Closed Bug 1111787 Opened 10 years ago Closed 10 years ago

"Forget This Site" command should clear EME salt values associated with the forgotten origin

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla37
Tracking Flags:
Tracking Status
firefox37 --- fixed
firefox38 --- fixed
firefox39 --- fixed

People

(Reporter: cpeterson, Assigned: jwwang)

References

(Blocks 2 open bugs)

Details

Attachments

(3 files, 5 obsolete files)

1111787_part2_kill_plugins_with_valid_nodeIDs-v2.patch
5.34 KB, patch
cpearce
: review+
Details | Diff | Splinter Review
1111787_part3_clear_plugins_storage-v3.patch
6.82 KB, patch
jwwang
: review+
Details | Diff | Splinter Review
1111787_part1_forget_this_site-v3.patch
13.83 KB, patch
jwwang
: review+
Details | Diff | Splinter Review 
We should clear a salt if the user wants to forget about either of the origins in the origin pair associated with a salt.
We should clear storage associated with the salt too, since it can't be accessed anymore.
See also:

W3 EME Bug 27166 - All identifiers associated with a user should be clearable in the same way cookies are

https://www.w3.org/Bugs/Public/show_bug.cgi?id=27166
JW: Can you take this bug?

I think you could do this by adding code to ForgetAboutSite.jsm to get the mozIGeckoMediaPluginService, and call a function on it (which you'll have to add and implement) that clears all storage and nodeIds for a given origin.
Flags: needinfo?(jwwang)
Blocks: 1112895
sure.
Assignee: nobody → jwwang
Flags: needinfo?(jwwang)
So all I need to do is delete these folders:
1. $profileDir/gmp/id/$hash/ where $hash is generated by the origin pair
2. $profileDir/gmp/storage/$nodeId/ where $nodeId is the salt generated for the origin pair

right?
Yes. You'll need to enumerate over $profileDir/gmp/id/* to check whether $profileDir/gmp/id/*/origin or $profileDir/gmp/id/*/topLevelOrigin match the origin being forgotten.
Patch part 1: delete the direcotry for the origin pair when "forget this site" is invoked.

More to come in next patch.
Attachment #8539040 - Flags: review?(cpearce)
Comment on attachment 8539040 [details] [diff] [review]
1111787_part1_forget_this_site-v1.patch

Review of attachment 8539040 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/media/gmp/GMPService.cpp
@@ +933,5 @@
>  static nsresult
>  ReadFromFile(nsIFile* aPath,
>               const nsCString& aFileName,
>               nsCString& aOutData,
> +             int32_t aMaxLength = INT_MAX)

I don't think you should allow reading up to INT_MAX characters at once. If there happens to be a bad file being read, we could run out of memory.

i.e. don't specify "= INT_MAX" default value here.

@@ +1145,5 @@
> +MatchOrigin(nsIFile* aPath, const nsACString& aMatch)
> +{
> +  nsresult rv;
> +  nsCString str;
> +  rv = ReadFromFile(aPath, NS_LITERAL_CSTRING("origin"), str);

The max length for a valid textual representation of a domain name is 253 characters:

http://en.wikipedia.org/wiki/Domain_Name_System#Domain_name_syntax

I suggest you pass 253 here instead of implicitly passing INT_MAX.

@@ +1187,5 @@
> +
> +    // $profileDir/gmp/id/$hash
> +    nsCOMPtr<nsIFile> dirEntry(do_QueryInterface(supports, &rv));
> +    ERR_CONT(rv);
> +

You probably should `continue` here if !dirEntry->IsDirectory().

::: dom/media/gmp/mozIGeckoMediaPluginService.idl
@@ +98,5 @@
>  
>    /**
> +   * Clears storage data associated with the origin.
> +   */
> +  void forgetThisSite(in AString origin);

This changes the vtable on the mozIGeckoMediaPluginService interface. You need to run `./mach update-uuids mozIGeckoMediaPluginService` to ensure that the IID of the interface changes, else extensions and/or other code that was compiled under the old interface layout/ABI won't be foreced to recompile and will break in non-obvious ways.
Attachment #8539040 - Flags: review?(cpearce) → review+
Thanks for the review. Address comments in comment 9.
Attachment #8539040 - Attachment is obsolete: true
Attachment #8539966 - Flags: review+
Part 2 - add ability to check whether GMPParent is accessing storage of a particular node ID.

This feature is needed by patch part 3 which needs to delete some of GMPParents which are accessing storage data for a particular node IDs.
Attachment #8540500 - Flags: review?(cpearce)
Part 3 - Clear plugis and storage data associated with the node IDs.
Attachment #8540501 - Flags: review?(cpearce)
Comment on attachment 8540500 [details] [diff] [review]
1111787_part2_add_IsAccessingStorageForNodeId_to_GMPParent-v1.patch

Review of attachment 8540500 [details] [diff] [review]:
-----------------------------------------------------------------

I don't think we should only kill plugins that happen to have a record open at the time that we are running the "forget about this site" algorithm. The GMPs are probably unlikely to keep their records open; I'd expect them to open, read or write, then close. So we'd be likely to miss detecting GMPs that have accessed storage this way.

The reason why the code that you're changing here recorded whether a GMP had ever accessed storage was because I was worried that a GMP could write data to disk after we've cleared its storage that is dependent on state the GMP holds in memory, so the GMP's storage on disk count end up in an inconsistent, as far as it sees it anyway.

Also, if you clear the nodeId mapping (which you do in patch 1), but don't clear the stored records (which you do in patch 3), the stored records aren't accessible if a GMP for the same origins are re-created, as they'll have a different nodeId/salt. So it doesn't make sense to clear the nodeId/salt but not clear the records themselves, as the records themselves will then effectively "leak".

So, I think we should be more aggressive.

We should just kill all GMPs that match the nodeId, regardless of whether or not they have accessed storage or have records open. We should be able to rely on the existing shutdown code to ensure that no I/O can succeed while we're shutting down a GMP.

That means we can remove the HasAccessedStorage() logic.

So, please do the following:
* Remove the HasAccessedStorage() logic.
* Shutdown all plugins have nodeIds for the origin being cleared.
Attachment #8540500 - Flags: review?(cpearce) → review-
Comment on attachment 8540501 [details] [diff] [review]
1111787_part3_clear_plugins_storage-v1.patch

Review of attachment 8540501 [details] [diff] [review]:
-----------------------------------------------------------------

Just kill all plugins that match the nodeIds.

::: dom/media/gmp/GMPService.cpp
@@ +1276,5 @@
>    }
>  
> +  // Kill all plugins associated with the node IDs.
> +  KillPluginsForStorage(nodeIDsToClear);
> +

We also need to remove the NodeId from the mPersistentStorageAllowed hash table.
Attachment #8540501 - Flags: review?(cpearce) → review-
(In reply to Chris Pearce (:cpearce) (PTO until 5 Jan) from comment #13)
> I don't think we should only kill plugins that happen to have a record open
> at the time that we are running the "forget about this site" algorithm. The
> GMPs are probably unlikely to keep their records open; I'd expect them to
> open, read or write, then close. So we'd be likely to miss detecting GMPs
> that have accessed storage this way.

We want to delete GMPs that are accessing storage data to prevent inconsistency. We don't want GMPStorageParents stay alive while their underlying data is wiped out. ($profileDir/gmp/storage/$nodeId/ is deleted in patch 3) If a GMP opens, reads/writes and then closes before "Forget this site", we don't have the problem of inconsistency. All the storage data in $profileDir/gmp/storage/$nodeId/ is still cleared. I think that should be fine.

However, come to think about it again, I find GMPParent::mNodeId is still kept in the memory after "Forget this site". If we create a GMPStorageParent with that node ID later, we will create inconsistency since the node ID shouldn't be used anymore.

So, yes, you are right. We should delete GMPs that match the nodeId no matter they accessed the storage or not since mNodeId shouldn't be used anymore.
Btw, in GeckoMediaPluginService::ClearStorage(), we should delete all GMPParents which return false for CanBeSharedCrossNodeIds(), right? A GMPParent without node ID will not access storage data. It is fine not kill it.
1. Remove the HasAccessedStorage() logic.
2. Kill any plugin that has a valid nodeId when ClearStorage() is invoked.
Attachment #8540500 - Attachment is obsolete: true
Attachment #8540501 - Attachment is obsolete: true
Attachment #8542003 - Flags: review?(cpearce)
Attachment #8542003 - Flags: review?(cpearce) → review+
Clear plugis and storage data associated with the node IDs.
Attachment #8542385 - Flags: review?(cpearce)
Comment on attachment 8542385 [details] [diff] [review]
1111787_part3_clear_plugins_storage-v2.patch

Review of attachment 8542385 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/media/gmp/GMPService.cpp
@@ +1163,5 @@
> +template<typename T> static void
> +KillPlugins(const nsTArray<nsRefPtr<GMPParent>>& aPlugins,
> +            Mutex& aMutex, T&& aFilter)
> +{
> +  // Shutdown all plugins that have matching node IDs as those IDs will become

The comment mentions matching nodeIds, but reality is that this function kills plugins that pass the filter function; the comment is inaccurate.
Attachment #8542385 - Flags: review?(cpearce) → review+
Adress nits.
Attachment #8542385 - Attachment is obsolete: true
Attachment #8542448 - Flags: review+
jw: is this ready to land?
Flags: needinfo?(jwwang)
Yes. I will open another bug for the test case.

Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=033cc285fcb0
Flags: needinfo?(jwwang)
Keywords: checkin-needed
Hi Jw, this patch failed to apply (tried to land part1) and got:

Which patches do you want to import? [Default is '1', use '1-3' for all] 1
adding 1111787 to series file
renamed 1111787 -> 1111787_part1_forget_this_site-v2.patch
applying 1111787_part1_forget_this_site-v2.patch
patching file toolkit/forgetaboutsite/ForgetAboutSite.jsm
Hunk #1 FAILED at 75
1 out of 1 hunks FAILED -- saving rejects to file toolkit/forgetaboutsite/ForgetAboutSite.jsm.rej

could you take a look, thanks!
Flags: needinfo?(jwwang)
Keywords: checkin-needed
rebase part1. Please try again. Thanks.
Attachment #8539966 - Attachment is obsolete: true
Flags: needinfo?(jwwang)
Attachment #8544329 - Flags: review+
Keywords: checkin-needed
Blocks: 1118574
Depends on: 1120051
Blocks: 1085653
Mass update firefox-status to track EME uplift.
status-firefox37: --- → fixed
status-firefox38: --- → fixed
status-firefox39: --- → fixed
Blocks: 1139633
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: