Closed
Bug 1111787
Opened 10 years ago
Closed 10 years ago
"Forget This Site" command should clear EME salt values associated with the forgotten origin
Categories
(Core :: Audio/Video, defect)
Core
Audio/Video
Tracking
()
RESOLVED
FIXED
mozilla37
People
(Reporter: cpeterson, Assigned: jwwang)
References
(Blocks 2 open bugs)
Details
Attachments
(3 files, 5 obsolete files)
5.34 KB,
patch
|
cpearce
:
review+
|
Details | Diff | Splinter Review |
6.82 KB,
patch
|
jwwang
:
review+
|
Details | Diff | Splinter Review |
13.83 KB,
patch
|
jwwang
:
review+
|
Details | Diff | Splinter Review |
We should clear a salt if the user wants to forget about either of the origins in the origin pair associated with a salt.
Comment 1•10 years ago
|
||
We should clear storage associated with the salt too, since it can't be accessed anymore.
Comment 2•10 years ago
|
||
Start here: http://mxr.mozilla.org/mozilla-central/source/toolkit/forgetaboutsite/ForgetAboutSite.jsm#46
Reporter | ||
Comment 3•10 years ago
|
||
See also: W3 EME Bug 27166 - All identifiers associated with a user should be clearable in the same way cookies are https://www.w3.org/Bugs/Public/show_bug.cgi?id=27166
Comment 4•10 years ago
|
||
JW: Can you take this bug? I think you could do this by adding code to ForgetAboutSite.jsm to get the mozIGeckoMediaPluginService, and call a function on it (which you'll have to add and implement) that clears all storage and nodeIds for a given origin.
Flags: needinfo?(jwwang)
Assignee | ||
Comment 6•10 years ago
|
||
So all I need to do is delete these folders: 1. $profileDir/gmp/id/$hash/ where $hash is generated by the origin pair 2. $profileDir/gmp/storage/$nodeId/ where $nodeId is the salt generated for the origin pair right?
Comment 7•10 years ago
|
||
Yes. You'll need to enumerate over $profileDir/gmp/id/* to check whether $profileDir/gmp/id/*/origin or $profileDir/gmp/id/*/topLevelOrigin match the origin being forgotten.
Assignee | ||
Comment 8•10 years ago
|
||
Patch part 1: delete the direcotry for the origin pair when "forget this site" is invoked. More to come in next patch.
Attachment #8539040 -
Flags: review?(cpearce)
Comment 9•10 years ago
|
||
Comment on attachment 8539040 [details] [diff] [review] 1111787_part1_forget_this_site-v1.patch Review of attachment 8539040 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/media/gmp/GMPService.cpp @@ +933,5 @@ > static nsresult > ReadFromFile(nsIFile* aPath, > const nsCString& aFileName, > nsCString& aOutData, > + int32_t aMaxLength = INT_MAX) I don't think you should allow reading up to INT_MAX characters at once. If there happens to be a bad file being read, we could run out of memory. i.e. don't specify "= INT_MAX" default value here. @@ +1145,5 @@ > +MatchOrigin(nsIFile* aPath, const nsACString& aMatch) > +{ > + nsresult rv; > + nsCString str; > + rv = ReadFromFile(aPath, NS_LITERAL_CSTRING("origin"), str); The max length for a valid textual representation of a domain name is 253 characters: http://en.wikipedia.org/wiki/Domain_Name_System#Domain_name_syntax I suggest you pass 253 here instead of implicitly passing INT_MAX. @@ +1187,5 @@ > + > + // $profileDir/gmp/id/$hash > + nsCOMPtr<nsIFile> dirEntry(do_QueryInterface(supports, &rv)); > + ERR_CONT(rv); > + You probably should `continue` here if !dirEntry->IsDirectory(). ::: dom/media/gmp/mozIGeckoMediaPluginService.idl @@ +98,5 @@ > > /** > + * Clears storage data associated with the origin. > + */ > + void forgetThisSite(in AString origin); This changes the vtable on the mozIGeckoMediaPluginService interface. You need to run `./mach update-uuids mozIGeckoMediaPluginService` to ensure that the IID of the interface changes, else extensions and/or other code that was compiled under the old interface layout/ABI won't be foreced to recompile and will break in non-obvious ways.
