Re: Intent to ship: Treating 'data:' documents as unique, opaque origins

2017-08-12 Thread Christoph Kerschbaumer


> On 11 Aug 2017, at 23:08, s.h.h.n@gmail.com wrote:
> 
> When are you expecting to land this to nightly?

There are a few more tests to convert to comply with the new data URI 
inheritance model and some other cleanups. Let's target Monday, 21st of august 
to flip the switch.

> ___
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Intent to ship: Treating 'data:' documents as unique, opaque origins

2017-08-11 Thread s . h . h . n . j . k
When are you expecting to land this to nightly?
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Re: Intent to ship: Treating 'data:' documents as unique, opaque origins

2017-08-08 Thread Daniel Veditz
On Tue, Aug 8, 2017 at 6:12 AM, Christoph Kerschbaumer 
wrote:

> compliant with the behavior of other browsers which all have been shipping
> that behavior for a long time.
>

No other browser has _ever_ treated data: the way we do. The spec at one
time said they should because it makes a kind of logical sense--later
 was invented to get the behavior we already had!--​but in
practice it just makes Firefox users vulnerable to web site bugs that
affect no one else.

-
​Dan Veditz​
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Intent to ship: Treating 'data:' documents as unique, opaque origins

2017-08-08 Thread Christoph Kerschbaumer
Hey Everyone,

we plan to change the handling of data: URLs for FF57. Rather than inheriting 
the origin of the settings object responsible for the navigation, data: URIs 
will be treated as unique, opaque origins [0]. In other words, data: URLs 
loaded inside an iframe are not same-origin with their including context 
anymore. Not only will that behavior mitigate the risk of XSS, it will also 
make Firefox spec compliant [0] and compliant with the behavior of other 
browsers which all have been shipping that behavior for a long time.

Over the past weeks we have converted hundreds of tests within our test suite 
to comply with the new data: URI inheritance model. Please note that we have 
test coverage for both worlds, the new, as well as the old behavior. By now we 
have a green TRY run for Linux, but have to do a few follow ups for other 
platforms since some of the failing tests were disabled on Linux. Anyway, 
currently this feature lives behind the pref 
|security.data_uri.unique_opaque_origin| which we plan to flip for FF57 so 
data: documents become unique, opaque, origins.

Even though we have good test coverage we are currently extending web platform 
tests to make sure behavior is consistent across browsers. We don’t think that 
adding those additional tests should hold us back from flipping the pref. 
Ideally we suggest to flip the pref rather sooner than later to eliminate 
potential issues early in Nightly.

Overall progress of the project will be tracked here [1].

Thanks,
 Christoph, Ethan, Henry, and Yoshi

[0] https://html.spec.whatwg.org/multipage/origin.html#origin 

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1324406 

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform