Forked from The Tor Project / Applications / Mullvad Browser
    839b718a
    Tom Ritter authored
    Bug 1830070: Correctly apply RFP Checks to about: documents and deal with pop-ups (ESR) r=smaug,emilio, a=dsmith
    
    
    This patch has three parts to it, in addition to the many tests
    it adds:
    
    1) Use NS_IsContentAccessibleAboutURI to ensure that only safe
       about: documents get exempted.
    
       With this change, we will no longer allow about:blank or
       about:srcdoc to be exempted based on URI.  If they are to be
       exempted, it will need to be based on other information.
    
    2) In Document::RecomputeResistFingerprinting we previously
       deferred to a Parent Document if we had one, and either the
       principals matched or we were a null principal.
    
       We will do the same thing, except we will also defer to our
       opener as well as the parent document.  Now about:blank
       documents can be exempted.
    
       However, this deferral only works if the opener is
       same-process. For cross-process openers, we make the decision
       ourselves.
    
    We can make the wrong decision though. CookieJarSettings is
    inherited through iframes but it is _not_ inherited through popups.
    (Yet. There's some discussion there, but it's not implemented.)
    
    Conceptually, however, we do want CJS to inherit, and we do want
    RFP to inherit as well.  Because a popup can collude with its
    opener to bypass RFP and Storage restrictions, we should propagate
    the CJS information.
    
    This does lead to an unusual situation: if you have exempted
    b.com, and a.com (which is not exempted) creates a popup for b.com
    then that popup will not be exempted.  But an open tab for b.com
    would be.  And it might be hard to tell those two apart, or why
    they behave differently.
    
    The third part of the patch:
    
    3) In LoadInfo we want to populate information down from the
       opener to the popup.  This is needed because otherwise a
       cross-origin popup will not defer to its opener (because in
       Fission they're in different processes) and will decide if
       it should be exempted itself. It's the CookieJarSettings
       object that prevents the cross-origin document from thinking
       it should be exempted - CJS tells it 'No, you're a child
       (either a subdocument or a popup) and if I say you don't get
       an exemption, you don't.'
    
    
    Finally, there is one more caveat: we can only defer to a parent
    document or opener if it still exists.  A popup may outlive its
    opener. If that happens, and something induces a call to
    RecomputeResistFingerprinting, then (e.g.) an about:blank popup
    may lose an RFP exemption that it had received from its parent.
    This isn't expected to happen in practice -
    RecomputeResistFingerprinting is only called on document creation
    and pref changes I believe.
    
    It is not possible for a popup to _gain_ an exemption though,
    because even if the parent document is gone, the CJS lives on and
    restricts it.
    
    Differential Revision: https://phabricator.services.mozilla.com/D183189
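As an added illustration (not Firefox's code and not part of this commit), the following Python model walks through the deferral rules the message describes: exempt safe about: URIs, defer to a same-process parent or opener when principals match or the document has a null principal, otherwise decide locally but let the propagated CookieJarSettings veto the exemption. The classes, the exemption set and the "safe about:" set are constructed stand-ins.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed policy: only b.com is exempted from RFP (stand-in for the pref list).
EXEMPT_DOMAINS = {"b.com"}

def is_content_accessible_about_uri(uri: str) -> bool:
    """Stand-in for NS_IsContentAccessibleAboutURI. about:blank and about:srcdoc are
    deliberately absent, so they can only be exempted by deferring to a parent/opener."""
    return uri in {"about:logo"}  # hypothetical "safe" set, not Firefox's real list

@dataclass
class CookieJarSettings:
    # Stand-in for the CJS data the patch propagates from opener to popup (part 3).
    # None = top-level document; False = the creator said "no exemption for you".
    creator_exempted: Optional[bool] = None

@dataclass
class Document:
    uri: str
    principal: Optional[str]                  # None models a null principal
    parent: Optional["Document"] = None       # same-process parent document, if any
    opener: Optional["Document"] = None       # only set when the opener is same-process
    cjs: CookieJarSettings = field(default_factory=CookieJarSettings)

def recompute_resist_fingerprinting(doc: Document) -> bool:
    """Return True if `doc` is exempted from RFP under the rules described above."""
    if is_content_accessible_about_uri(doc.uri):
        return True                                        # part 1: safe about: page
    for creator in (doc.parent, doc.opener):               # part 2: defer if same-process
        if creator is not None and (doc.principal is None or doc.principal == creator.principal):
            return recompute_resist_fingerprinting(creator)
    # Cross-process, differing principals, or creator already gone: decide ourselves ...
    exempt = urlsplit(doc.uri).hostname in EXEMPT_DOMAINS
    # ... but the CJS propagated from the creator can only take an exemption away.
    if doc.cjs.creator_exempted is False:
        exempt = False
    return exempt

def open_popup(opener: Document, uri: str, principal: Optional[str],
               same_process: bool) -> Document:
    """Model window.open(): the popup inherits the opener's verdict via CJS; a
    same-process opener is also kept as a reference so the popup can defer to it."""
    cjs = CookieJarSettings(creator_exempted=recompute_resist_fingerprinting(opener))
    return Document(uri, principal, opener=opener if same_process else None, cjs=cjs)
```

Running the cases from the message: a b.com tab is exempted, a cross-process b.com popup opened from a.com is not, and an about:blank popup whose opener has gone away loses its inherited exemption but can never gain one.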