on: 1767798
Assignee: nobody → fbraun
Attachment #9274929 - Attachment description: WIP: Bug 1767581 - disallow remote scripts from privileged about pages → Bug 1767581 - disallow remote scripts from privileged about pages r?ckerschb,dveditz
Status: NEW → ASSIGNED
Summary: Restrict WebExtension and privileged about principals from loading type *SCRIPT* via HTTP, HTTPS → Restrict privileged about principals from loading type *SCRIPT* via HTTP, HTTPS
Attachment #9274929 - Attachment description: Bug 1767581 - disallow remote scripts from privileged about pages r?ckerschb,dveditz → Bug 1767581 - refactor systemprincipal restrictions, disallow loads without finaluri r?ckerschb,dveditz
Pushed by fbraun@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9e1c758297d8
refactor systemprincipal restrictions, disallow loads without finaluri r=ckerschb,tjr
https://hg.mozilla.org/integration/autoland/rev/b892e222c4d5
restrict loads of http/https scripts in the privilegedabout process r=dveditz
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch