New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update Scanner: all cross-site request from old versions/diffs of pages are blocked #55
Comments
I actually missed the specific problem the user was pointing out, which isn't cross-site request from images and such but rather link clicks. The origins of link clicks are
I have this comment in [browser:src/components/requestpolicyService.js?rev=289%3A0d3416431910#L1438 _isInternalRequest in requestpolicyService.js]: {{{ Plus, the way things currently are it doesn't appear to be possible for a user to work around this by whitelisting the origin 'moz-nullprincipal:', anyways, because of: {{{ Another note: that uuid seems to change with each click of a given link. Just figured I'd mention this as it may be important when looking into this again. In short, as it stands, there is no workaround at all at the moment for enabling link clicks from pages or diffs stored by Update Scanner, other than "temporarily allow all requests". Note: edited comment to break up nullprincipal addresses that might look like revisions. Bug in mercurial trac: http://trac.edgewall.org/ticket/8927 |
A good summary Justin - thanks for looking into this. As you mentioned, the requests are coming from a !data:// URL in an iframe, so it's difficult for you to identify whether they are safe. Using a !data:// URL has been the only secure solution I've been able to find to display untrusted content inside a chrome iframe. It is a slightly unusual solution however, and has caused a few extension conflict problems. I'd be eager to hear any other ideas you might have to do this (my email is attached). Pete |
The problem with link clicks from Update Scanner webpage versions/diffs being blocked has been resolved as of !RequestPolicy 0.5.17. Specifically, r380 and r381 (the fix for #134) translates moz-nullprincipal origins to the true origin so !RequestPolicy can use the true origin to determine if the request was from a link click. The remaining conflict with Update Scanner, afaik, is that there is no way to selectively whitelist requests made when viewing a specific version or diff with Update Scanner. One can allow most of these requests by whitelisting the origin |
One more problem I'm aware of: the !RequestPolicy menu gets confused/confusing sometimes when viewing versions/diffs with Update Scanner. |
Fixed in r407 and r408. This solution is a combination of:
I tried to make these changes as general as possible in the hope that they would be applicable in cases other than Update Scanner. I don't doubt there may be other conflicts with Update Scanner or blocked requests that turn out not to be easy to whitelist. Separate tickets should probably be opened for those issues unless the current changes aren't really working as well as I believe they are. Note that I see some different behavior with Firefox 3.6.13 + Update Scanner 3.1.3 (most recent for Firefox 3) vs. Firefox 4.0b12pre + Update Scanner 3.1.4 (most recent for Firefox 4). I don't know if these differences are due to Firefox changes or Update Scanner changes. The major difference I've seen is that the RP menu with Firefox 3 + Update Scanner 3.1.3 doesn't show individual destinations but one can still "temporarily allow all from data:text/html". When using Firefox 4 with Update Scanner 3.1.4, one does see the individual destinations and can "temporarily allow all from data:text/html to example.com". Given that the better behavior is on Firefox 4, I'm not inclined to look into this further nor to try to fix this for Update Scanner + RP on Firefox 3. |
These changes are included in !RequestPolicy 0.5.19a2. https://www.requestpolicy.com/releases/requestpolicy-0.5.19a2.xpi |
A user asks:
Is there any way to enable the links in Update Scanner while Request Policy is enabled? I tried whitelisting chrome://updatescan/content/, but that did not help.
Here's what I can see from some quick testing:
Update Scanner saves old versions of pages one wants to monitor. When looking at the old versions of pages or at the differences, all cross-site requests are blocked. The url will be something like:
{{{
chrome://updatescan/content/diffPage.xul?id=63&title=Slashdot%20-%20News%20for%20nerds%2C%20stuff%20that%20matters
&newDate=today%20at%209%3A28&oldDate=today%20at%209%3A28&url=http%3A//slashdot.org/&view=old
}}}
However, the blocked requests will be from two origins:
So that's why the user's attempt at whitelisting "chrome://updatescan/content/" failed: the requests aren't coming from that origin even though that's what's in the visible url when using Update Scanner. Because the blocked requests have non-chrome origins, they don't get automatically allowed. However, there may not be an easy way to whitelist these without being at risk from attacks whose origins involve
about:blank
ordata:
.The additionally sad thing here is that the user points out that the breakage only happens with the newer version of Update Scanner that fixed their highly-publicized vulnerability from August. This may lead some people to want to keep using the old version of Update Scanner if they aren't aware of the vulnerability.
The text was updated successfully, but these errors were encountered: