Re: CPOWs are now almost completely disabled
This is great news! Thanks to everybody involved! On Thu, 28 Jun 2018 at 09:16, Alex Gaynor wrote: > Outstanding! I love a good IPC attack surface reduction! > > Alex > > On Wed, Jun 27, 2018 at 6:54 PM Tom Schuster wrote: > > > Since landing bug 1465911 [1], CPOWs [2] are only functional on our > testing > > infrastructure. In normal builds that we ship to users CPOWs can be > > created, but no operations like property lookup can be performed on them. > > > > CPOWs continue to exist, because a lot of tests still depend on them. We > > can't disable CPOW creation in user builds, because the context menu > passes > > them from the child to the parent and back like a token. > > > > This is a significant IPC attack surface reduction. > > > > [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1465911 > > [2] > > > > > https://developer.mozilla.org/en-US/Firefox/Multiprocess_Firefox/Cross_Process_Object_Wrappers > > ___ > > dev-platform mailing list > > dev-platform@lists.mozilla.org > > https://lists.mozilla.org/listinfo/dev-platform > > > ___ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform > ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: CPOWs are now almost completely disabled
Outstanding! I love a good IPC attack surface reduction! Alex On Wed, Jun 27, 2018 at 6:54 PM Tom Schuster wrote: > Since landing bug 1465911 [1], CPOWs [2] are only functional on our testing > infrastructure. In normal builds that we ship to users CPOWs can be > created, but no operations like property lookup can be performed on them. > > CPOWs continue to exist, because a lot of tests still depend on them. We > can't disable CPOW creation in user builds, because the context menu passes > them from the child to the parent and back like a token. > > This is a significant IPC attack surface reduction. > > [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1465911 > [2] > > https://developer.mozilla.org/en-US/Firefox/Multiprocess_Firefox/Cross_Process_Object_Wrappers > ___ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform > ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: CPOWs are now almost completely disabled
\o/ On Thu, Jun 28, 2018 at 12:52:51AM +0200, Tom Schuster wrote: Since landing bug 1465911 [1], CPOWs [2] are only functional on our testing infrastructure. In normal builds that we ship to users CPOWs can be created, but no operations like property lookup can be performed on them. CPOWs continue to exist, because a lot of tests still depend on them. We can't disable CPOW creation in user builds, because the context menu passes them from the child to the parent and back like a token. This is a significant IPC attack surface reduction. [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1465911 [2] https://developer.mozilla.org/en-US/Firefox/Multiprocess_Firefox/Cross_Process_Object_Wrappers ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
Re: CPOWs are now almost completely disabled
This is awesome - thanks Tom! On Wed, Jun 27, 2018 at 3:53 PM Tom Schuster wrote: > Since landing bug 1465911 [1], CPOWs [2] are only functional on our testing > infrastructure. In normal builds that we ship to users CPOWs can be > created, but no operations like property lookup can be performed on them. > > CPOWs continue to exist, because a lot of tests still depend on them. We > can't disable CPOW creation in user builds, because the context menu passes > them from the child to the parent and back like a token. > > This is a significant IPC attack surface reduction. > > [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1465911 > [2] > > https://developer.mozilla.org/en-US/Firefox/Multiprocess_Firefox/Cross_Process_Object_Wrappers > ___ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform > ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
CPOWs are now almost completely disabled
Since landing bug 1465911 [1], CPOWs [2] are only functional on our testing infrastructure. In normal builds that we ship to users CPOWs can be created, but no operations like property lookup can be performed on them. CPOWs continue to exist, because a lot of tests still depend on them. We can't disable CPOW creation in user builds, because the context menu passes them from the child to the parent and back like a token. This is a significant IPC attack surface reduction. [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1465911 [2] https://developer.mozilla.org/en-US/Firefox/Multiprocess_Firefox/Cross_Process_Object_Wrappers ___ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform