Closed Bug 1085214 Opened 11 years ago Closed 3 months ago

Implement Location.ancestorOrigins

Categories

(Core :: DOM: Window and Location, enhancement, P3)

Product:
Core
Component:
DOM: Window and Location
Type:
enhancement
Points:
2

Tracking

()

Status:
RESOLVED FIXED
Milestone:
148 Branch
Project Flags:
Webcompat Priority P3
Tracking Flags:
Tracking Status
relnote-firefox --- 148+
firefox148 --- fixed

People

(Reporter: erik, Assigned: sfarre)

References

(Blocks 1 open bug,
URL
)

Details

(4 keywords, Whiteboard: [domcore-bugbash-triaged][platform-feature], [wptsync upstream])

User Story

user-impact-score:200
platform-scheduled:2025-12-31

Attachments

(2 files, 2 obsolete files)

Bug 1085214 - Implement location.ancestorOrigins r=smaug!
48 bytes, text/x-phabricator-request
Details | Review
CleanShot 2025-12-19 at 07.57.47.png
606.47 KB, image/png
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:33.0) Gecko/20100101 Firefox/33.0 Build ID: 20141011015303 Steps to reproduce: This is a request to implement location.ancestorOrigins like in webkit: https://bugs.webkit.org/show_bug.cgi?id=83493 The number of changes required in webkit were quite small; https://bug-83493-attachments.webkit.org/attachment.cgi?id=136361 This feature is very useful to check which parent domains you are running in and acting on this information. Expected results: location.ancestorOrigins should contain a read-only array of hostnames for all the parent frames.
There's no specification for this yet. It's being tracked at https://www.w3.org/Bugs/Public/show_bug.cgi?id=22699.
This is pretty easy to implement if we want to. The question is whether we want to. It leaks cross-site information that we may not really want to leak.
Yes, I think we should do this. It seems more important, from a security point of view, to me to enable content to ensure that they are only embedded by those that it expects to be embedded by, than it is to enable content to embed others "anonymously". But of course this requires a security review.
Flags: sec-review?
Flags: sec-review? → sec-review?(dveditz)
Pages can already "ensure it's only embedded by those it expects" using CSP or postMessage. Adding an API with confusing privacy implementations doesn't seem necessary to me. I might be okay with this if it were opt-in for each ancestor.
Such an API could alert a website if they are being iframed by a site they do not expect to be iframed by. Perhaps they haven't implemented CSP and don't have whitelist of frame-ancestors they should include in the header. location.ancestorOrigins could help them compile that. I feel like I'm missing the privacy concern with doing this. I see that we are leaking information about what websites frame content, but we aren't leaking information about the user. Needinfo'ing Dan because I'm not sure he's looking at the sec-review queue.
Flags: needinfo?(dveditz)
What is possible with ancestorOrigins is not possible with CSP or postMessage. Also there is nothing confusing about it, it just gives you the domain of every parent all the way up to the origin. It's only the hostname so I don't see how this leaks any privacy related information. If someone could give me some hints at where to look I could take a shot at implementing this.
There is quite a difference between "Only allow framing from x,y,z" (CSP) and "tell me where else this user goes" (this). There is no other case where we allow a web page to read non-same-origin location data. What can you do with ancestorOrigins that you can't do with CSP's whitelist approach other than blacklist specific parents? You know how security guys feel about blacklists vs whitelists. Do you have any example pages that show this feature being used to good effect? Presumably you have examples if you think we need it. According to the webkit bug one use is to work around other non-standard webkit behavior (bug) that wouldn't be an issue in Firefox. Making more information of this type available is going in the opposite direction of where we're heading with features to control the sending of referrers. Not quite the same, but does make me wonder if we'll then end up having to implement ancestorOrigin-stripping features. There are already people asking about it: http://stackoverflow.com/questions/26046030/change-window-location-ancestororigins This feature's use is unfortunately not measured (or at least not published) by Chrome: https://www.chromestatus.com/metrics/feature/popularity
Flags: needinfo?(dveditz)
Dan: our use case is as follows. We offer some embeddable content that for some reasons we don't want embedded in specific websites (domains with a specific category, so a blacklist). We used to use referrers for this. But people found out that if they use an allowed domain in between (so iframe in iframe) they could get around this referrer check. CSP is no use for is in this case. The only way we could detect the real domain our content is embedded in is ancestorOrigin. I'm guessing the stackoverflow question you linked is someone trying to get around this protection.
Do we actually want location.ancestorOrigins to be DOMStringList?
The Link.cpp changes and URL.cpp changes are definitely not needed. The attribute should be placed on Location, not on URLUtils. Also, what's with the nsGlobalWindow.cpp changes? You shouldn't change nsIDOMLocation at all. As for the return value... what does Chrome actually do here? We should either copy that or use a [Cached] sequence<DOMString>.
Won't compile without Link.cpp / URL.cpp support. All other attributes are placed in URLUtils, not Location. nsGlobalWindow.cpp changes to be ignored, will be removed. 0:13.73 ./URLBinding.cpp:317:9: error: no member named 'GetAncestorOrigins' in 'mozilla::dom::URL' URLBinding seems to be auto-generated. Difficult to look through it all. WebIDL, *Binding, ... Chrome is using DOMStringList, but nobody seems to like it.
Patch works, tho.
> Won't compile without Link.cpp / URL.cpp support. It will if you don't mess with URLUtils. > All other attributes are placed in URLUtils, not Location. You mean except the methods on Location? In any case, you should look at the specs: https://url.spec.whatwg.org/#api and https://html.spec.whatwg.org/multipage/browsers.html#the-location-interface -- which one is the attribute on? ;) > URLBinding seems to be auto-generated. Yes, from the webidl. Again, don't change URLUtils.
zulla, great work. Is there any reason why you didn't implement it like a DOMStringList or at least some kind of array with all the parents like it is implemented in webkit?
Any update on this?
(In reply to Erik Dubbelboer from comment #8) > Dan: our use case is as follows. We offer some embeddable content that for > some reasons we don't want embedded in specific websites (domains with a > specific category, so a blacklist). We used to use referrers for this. But > people found out that if they use an allowed domain in between (so iframe in > iframe) they could get around this referrer check. Well, ancestorOrigins wouldn't protect from using window.open(). Some 'bad origin' window.opens 'good origin' which embeds the iframe. 'bad origin' communicates with 'good origin' the same way as in iframe case (postMessage).
(In reply to Olli Pettay [:smaug] from comment #19) > Well, ancestorOrigins wouldn't protect from using window.open(). > Some 'bad origin' window.opens 'good origin' which embeds the iframe. > 'bad origin' communicates with 'good origin' the same way as in iframe case > (postMessage). This wouldn't really be embedding by the 'bad origin' then, it would be a whole new window from the `good origin` so that's fine by us.
The unfortunate state of the world today is that there's no one cross-browser solution if you want to prevent iframing of your content selectively. CSP frame-ancestors is implemented by Chrome and Firefox. XFO ALLOW-FROM is implemented by Edge and Firefox. ancestorOrigins is implemented by Safari and Chrome. While I'd love to see Safari and Edge support frame-ancestors, it would be very useful for Firefox to also support ancestorOrigins. I think the argument that lack of it hasn't stopped any websites from operating can be turned around just as effectively - that it's longstanding presence in Webkit based browsers hasn't led to any privacy disasters, either.
Is there any update on this since it's now in https://html.spec.whatwg.org/multipage/browsers.html#dom-location-ancestororigins ?
The spec as written constitutes an unnacceptable privacy leak and we have communicated this clearly and repeatedly to the spec editors. We're not going to implement it in its current form, just like we would not implement a spec that required web sites to be able to read all of a user's locally stored data. There is a spec issue tracking changing the spec to be acceptable at https://github.com/whatwg/html/issues/1918 and we will implement the resulting spec once that issue is resolved.
Depends on: 1400501
Flags: sec-review?(dveditz)

