(In reply to :Ehsan Akhgari from comment #30)

> Hmm, do you mind laying out a set of steps which would allow the first
> approach to be abused? The effective outcome of both patches (I think)
> should be exactly the same, in that inside a moz-extension:// frame from the
> extension in comment 0, any amazon content with any level of nesting will be
> able to load successfully and set tracking cookies in the user's profile...

So, essentially, I'm imagining something like this:

Extension has host permissions `["*://*.amazon.com/", "*://*.facebook.com/"]`. It loads Amazon.com into a frame.

With your suggested approach of using the extension's privileges to determine what Amazon is allowed to load, a Facebook resource loaded into an Amazon product page would be allowed to load without tracking protection, and link the product page view to the user's Facebook identity.

With my suggested approach of treating the Amazon frame as if it were the top-level document, the Facebook frame would load the same way as it would in an Amazon tab, as an isolated third-party resource, with at least some protection against linking the load to the user's identity.
Bug 1509112 Comment 38 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
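The two policies contrasted in the comment, modelled as an added example that is not Firefox's code and not part of the bug thread: a frame chain runs from the top-level document down to the resource being loaded, host permissions are matched on scheme and host only (path handling is omitted, an assumption), and "same site" is approximated by the last two host labels instead of the Public Suffix List (also an assumption). The extension UUID and the Amazon/Facebook URLs are constructed for the demo.

```javascript
// Added model of the two tracking-protection policies discussed above.
// Not Firefox code; all URLs and the extension id below are constructed.

// Host permissions quoted from the comment.
const EXTENSION_HOST_PERMS = ["*://*.amazon.com/", "*://*.facebook.com/"];

function isExtensionFrame(url) {
  return url.startsWith("moz-extension://");
}

// Registrable-domain heuristic: last two labels. Real code consults the
// Public Suffix List; this simplification is an assumption for the demo.
function site(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

function isThirdPartyTo(topUrl, url) {
  return site(topUrl) !== site(url);
}

// WebExtension-style host permission match on scheme and host only.
function hostPermissionMatches(pattern, url) {
  const m = /^(\*|https?|wss?|ftp):\/\/(\*|(?:\*\.)?[^/*]+)\//.exec(pattern);
  if (!m) return false;
  const [, scheme, hostPat] = m;
  const u = new URL(url);
  const urlScheme = u.protocol.slice(0, -1);
  const schemeOk = scheme === "*" ? urlScheme === "http" || urlScheme === "https"
                                  : scheme === urlScheme;
  if (!schemeOk) return false;
  if (hostPat === "*") return true;
  if (hostPat.startsWith("*.")) {
    const base = hostPat.slice(2);
    return u.hostname === base || u.hostname.endsWith("." + base);
  }
  return u.hostname === hostPat;
}

// Policy A: a load nested anywhere under a moz-extension:// frame is exempt
// from the third-party check when the extension holds a matching host
// permission. Otherwise third-partiness is judged against the real top frame.
function treatedAsThirdPartyA(chain, hostPerms) {
  const target = chain[chain.length - 1];
  const underExtension = chain.slice(0, -1).some(isExtensionFrame);
  if (underExtension && hostPerms.some(p => hostPermissionMatches(p, target))) {
    return false;
  }
  return isThirdPartyTo(chain[0], target);
}

// Policy B: the first non-extension frame below the nearest extension frame
// is treated as the top-level document for the third-party check.
function treatedAsThirdPartyB(chain) {
  const target = chain[chain.length - 1];
  let top = chain[0];
  for (let i = chain.length - 2; i >= 0; i--) {
    if (isExtensionFrame(chain[i])) { top = chain[i + 1]; break; }
  }
  if (isExtensionFrame(top)) return false; // the extension's own page
  return isThirdPartyTo(top, target);
}

// Constructed scenario from the comment: extension frame -> Amazon product
// page -> Facebook resource. Also the same load in a plain Amazon tab.
function demo() {
  const EXT = "moz-extension://0123abcd-0000-4000-8000-000000000001/page.html";
  const amazon = "https://www.amazon.com/dp/B000EXAMPLE";
  const facebook = "https://www.facebook.com/plugins/like.php";
  const inExtension = [EXT, amazon];
  const nested = [EXT, amazon, facebook];
  const plainTab = [amazon, facebook];
  return {
    amazonUnderExtension: {
      A: treatedAsThirdPartyA(inExtension, EXTENSION_HOST_PERMS),
      B: treatedAsThirdPartyB(inExtension),
    },
    facebookUnderAmazonUnderExtension: {
      A: treatedAsThirdPartyA(nested, EXTENSION_HOST_PERMS),
      B: treatedAsThirdPartyB(nested),
    },
    facebookInAmazonTab: {
      A: treatedAsThirdPartyA(plainTab, EXTENSION_HOST_PERMS),
      B: treatedAsThirdPartyB(plainTab),
    },
  };
}
```

Both policies agree on the Amazon frame itself (not third-party, so it loads and can set cookies). They diverge only on the Facebook resource nested inside Amazon: policy A exempts it because the extension holds a `*.facebook.com` host permission, while policy B classifies it as third-party relative to Amazon, exactly as a plain Amazon tab would.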