Attachment #8539040 -
Flags: review?(cpearce) → review+
Assignee | ||
Comment 10•10 years ago
|
||
Thanks for the review. Address comments in comment 9.
Attachment #8539040 -
Attachment is obsolete: true
Attachment #8539966 -
Flags: review+
Assignee | ||
Comment 11•10 years ago
|
||
Part 2 - add ability to check whether GMPParent is accessing storage of a particular node ID. This feature is needed by patch part 3 which needs to delete some of GMPParents which are accessing storage data for a particular node IDs.
Attachment #8540500 -
Flags: review?(cpearce)
Assignee | ||
Comment 12•10 years ago
|
||
Part 3 - Clear plugis and storage data associated with the node IDs.
Attachment #8540501 -
Flags: review?(cpearce)
Comment 13•10 years ago
|
||
Comment on attachment 8540500 [details] [diff] [review] 1111787_part2_add_IsAccessingStorageForNodeId_to_GMPParent-v1.patch Review of attachment 8540500 [details] [diff] [review]: ----------------------------------------------------------------- I don't think we should only kill plugins that happen to have a record open at the time that we are running the "forget about this site" algorithm. The GMPs are probably unlikely to keep their records open; I'd expect them to open, read or write, then close. So we'd be likely to miss detecting GMPs that have accessed storage this way. The reason why the code that you're changing here recorded whether a GMP had ever accessed storage was because I was worried that a GMP could write data to disk after we've cleared its storage that is dependent on state the GMP holds in memory, so the GMP's storage on disk count end up in an inconsistent, as far as it sees it anyway. Also, if you clear the nodeId mapping (which you do in patch 1), but don't clear the stored records (which you do in patch 3), the stored records aren't accessible if a GMP for the same origins are re-created, as they'll have a different nodeId/salt. So it doesn't make sense to clear the nodeId/salt but not clear the records themselves, as the records themselves will then effectively "leak". So, I think we should be more aggressive. We should just kill all GMPs that match the nodeId, regardless of whether or not they have accessed storage or have records open. We should be able to rely on the existing shutdown code to ensure that no I/O can succeed while we're shutting down a GMP. That means we can remove the HasAccessedStorage() logic. So, please do the following: * Remove the HasAccessedStorage() logic. * Shutdown all plugins have nodeIds for the origin being cleared.
Attachment #8540500 -
Flags: review?(cpearce) → review-
Comment 14•10 years ago
|
||
Comment on attachment 8540501 [details] [diff] [review] 1111787_part3_clear_plugins_storage-v1.patch Review of attachment 8540501 [details] [diff] [review]: ----------------------------------------------------------------- Just kill all plugins that match the nodeIds. ::: dom/media/gmp/GMPService.cpp @@ +1276,5 @@ > } > > + // Kill all plugins associated with the node IDs. > + KillPluginsForStorage(nodeIDsToClear); > + We also need to remove the NodeId from the mPersistentStorageAllowed hash table.
Attachment #8540501 -
Flags: review?(cpearce) → review-
Assignee | ||
Comment 15•10 years ago
|
||
(In reply to Chris Pearce (:cpearce) (PTO until 5 Jan) from comment #13) > I don't think we should only kill plugins that happen to have a record open > at the time that we are running the "forget about this site" algorithm. The > GMPs are probably unlikely to keep their records open; I'd expect them to > open, read or write, then close. So we'd be likely to miss detecting GMPs > that have accessed storage this way. We want to delete GMPs that are accessing storage data to prevent inconsistency. We don't want GMPStorageParents stay alive while their underlying data is wiped out. ($profileDir/gmp/storage/$nodeId/ is deleted in patch 3) If a GMP opens, reads/writes and then closes before "Forget this site", we don't have the problem of inconsistency. All the storage data in $profileDir/gmp/storage/$nodeId/ is still cleared. I think that should be fine. However, come to think about it again, I find GMPParent::mNodeId is still kept in the memory after "Forget this site". If we create a GMPStorageParent with that node ID later, we will create inconsistency since the node ID shouldn't be used anymore. So, yes, you are right. We should delete GMPs that match the nodeId no matter they accessed the storage or not since mNodeId shouldn't be used anymore.