FWIW, https://github.com/whatwg/html/pull/2480 has a proposal for a revised specification and https://github.com/web-platform-tests/wpt/pull/5402 has tests. (They are about a year old, might need rebasing. Happy to help if we prioritize this.)

Status: UNCONFIRMED → NEW
Component: DOM: Navigation → DOM: Window and Location
Ever confirmed: true
Type: defect → enhancement

Anne, do we want to implement this?

kmag says this should be easy to implement because we have WebExtension code that implements something similar.

Severity: normal → --
Flags: needinfo?(annevk)
OS: macOS → All
Hardware: x86 → All

We discussed this feature in the privacy team as it came up at https://github.com/privacycg/storage-partitioning/issues/14 as well. bz's concern about passive trackers is very much alive so we would have to mitigate that if we were to expose this. In particular, if there's no passive way (referrer) for an embedded site to know its parent, this should not reveal the parent to an embedded site.

If we apply that strictly, this would tell you at most about your parent and the only information you would get about further ancestors is how many there are.

This is even further complicated when an embedded site is navigated as the site being navigated to would never know about its parent (other than that one exists).

I'm not sure if that meets the use cases you envision for this feature.

(The HTML Standard PR doesn't account for some of these considerations and would have to be redone, if we were to pursue this further.)

Flags: needinfo?(annevk)

From the webcompat side of things, PG Slots is (accidentally?) treating location.ancestorOrigins as though it exists, but may be zero-length. This seems to just be a coding oversight, as they have fallback code which is just not correctly being falled-back-upon. Thankfully this seems to be a one-off case rather than an obviously-shared code snippet circulating online.

See Also: → https://webcompat.com/issues/63419
Severity: -- → S3
Priority: -- → P3
Webcompat Priority: --- → ?

WebCompat P3, but we'll bump it higher if we see more critical breakage in the wild.

Webcompat Priority: ? → P3

Really interested in having this feature in Firefox too. Looking forward to it!
I hope P3 means soon : )

Depends on: 1892803
Blocks: 1892803
No longer blocks: 1835377
No longer depends on: 1892803
Keywords: webcompat:platform-bug
Points: --- → 2

While the standards position is still open, there aren't blocking spec issues. Removing the keyword spec-needed.

I have a work-in-progress patch for this which I will attach to the bug after I've had a moment to rebase it.

I think we'll want to consider whether to really expose all origins. Brave is also considering that: https://github.com/brave/brave-browser/issues/33671

In our triage meeting today I missed Comment 23, which indicates that https://github.com/whatwg/html/issues/1918 is a blocker (and there's a PR at https://github.com/whatwg/html/pull/2480 but it looks like it stalled in 2017 or 2018). (I was going to add back the spec-needed keyword but it was still set.)

See Also: → https://github.com/whatwg/html/issues/1918
Whiteboard: [domcore-bugbash-triaged]

(In reply to Simon Pieters [:zcorpan] from comment #32)

In our triage meeting today I missed Comment 23, which indicates that https://github.com/whatwg/html/issues/1918 is a blocker (and there's a PR at https://github.com/whatwg/html/pull/2480 but it looks like it stalled in 2017 or 2018). (I was going to add back the spec-needed keyword but it was still set.)

Adding webcompat:blocked according to comment 32.

Keywords: webcompat:blocked

I found this by looking over an issue with Windows Admin Center (ref: https://github.com/MicrosoftDocs/Windows-Admin-Center-Ideas-and-Feedback/issues/290) where people have discovered that, in that particular case, it can be worked around by either returning an empty array, or by returning the window.location.origin, to the code that tries to utilise the ancestorOrigin object.

Could we potentially, until the situation with the spec and privacy concerns is resolved, use one of these within Firefox to prevent issues where third-party code tries to use the object but has no fallbacks like the Windows Admin Center?

References for people's attempts to hack the Windows Admin Center's code on each WAC installation showing how we might be able to get some third-party apps and sites running again if we did something similar within Firefox directly:

Returning an empty array could work only for top-level frames as an empty window.location.ancestorOrigins could be used as clue no valid ancestor frames are present for subframes.

Returning an array with one or more window.location.origin would only work if the whole frame subtree is same-origin. Otherwise false information would be given to frames.

In all other scenarios it seems best to keep window.location.ancestorOrigins undefined until an implementation is ready and supported.

I've got a working example at https://github.com/theIDinside/firefox/tree/location-ancestor-origins-list - and I intend to also add the newer version of the spec that's being worked on by :zcorpan, today. Is it ok if nick this bug?

(In reply to Simon Farre [:sfarre] from comment #38)

I've got a working example at https://github.com/theIDinside/firefox/tree/location-ancestor-origins-list - and I intend to also add the newer version of the spec that's being worked on by :zcorpan, today. Is it ok if nick this bug?

Thank you, Simon, for your interest in helping with this. It sounds good to me. :) However, I think it would be worth needinfo-ing Tom, given that he mentioned he had WIPs in comment 31.

Flags: needinfo?(twisniewski)

Sure, feel free to grab this bug, Simon. Thanks!

Flags: needinfo?(twisniewski)

Thank you :hsinyi! And cool :twisniewski!

I have new tests written for the spec in it's current form (found at https://github.com/whatwg/html/pull/11560, which might be subject to minor changes). I do wonder who would/should be the reviewer for the patch?

Flags: needinfo?(htsai)

(In reply to Simon Farre [:sfarre] from comment #41)

Thank you :hsinyi! And cool :twisniewski!

I have new tests written for the spec in it's current form (found at https://github.com/whatwg/html/pull/11560, which might be subject to minor changes). I do wonder who would/should be the reviewer for the patch?

If it's new web platform tests, I believe :zcorpan can help.

Flags: needinfo?(htsai)
User Story: (updated)
User Story: (updated)
Assignee: nobody → sfarre
Whiteboard: [domcore-bugbash-triaged] → [domcore-bugbash-triaged][platform-feature]

This implements this attribute on Location and also adheres to the
changes to the spec introduced in
https://github.com/whatwg/html/pull/11560

Tentative tests are also added in this patch.

User Story: (updated)
Keywords: spec-needed, webcompat:blocked
Attachment #9528021 - Attachment description: Bug 1085214 - Implement location.ancestorOrigins r=zcorpan → Bug 1085214 - Implement location.ancestorOrigins r=smaug!
Pushed by sfarre@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/d93f1bc4f1f1 https://hg.mozilla.org/integration/autoland/rev/da5634c079f9 Implement location.ancestorOrigins r=necko-reviewers,webidl,dom-core,smaug,jesup,zcorpan
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/56685 for changes under testing/web-platform/tests
Whiteboard: [domcore-bugbash-triaged][platform-feature] → [domcore-bugbash-triaged][platform-feature], [wptsync upstream]
Pushed by abutkovits@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/cfb40063a45a https://hg.mozilla.org/integration/autoland/rev/4d1d053e8f79 Revert "Bug 1085214 - Implement location.ancestorOrigins r=necko-reviewers,webidl,dom-core,smaug,jesup,zcorpan" for causing failures at location-ancestor-origins.sub.html.

Added ini file to wpt test to enable pref so that the test run with the feature turned on & requested landing for that.

Flags: needinfo?(sfarre)
Pushed by sfarre@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/ec3055a6d507 https://hg.mozilla.org/integration/autoland/rev/38f118c02141 Implement location.ancestorOrigins r=necko-reviewers,webidl,dom-core,smaug,jesup,zcorpan
Pushed by amarc@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/d8eb790ee4bb https://hg.mozilla.org/integration/autoland/rev/18b3759cd423 Revert "Bug 1085214 - Implement location.ancestorOrigins r=necko-reviewers,webidl,dom-core,smaug,jesup,zcorpan" for causing wpt failures @ location-ancestor-origins.sub.html

Backed out for causing wpt failures

Flags: needinfo?(sfarre)
Upstream PR merged by moz-wptsync-bot

I've identified & addressed the issue causing the backout. Submitted new try runs for that and will request new landing if all green.

Flags: needinfo?(sfarre)

Latest try run pushed here: https://treeherder.mozilla.org/jobs?repo=try&landoCommitID=169300 - will land when green.

After discussion on matrix, we will enable this in nightly by default.

Pushed by sfarre@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/7f88f484011c https://hg.mozilla.org/integration/autoland/rev/626bfdb90f3e Implement location.ancestorOrigins r=necko-reviewers,webidl,dom-core,smaug,jesup,zcorpan
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/56805 for changes under testing/web-platform/tests

https://hg.mozilla.org/mozilla-central/rev/626bfdb90f3e

Status: NEW → RESOLVED
Closed: 3 months ago
status-firefox148: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 148 Branch
Upstream PR merged by moz-wptsync-bot

:sfarre, could you consider nominating this for a release note? (Process info)

Flags: needinfo?(sfarre)
Pushed by agoloman@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/accc77502ee5 https://hg.mozilla.org/integration/autoland/rev/79fc433e7198 Revert "Bug 1085214 - Implement location.ancestorOrigins r=necko-reviewers,webidl,dom-core,smaug,jesup,zcorpan" for causing dt failures @browser_dbg-expressions-error.js.

Backed out for causing dt failures @browser_dbg-expressions-error.js. It was hidded by Bug 2006557 until now.

Status: RESOLVED → REOPENED
status-firefox148: fixed → ---
Resolution: FIXED → ---
Target Milestone: 148 Branch → ---
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/56863 for changes under testing/web-platform/tests
Attachment #8616929 - Attachment is obsolete: true
Attachment #8623817 - Attachment is obsolete: true

(In reply to agoloman from comment #62)

Backed out for causing dt failures @browser_dbg-expressions-error.js. It was hidded by Bug 2006557 until now.

