Jul 10, 2023
Tom Ritter authored · 839b718a
Bug 1830070: Correctly apply RFP Checks to about: documents and deal with pop-ups (ESR) r=smaug,emilio, a=dsmith
      
      
      This patch has three parts to it, in addition to the many tests
      it adds:
      
      1) Use NS_IsContentAccessibleAboutURI to ensure that only safe
         about: documents get exempted.
      
         With this change, we will no longer allow about:blank or
         about:srcdoc to be exempted based on URI.  If they are to be
         exempted, it will need to be based on other information.
      
      2) In Document::RecomputeResistFingerprinting we previously
         deferred to a Parent Document if we had one, and either the
         principals matched or we were a null principal.
      
         We will do the same thing, except we will also defer to our
         opener as well as the parent document.  Now about:blank
         documents can be exempted.
      
         However, this deferral only works if the opener is
         same-process. For cross-process openers, we make the decision
         ourselves.
      
      We can make the wrong decision though. CookieJarSettings is
      inherited through iframes but it is _not_ inherited through popups.
      (Yet. There's some discussion there, but it's not implemented.)
      
      Conceptually, however, we do want CJS to inherit, and we do want
      RFP to inherit as well.  Because a popup can collude with its
      opener to bypass RFP and Storage restrictions, we should propagate
      the CJS information.
      
      This does lead to an unusual situation: if you have exempted
      b.com, and a.com (which is not exempted) creates a popup for b.com
      then that popup will not be exempted.  But an open tab for b.com
      would be.  And it might be hard to tell those two apart, or why
      they behave differently.
      
      The third part of the patch:
      
      3) In LoadInfo we want to populate information down from the
         opener to the popup.  This is needed because otherwise a
         cross-origin popup will not defer to its opener (because in
         Fission they're in different processes) and will decide if
         it should be exempted itself. It's the CookieJarSettings
         object that prevents the cross-origin document from thinking
         it should be exempted - CJS tells it 'No, you're a child
         (either a subdocument or a popup) and if I say you don't get
         an exemption, you don't.'
      
      
      Finally, there is one more caveat: we can only defer to a parent
      document or opener if it still exists.  A popup may outlive its
      opener. If that happens, and something induces a call to
      RecomputeResistFingerprinting, then (e.g.) an about:blank popup
      may lose an RFP exemption that it had received from its parent.
      This isn't expected to happen in practice -
      RecomputeResistFingerprinting is only called on document creation
      and pref changes I believe.
      
      It is not possible for a popup to _gain_ an exemption though,
      because even if the parent document is gone, the CJS lives on and
      restricts it.
      
      Differential Revision: https://phabricator.services.mozilla.com/D183189
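The decision rules the commit message describes (URI-based exemption for safe about: documents, deferral to a live same-process parent or opener, and a CookieJarSettings that can only deny) as a small Python model. This is an added illustration, not Mozilla's code: `SAFE_ABOUT`, `open_tab`, `open_popup`, the `exempt` flag on the CJS stand-in and the simplified principal check are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

EXEMPT_DOMAINS = {"b.com"}          # constructed: the user has exempted b.com
SAFE_ABOUT = {"about:preferences"}  # assumed stand-in for content-accessible about: URIs
NULL_PRINCIPAL = {"about:blank", "about:srcdoc"}

@dataclass
class CookieJarSettings:
    exempt: bool  # inherited by iframes and, per part 3, handed to popups via LoadInfo

@dataclass
class Document:
    uri: str
    process: int
    cjs: CookieJarSettings
    parent: Optional["Document"] = None
    opener: Optional["Document"] = None
    exempt: bool = False

def origin(uri: str) -> str:
    return uri.split("/")[2] if "://" in uri else uri

def exempt_by_uri(uri: str) -> bool:
    # Part 1: only safe about: URIs qualify; about:blank / about:srcdoc never do by URI alone.
    if uri.startswith("about:"):
        return uri in SAFE_ABOUT
    return origin(uri) in EXEMPT_DOMAINS

def recompute_resist_fingerprinting(doc: Document) -> bool:
    # Part 2: defer to a live, same-process parent or opener when the
    # principals match or we are a null-principal document.
    for anc in (doc.parent, doc.opener):
        if anc is not None and anc.process == doc.process and (
                origin(anc.uri) == origin(doc.uri) or doc.uri in NULL_PRINCIPAL):
            doc.exempt = anc.exempt
            return doc.exempt
    # Otherwise decide ourselves; the inherited CJS can deny but never grant (part 3).
    doc.exempt = exempt_by_uri(doc.uri) and doc.cjs.exempt
    return doc.exempt

def open_tab(uri: str, process: int) -> Document:
    # Assumption: a fresh top-level tab gets a CJS reflecting its own URI decision.
    doc = Document(uri, process, CookieJarSettings(exempt=exempt_by_uri(uri)))
    recompute_resist_fingerprinting(doc)
    return doc

def open_popup(opener: Document, uri: str, process: int) -> Document:
    # LoadInfo carries the opener's CJS down to the popup, even cross-process.
    doc = Document(uri, process, opener.cjs, opener=opener)
    recompute_resist_fingerprinting(doc)
    return doc
```

Running `open_popup(open_tab("https://a.com/", 2), "https://b.com/", 3)` reproduces the "unusual situation" from the message: the b.com popup is not exempted although a b.com tab is, and an about:blank popup that loses its opener can lose, but never gain, an exemption on recompute.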