Assignee | ||
Comment 16•10 years ago
|
||
Btw, in GeckoMediaPluginService::ClearStorage(), we should delete all GMPParents which return false for CanBeSharedCrossNodeIds(), right? A GMPParent without node ID will not access storage data. It is fine not kill it.
Assignee | ||
Comment 17•10 years ago
|
||
1. Remove the HasAccessedStorage() logic. 2. Kill any plugin that has a valid nodeId when ClearStorage() is invoked.
Attachment #8540500 -
Attachment is obsolete: true
Attachment #8540501 -
Attachment is obsolete: true
Attachment #8542003 -
Flags: review?(cpearce)
Updated•10 years ago
|
Attachment #8542003 -
Flags: review?(cpearce) → review+
Assignee | ||
Comment 18•10 years ago
|
||
Clear plugis and storage data associated with the node IDs.
Attachment #8542385 -
Flags: review?(cpearce)
Comment 19•10 years ago
|
||
Comment on attachment 8542385 [details] [diff] [review] 1111787_part3_clear_plugins_storage-v2.patch Review of attachment 8542385 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/media/gmp/GMPService.cpp @@ +1163,5 @@ > +template<typename T> static void > +KillPlugins(const nsTArray<nsRefPtr<GMPParent>>& aPlugins, > + Mutex& aMutex, T&& aFilter) > +{ > + // Shutdown all plugins that have matching node IDs as those IDs will become The comment mentions matching nodeIds, but reality is that this function kills plugins that pass the filter function; the comment is inaccurate.
Attachment #8542385 -
Flags: review?(cpearce) → review+
Assignee | ||
Comment 20•10 years ago
|
||
Adress nits.
Attachment #8542385 -
Attachment is obsolete: true
Attachment #8542448 -
Flags: review+
Assignee | ||
Comment 22•10 years ago
|
||
Yes. I will open another bug for the test case. Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=033cc285fcb0
Flags: needinfo?(jwwang)
Keywords: checkin-needed
Comment 23•10 years ago
|
||
Hi Jw, this patch failed to apply (tried to land part1) and got: Which patches do you want to import? [Default is '1', use '1-3' for all] 1 adding 1111787 to series file renamed 1111787 -> 1111787_part1_forget_this_site-v2.patch applying 1111787_part1_forget_this_site-v2.patch patching file toolkit/forgetaboutsite/ForgetAboutSite.jsm Hunk #1 FAILED at 75 1 out of 1 hunks FAILED -- saving rejects to file toolkit/forgetaboutsite/ForgetAboutSite.jsm.rej could you take a look, thanks!
Flags: needinfo?(jwwang)
Keywords: checkin-needed
Assignee | ||
Comment 24•10 years ago
|
||
rebase part1. Please try again. Thanks.
Attachment #8539966 -
Attachment is obsolete: true
Flags: needinfo?(jwwang)
Attachment #8544329 -
Flags: review+
Assignee | ||
Updated•10 years ago
|
Keywords: checkin-needed
Comment 25•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/7ff735f32aac https://hg.mozilla.org/integration/mozilla-inbound/rev/20298762b610 https://hg.mozilla.org/integration/mozilla-inbound/rev/f3c7e9a00af8
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/7ff735f32aac https://hg.mozilla.org/mozilla-central/rev/20298762b610 https://hg.mozilla.org/mozilla-central/rev/f3c7e9a00af8
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Comment 27•9 years ago
|
||
Mass update firefox-status to track EME uplift.
You need to log in
before you can comment on or make changes to this bug.
Description
•