Thanks for the detailed report Alesandro and taking the time to investigate this! I agree with Gijs that navigation redirects to custom schemes are very likely so the conservative fix would be to ensure the dialog shows the correct origin. I suppose we could add telemetry to see how often it happens that a cross-origin navigation does such a redirect, but I'd still expect that to be common enough that we cannot break it. (If Chrome pursues this that would change our options.) I don't think that's ideal as dialogs showing different origins from the address bar is bad and from that perspective showing a blank page (or mostly opaque) overlay would be attractive, but I'm not sure how feasible that is. Probably not feasible for a short term fix. (Another dialog not mentioned above that is relevant here is downloads, but we use the final URL there as well.)
Bug 1705211 Comment 14 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Thanks for the detailed report Alesandro and taking the time to investigate this! I agree with Gijs that navigation redirects to custom schemes are very likely so the conservative fix would be to ensure the dialog shows the correct origin. I suppose we could add telemetry to see how often it happens that a cross-origin navigation does such a redirect, but I'd still expect that to be common enough that we cannot break it. (If Chrome pursues this that would change our options. Mike West kindly added me to their issue and they don't have a plan yet. I'll relay if that changes and brief them on our thinking once we settle on something.) I don't think that's ideal as dialogs showing different origins from the address bar is bad and from that perspective showing a blank page (or mostly opaque) overlay would be attractive, but I'm not sure how feasible that is. Probably not feasible for a short term fix. (Another dialog not mentioned above that is relevant here is downloads, but we use the final URL there as well.)