Hi Jordan,

Thanks so much for bringing this to our attention.

I went through the test suite on both desktop Firefox and mobile Fennec. I did not see any failures. The tests can be confusing. For instance, test 8 has alert boxes with a message that indicates it might have failed. However, a close read of the instructions on the page indicates to the contrary, and it appears that - all things considered - no SOP violation has occurred.

If you have seen anything to the contrary, please contact me directly and I'd be more than happy to take another look.

Best,
Matt

On Mon, Jul 11, 2016 at 5:42 PM, Michael Comella <michael.l.come...@gmail.com> wrote:

> Hey Jordan.
>
> Thanks for the feedback – I'll pass this on to Matt, who's on the security
> team.
> - Mike (:mcomella)
>
> On Sat, Jul 9, 2016 at 6:06 AM, Jordan Johnston <johnstonljor...@gmail.com>
> wrote:
>
>> Hi,
>>
>> Recently, I watched a Black Hat conference talk on YouTube entitled
>> "Bypassing Browser Security Policies For Fun And Profit", found here:
>>
>> https://www.youtube.com/watch?v=P5R4KeCzO-Q
>>
>> It would seem that many mobile browsers are susceptible to these types of
>> attacks and I was curious how Fennec (built from source a couple of days
>> ago) stacked up and if it would be vulnerable to the Same Origin Policy
>> bypass issues discussed in the talk. I went ahead and downloaded the
>> SOP-Bypass-Mini-Test-Suite from GitHub, found here:
>>
>> https://github.com/rafaybaloch/SOP-Bypass-Mini-Test-Suite
>>
>> Fennec did pass many tests, but there did seem to be a number of tests
>> that it did fail. I'm definitely not the person to address these issues,
>> but I thought I might point it out, as maybe someone within Mozilla working
>> on mobile might be interested in having a look.
>>
>> Anyway, I just thought I would point it out.
>>
>> Thanks and take care
>>
>> Jordan
>>
>> _______________________________________________
>> mobile-firefox-dev mailing list
>> mobile-firefox-dev@mozilla.org
>> https://mail.mozilla.org/listinfo/mobile-firefox-dev