Skip to content
This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

Fixed access-control-allow-origin: * set on about: pages #4913

Closed
diracdeltas opened this issue Oct 18, 2016 · 5 comments · Fixed by #7484
Closed

Fixed access-control-allow-origin: * set on about: pages #4913

diracdeltas opened this issue Oct 18, 2016 · 5 comments · Fixed by #7484
Assignees
@diracdeltas
Labels
QA/checked-Linux QA/checked-macOS QA/checked-Win32 QA/checked-Win64 QA/test-plan-specified release-notes/include security
Milestone
0.14.0

Comments

@diracdeltas
Copy link
Member

diracdeltas commented Oct 18, 2016
edited by luixxiul
Loading

Test plan

#7484 (comment)

reported along with #4885
@diracdeltas diracdeltas self-assigned this Oct 18, 2016
@diracdeltas diracdeltas added this to the 0.12.6dev milestone Oct 18, 2016
@diracdeltas diracdeltas modified the milestones: 0.12.7dev, 0.12.6dev Oct 19, 2016
This was referenced Oct 20, 2016
Closed
Closed
@srirambv
Copy link
Collaborator

srirambv commented Oct 20, 2016
edited
Loading

Only step1 mentioned in 186113e passed
#4885 steps fails, reopened the issue

@alexwykoff alexwykoff mentioned this issue Oct 21, 2016
Closed
@alexwykoff alexwykoff mentioned this issue Oct 22, 2016
Closed
@diracdeltas
Copy link
Member Author

This regressed with dbc0796. cc @bridiver

@diracdeltas diracdeltas reopened this Mar 3, 2017
@diracdeltas diracdeltas modified the milestones: 0.13.6, 0.12.6dev Mar 3, 2017
diracdeltas added a commit that referenced this issue Mar 3, 2017
@diracdeltas
remove about:preferences from web_accessible_resources
347458e 
fix #4913

Auditors: @bridiver

Test Plan:
1. open about:preferences and open devtools
2. the top-level HTTP response should not show an 'Access-Control-Allow-Origin' header
@diracdeltas diracdeltas mentioned this issue Mar 3, 2017
Merged
4 tasks
@bridiver
Copy link
Collaborator

bridiver commented Mar 3, 2017

if this is the issue dbc0796#diff-11e9f7f953edc64ba14b0cc350ae7b9dR82 it is development only for webpack so I don't think the security issue really applies

@diracdeltas
Copy link
Member Author

@bridiver the issue is dbc0796#diff-a533e12744082c16911d52f54573e441R133 and it's in the released builds

@bridiver
Copy link
Collaborator

bridiver commented Mar 4, 2017

yea, I don't think any of those pages need to be in there

diracdeltas added a commit that referenced this issue Mar 7, 2017
@diracdeltas
remove about pages from web_accessible_resources
437213c 
fix #4913

Auditors: @bridiver

Test Plan:
1. open about:preferences and open devtools
2. the top-level HTTP response should not show an 'Access-Control-Allow-Origin' header
This was referenced Mar 14, 2017
Closed
Closed
Closed
Closed
Closed
This was referenced Mar 17, 2017
Closed
Closed
@alexwykoff alexwykoff mentioned this issue Mar 21, 2017
Closed
@alexwykoff alexwykoff changed the title [HackerOne] access-control-allow-origin: * set on about: pages Fixed access-control-allow-origin: * set on about: pages Mar 28, 2017
This was referenced Mar 28, 2017
Closed
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@diracdeltas diracdeltas

Labels
QA/checked-Linux QA/checked-macOS QA/checked-Win32 QA/checked-Win64 QA/test-plan-specified release-notes/include security
Projects
None yet
Milestone
0.14.0
Development

Successfully merging a pull request may close this issue.

remove about:preferences from web_accessible_resources brave/browser-laptop
7 participants
@bridiver @diracdeltas @bbondy @alexwykoff @luixxiul @srirambv @cndouglas