Add ReadOnlyPage to the list of mitigations in scope for the Exploit Mitigation bounty

Tom Ritter 2021-09-28 14:22:32 -04:00 committed by Paul McLanahan
Parent 9a82134278
Commit 50f6c9aae9
1 changed file: 1 addition and 0 deletions


@ -136,6 +136,7 @@
<li>We do not allow attacker-controlled JavaScript to run in the Parent Process - whether delivered from the internet or provided from a compromised content process. A bypass would be finding a way to execute javascript of your control in the parent process through any mechanism except PAC scripts.</li>
<li>In Bugs <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1479960">1479960</a>, <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1550900">1550900</a>, and <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1550037">1550037</a> we added support for sharing memory from the parent to child processes where the child process cannot modify the memory, but the parent can. A bypass would be finding a way to modify the memory from the child process.</li>
<li>The Firefox UI is written in HTML/JavaScript, which means Firefox runs certain scripts with elevated privileges beyond what is ordinarily available to web content. To prevent privilege escalation attacks, Gecko implements a capability-based <a href="https://developer.mozilla.org/en-US/docs/Mozilla/Gecko/Script_security">script security architecture</a> (primarily implemented <a href="https://searchfox.org/mozilla-central/source/js/xpconnect/wrappers">in js/xpconnect/wrappers</a>), including special Xray Wrappers which prevent lesser-privileged JavaScript from confusing higher-privileged or differently-privileged Javascript when scripts interact across privilege boundaries. A bypass would be identifying a plausible exploitation scenario that occurs due to missing or incomplete sanitizing across compartments. A scenario is more likely to be considered “plausible” if it was the source of a past bug or is a code pattern we do elsewhere in-tree (the dependencies of bug <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=929539">929539</a> show some examples which we previously worked to eliminate).</li>
<li>We have a <a href="https://searchfox.org/mozilla-central/search?q=ReadOnlyPage&path=">ReadOnlyPage</a> <a href="https://searchfox.org/mozilla-central/rev/3fa5cc437a4937c621ea068ba5dc246f75831633/js/xpconnect/src/nsXPConnect.cpp#1018">implementation</a> which is intended to prevent Data-Only attacks. A bypass would be reliably exploiting a race condition when the memory region is unprotected, finding a bug such that the memory region is left unprotected, or identifying a way around the mitigation to effect a data-only attack on the protected values.</li>
</ul>
<p><sup>3</sup> Some styles are currently allowed by the sanitizer, but limited by the CSP to only allow chrome:// styles, which are part of the build. We will look at style-related issues on a case-by-case basis. We explicitly discourage researchers from re-styling a page for clickjacking attacks because we have a very high bar for an attack.</p>
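Review bot: the new ReadOnlyPage item is the only entry in this list that gives no bug reference for the mitigation it puts in scope, and its two searchfox links are inconsistent: the "implementation" link is pinned to revision 3fa5cc437a4937c621ea068ba5dc246f75831633 at nsXPConnect.cpp#1018, which will keep pointing at that old line once the code moves, while the "ReadOnlyPage" link is an unscoped search with an empty `path=` parameter. The neighbouring items anchor their scope on Bugzilla bugs (1479960, 1550900, 1550037, 929539); consider citing the bug that landed ReadOnlyPage here as well, and either link the file path without a revision or scope the search to js/xpconnect/. Minor style point in the same line: "Data-Only attacks" and "a data-only attack" should use one casing.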