info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Intent to ship: Treating 'data:' documents as unique, opaque origins
179 views
Skip to first unread message
Christoph Kerschbaumer
Aug 8, 2017, 9:13:41 AM8/8/17
to dev-pl...@lists.mozilla.org
Hey Everyone,
we plan to change the handling of data: URLs for FF57. Rather than inheriting the origin of the settings object responsible for the navigation, data: URIs will be treated as unique, opaque origins [0]. In other words, data: URLs loaded inside an iframe are not same-origin with their including context anymore. Not only will that behavior mitigate the risk of XSS, it will also make Firefox spec compliant [0] and compliant with the behavior of other browsers which all have been shipping that behavior for a long time.
Over the past weeks we have converted hundreds of tests within our test suite to comply with the new data: URI inheritance model. Please note that we have test coverage for both worlds, the new, as well as the old behavior. By now we have a green TRY run for Linux, but have to do a few follow ups for other platforms since some of the failing tests were disabled on Linux. Anyway, currently this feature lives behind the pref |security.data_uri.unique_opaque_origin| which we plan to flip for FF57 so data: documents become unique, opaque, origins.
Even though we have good test coverage we are currently extending web platform tests to make sure behavior is consistent across browsers. We don’t think that adding those additional tests should hold us back from flipping the pref. Ideally we suggest to flip the pref rather sooner than later to eliminate potential issues early in Nightly.
Overall progress of the project will be tracked here [1].
Thanks,
Christoph, Ethan, Henry, and Yoshi
[0] https://html.spec.whatwg.org/multipage/origin.html#origin <https://html.spec.whatwg.org/multipage/origin.html#origin>
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1324406 <https://bugzilla.mozilla.org/show_bug.cgi?id=1324406>
we plan to change the handling of data: URLs for FF57. Rather than inheriting the origin of the settings object responsible for the navigation, data: URIs will be treated as unique, opaque origins [0]. In other words, data: URLs loaded inside an iframe are not same-origin with their including context anymore. Not only will that behavior mitigate the risk of XSS, it will also make Firefox spec compliant [0] and compliant with the behavior of other browsers which all have been shipping that behavior for a long time.
Over the past weeks we have converted hundreds of tests within our test suite to comply with the new data: URI inheritance model. Please note that we have test coverage for both worlds, the new, as well as the old behavior. By now we have a green TRY run for Linux, but have to do a few follow ups for other platforms since some of the failing tests were disabled on Linux. Anyway, currently this feature lives behind the pref |security.data_uri.unique_opaque_origin| which we plan to flip for FF57 so data: documents become unique, opaque, origins.
Even though we have good test coverage we are currently extending web platform tests to make sure behavior is consistent across browsers. We don’t think that adding those additional tests should hold us back from flipping the pref. Ideally we suggest to flip the pref rather sooner than later to eliminate potential issues early in Nightly.
Overall progress of the project will be tracked here [1].
Thanks,
Christoph, Ethan, Henry, and Yoshi
[0] https://html.spec.whatwg.org/multipage/origin.html#origin <https://html.spec.whatwg.org/multipage/origin.html#origin>
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1324406 <https://bugzilla.mozilla.org/show_bug.cgi?id=1324406>
Daniel Veditz
Aug 8, 2017, 11:40:44 AM8/8/17
to Christoph Kerschbaumer, dev-pl...@lists.mozilla.org
On Tue, Aug 8, 2017 at 6:12 AM, Christoph Kerschbaumer <cker...@gmail.com>
wrote:
> compliant with the behavior of other browsers which all have been shipping
> that behavior for a long time.
>
No other browser has _ever_ treated data: the way we do. The spec at one
time said they should because it makes a kind of logical sense--later
<iframe srcdoc=> was invented to get the behavior we already had!--but in
practice it just makes Firefox users vulnerable to web site bugs that
affect no one else.
-
Dan Veditz
wrote:
> compliant with the behavior of other browsers which all have been shipping
> that behavior for a long time.
>
time said they should because it makes a kind of logical sense--later
<iframe srcdoc=> was invented to get the behavior we already had!--but in
practice it just makes Firefox users vulnerable to web site bugs that
affect no one else.
-
Dan Veditz
s.h.h...@gmail.com
Aug 11, 2017, 5:08:59 PM8/11/17
to
When are you expecting to land this to nightly?
Christoph Kerschbaumer
Aug 12, 2017, 8:52:49 AM8/12/17
to s.h.h...@gmail.com, dev-pl...@lists.mozilla.org
> On 11 Aug 2017, at 23:08, s.h.h...@gmail.com wrote:
>
> When are you expecting to land this to nightly?
> _______________________________________________
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
0 new messages