Trying to find where it uses location.ancestorOrigins. Is it expecting a result that we now provide differently or what?

Flags: needinfo?(sfarre)

At first review this does not seem to be an error on this patch behalf, but on the test itself, what is the path forward in such a scenario?

Ancestor origins is not used by the failing test: https://searchfox.org/firefox-main/source/devtools/client/debugger/test/mochitest/browser_dbg-expressions-error.js#22

I will look into it further but its surprising if location.ancestorOrigins is the problem and not the test itself.

Flags: needinfo?(agoloman)

Yeah it's difficult to tell what the test actually is testing because it's just magic numbers and no explanation.

I will need-info the people who has worked on it. :nchevobbe you seem to have touched the test, can you explain what's going on? Is this just a matter of bumping the expected number from 37 to 39?

Flags: needinfo?(nchevobbe)

The addExpression stuff uses the location object and most likely gathers own properties for autocomplete or display in the debugger. So it is fairly likely that it changed the expectation of that test fwiw.

(In reply to Emilio Cobos Álvarez [:emilio] from comment #68)

The addExpression stuff uses the location object and most likely gathers own properties for autocomplete or display in the debugger. So it is fairly likely that it changed the expectation of that test fwiw.

Seems likely, right. One for the property of the DOM string list, and one for the getter, would account for the difference of 2. Thanks!

(In reply to Simon Farre [:sfarre] from comment #67)

Yeah it's difficult to tell what the test actually is testing because it's just magic numbers and no explanation.

I will need-info the people who has worked on it. :nchevobbe you seem to have touched the test, can you explain what's going on? Is this just a matter of bumping the expected number from 37 to 39?

The test adds a location watch expression in the debugger and expands it so we have all its properties displayed.
You patch adds ancestorOrigins and we also show the getter node (see screenshot). So yes, we have 2 additional properties now, and we should bump the number from 37 to 39
The same goes for the two failing assertions in devtools/client/debugger/test/mochitest/browser_dbg-expressions.js

Flags: needinfo?(nchevobbe)

The test adds a location watch expression in the debugger and expands it so we have all its properties displayed.
You patch adds ancestorOrigins and we also show the getter node (see screenshot). So yes, we have 2 additional properties now, and we should bump the number from 37 to 39
The same goes for the two failing assertions in devtools/client/debugger/test/mochitest/browser_dbg-expressions.js

Thanks a bunch!

Addressed failing tests & latest/last update to spec.
Try run: https://treeherder.mozilla.org/jobs?repo=try&landoCommitID=170036

Upstream PR merged by moz-wptsync-bot
Flags: needinfo?(agoloman)
Pushed by sfarre@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/b4ac69ad6835 https://hg.mozilla.org/integration/autoland/rev/f3415e167026 Implement location.ancestorOrigins r=necko-reviewers,webidl,dom-core,smaug,jesup,zcorpan,devtools-reviewers,nchevobbe
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/56966 for changes under testing/web-platform/tests

https://hg.mozilla.org/mozilla-central/rev/f3415e167026

Status: REOPENED → RESOLVED
Closed: 3 months ago3 months ago
status-firefox148: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 148 Branch
Upstream PR merged by moz-wptsync-bot

:sfarre, could you consider nominating this for a release note? (Process info)

Flags: needinfo?(sfarre)

Why is this notable:

Adds support for location.ancestorOrigins attribute, with support for the redacted ancestor origins spec that's being finalized.

Affects Firefox for Android:

Support of the attribute is intended for all platforms.

Links:

The current work in progress implementation of the spec that :zcorpan is working on can be found here.

Previous spec iteration of Location.ancestorOrigins is described here

relnote-firefox: --- → ?
Flags: needinfo?(sfarre)

Thanks, added to the Fx148 nightly release notes, please allow 30 minutes for the site to update.
Keeping the relnote-firefox flag as ? to keep it on the radar for inclusion in the final Fx148 release notes.

QA Whiteboard: [qa-triage-done-c149/b148]

The feature is already documented on MDN; I've added a rel note in https://github.com/mdn/content/pull/42826. I think we can therefore consider this one complete in terms of MDN docs requirements.

Keywords: dev-doc-neededdev-doc-complete

Added to the final Fx148 release notes

relnote-firefox: ?148+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: