Skip to content

/ servo

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pipeline ID spoofing when iframes create pipeline ids? #10885

Closed
asajeffrey opened this issue Apr 27, 2016 · 2 comments
Closed

Pipeline ID spoofing when iframes create pipeline ids? #10885

asajeffrey opened this issue Apr 27, 2016 · 2 comments
Assignees
@asajeffrey
Labels
A-constellation A-security

Comments

@asajeffrey
Copy link
Member

@asajeffrey asajeffrey commented Apr 27, 2016

We are thinking about how to make pipeline ids unguessable, so that even if an attacker compromises their own pipeline, they can't escalate to compromise other ones by spoofing pipeline ids in requests to the constellation.

We need to think about #7807 in this context: can an attacker navigate to alice.com, but generate the pipeline id for Alice and then spoof the constellation?

IRC discussion with @Manishearth and @jdm at http://logs.glob.uno/?c=mozilla%23servo&s=27+Apr+2016&e=27+Apr+2016#c416685.
@asajeffrey asajeffrey self-assigned this Apr 27, 2016
@asajeffrey
Copy link
Member Author

@asajeffrey asajeffrey commented Apr 27, 2016

See #10808 and #10542.
@asajeffrey
Copy link
Member Author

@asajeffrey asajeffrey commented Jan 12, 2017

Closed in favour of #10542.
@asajeffrey asajeffrey closed this Jan 12, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@asajeffrey asajeffrey

Labels
A-constellation A-security
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
@asajeffrey @notriddle
You can’t perform that action at this time.