Open
Bug 1804261
Opened 2 years ago
Updated 2 years ago
Perform early partial JavaScript validation for ORB
Categories
(Core :: DOM: Networking, enhancement, P3)
NEW
People
(Reporter: farre, Unassigned)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [orb:m2][necko-triaged])
JS validation is the catch-all of all data coming through the ORB safelist check, and it's supposed to block not just JSON, but also all other incoming data not parsable as JavaScript, e.g. a font file, some random huge ISO and so on.
By doing an early check for failure, we can block a malicious site ("http://evil.site") from doing a huge Window.fetch("http://lawful.site/path-to-a-huge.iso", {mode: "no-cors"}), probably on the first OnDataAvailable. This way we'll decrease network traffic for the user, as well as saving CPU-cycles, and also prevent evil.site from DDoS'ing lawful.site.
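An added sketch of the early check described above, not code from this bug or from Gecko: a conservative pre-filter that looks at the first chunk only and blocks when the first significant byte cannot begin any JavaScript statement. The names `earlyJsCheck` and `consume` are hypothetical, and the sketch assumes an ASCII-compatible encoding unless a UTF-16 BOM is present; anything it cannot rule out stays undecided for the real parser.

```javascript
// Added example: conservative first-chunk pre-check (not Gecko's implementation).
// Assumes an ASCII-compatible encoding unless a UTF-16 BOM is present.
const BLOCK = "block";         // bytes cannot be the start of a script
const UNDECIDED = "undecided"; // hand over to the real JS parser

const isSpace = (b) => b === 0x20 || (b >= 0x09 && b <= 0x0d);
// ASCII characters that can never begin a top-level statement.
const BAD_START = new Set([...")]},:?=*%&|^>"].map((c) => c.charCodeAt(0)));

function earlyJsCheck(c) {
  const n = c.length;
  // UTF-16 BOM: not byte-comparable with ASCII, leave it to the decoder.
  if ((c[0] === 0xff && c[1] === 0xfe) || (c[0] === 0xfe && c[1] === 0xff)) return UNDECIDED;
  let i = c[0] === 0xef && c[1] === 0xbb && c[2] === 0xbf ? 3 : 0; // skip UTF-8 BOM
  while (i < n) {
    const b = c[i];
    if (isSpace(b)) { i++; continue; }
    if (b === 0x2f && c[i + 1] === 0x2f) {        // "//" line comment
      while (i < n && c[i] !== 0x0a && c[i] !== 0x0d) {
        if (c[i] === 0xe2) return UNDECIDED;      // may be U+2028/U+2029 ending the comment
        i++;
      }
      continue;
    }
    if (b === 0x2f && c[i + 1] === 0x2a) {        // "/*" block comment
      i += 2;
      while (i + 1 < n && !(c[i] === 0x2a && c[i + 1] === 0x2f)) i++;
      if (i + 1 >= n) return UNDECIDED;           // comment continues in a later chunk
      i += 2;
      continue;
    }
    // First significant byte: C0 control, DEL, or a character no statement starts with.
    return b < 0x20 || b === 0x7f || BAD_START.has(b) ? BLOCK : UNDECIDED;
  }
  return UNDECIDED; // only whitespace/comments so far
}

// Models the consumer: only the first chunk is inspected; a block verdict stops
// reading, so the rest of the body is never pulled.
function consume(chunks) {
  let bytesRead = 0, first = true;
  for (const chunk of chunks) {
    bytesRead += chunk.length;
    if (first && earlyJsCheck(chunk) === BLOCK) return { verdict: BLOCK, bytesRead };
    first = false;
  }
  return { verdict: UNDECIDED, bytesRead }; // full JS validation would run here
}
```

A JSON object such as `{"a":1}` stays undecided here, because rejecting it requires actually parsing past the opening brace.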
Updated • 2 years ago
Whiteboard: [orb:m2] → [orb:m2][necko-triaged]
Updated • 2 years ago
Priority: -- → P3
Updated • 2 years ago
Severity: -- → N/A
Updated • 2 years ago
Whiteboard: [orb:m2][necko-triaged] → [orb:m2][necko-triaged][sp3]
Updated • 2 years ago
See Also: → https://mozilla-hub.atlassian.net/browse/SP3-208
Updated • 2 years ago
See Also: https://mozilla-hub.atlassian.net/browse/SP3-208 →
Whiteboard: [orb:m2][necko-triaged][sp3] → [orb:m2][necko-triaged]