Closed
Bug 1183968
Opened 9 years ago
Closed 9 years ago
Make sessionStorage obey the third-party cookies pref
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: nika, Assigned: nika)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-complete)
Attachments
(1 file, 2 obsolete files)
7.15 KB,
patch
|
ehsan.akhgari
:
review+
|
Details | Diff | Splinter Review |
Currently sessionStorage doesn't check DOMStorage::CanUseStorage when being accessed on the window object. Instead, CanUseStorage is checked whenever a method on the sessionStorage object (such as getItem) is called.
Assignee | ||
Comment 1•9 years ago
|
||
This patch changes the behavior to be consistent with localStorage, in that it checks DOMStorage::Can
UseStorage when the sessionStorage property on window is being accessed.
I also copy over some tests from localStorage for these cookie preferences which are checked in CanUs
eStorage.
Attachment #8633880 -
Flags: feedback?(ehsan)
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → michael
Assignee | ||
Updated•9 years ago
|
Comment 2•9 years ago
|
||
Comment on attachment 8633880 [details] [diff] [review]
Make sessionStorage obey the third-party cookies pref
Review of attachment 8633880 [details] [diff] [review]:
-----------------------------------------------------------------
This looks fine to me, but I think Honza should look at this.
::: dom/tests/mochitest/sessionstorage/interOriginFrame.js
@@ +49,5 @@
> +
> +function finishTest()
> +{
> + try {
> + localStorage.clear();
This isn't needed. Some of the other things in this file aren't used either AFAICT.
Attachment #8633880 -
Flags: feedback?(ehsan) → feedback?(honzab.moz)
Comment 3•9 years ago
|
||
Comment on attachment 8633880 [details] [diff] [review]
Make sessionStorage obey the third-party cookies pref
Review of attachment 8633880 [details] [diff] [review]:
-----------------------------------------------------------------
Witch this change please also update https://developer.mozilla.org/en-US/docs/Mozilla/Gecko/DOM_Storage_implementation_notes#Access_security_checks
::: dom/base/nsGlobalWindow.cpp
@@ +10401,5 @@
> }
> }
>
> if (!mSessionStorage) {
> + if (!DOMStorage::CanUseStorage(this)) {
what is the 'this' here? This accepts a storage object. It's passed in only to update the mSessionOnly flag on the storage. It has no meaning on sessionStorage since that is session-only from its nature. Just pass null or omit and you are OK to go here. GetLocalStorage also passes null (a default value).
Attachment #8633880 -
Flags: feedback?(honzab.moz) → feedback+
Assignee | ||
Comment 4•9 years ago
|
||
Updated version of the patch which instead uses the StorageAllowedForWindow logic being implemented in bug 1184973. The new DOMStorage::CanUseStorage logic is being implemented in bug 536509.
Attachment #8635317 -
Flags: review?(ehsan)
Assignee | ||
Updated•9 years ago
|
Attachment #8633880 -
Attachment is obsolete: true
Updated•9 years ago
|
Keywords: dev-doc-needed
Comment 5•9 years ago
|
||
Comment on attachment 8635317 [details] [diff] [review]
Update sessionStorage to use common StorageAllowedForWindow logic
Review of attachment 8635317 [details] [diff] [review]:
-----------------------------------------------------------------
Mostly looks good, except for the below.
::: dom/base/nsGlobalWindow.cpp
@@ +10401,5 @@
> }
> }
>
> if (!mSessionStorage) {
> + if (!DOMStorage::CanUseStorage(this)) {
Why this function? Shouldn't we use the one you're adding to nsContentUtils?
@@ +10416,5 @@
> // don't allow access to sessionStorage.
> if (!mDoc) {
> aError.Throw(NS_ERROR_FAILURE);
> return nullptr;
> }
This can go away from here. You should do this check in the other bug.
Attachment #8635317 -
Flags: review?(ehsan) → review-
Assignee | ||
Comment 6•9 years ago
|
||
(In reply to Ehsan Akhgari (not reviewing patches, not reading bugmail, needinfo? me!) from comment #5)
> Why this function? Shouldn't we use the one you're adding to nsContentUtils?
DOMStorage::CanUseStorage dispatches to nsContentUtils::StorageAllowedForWindow as of bug 536509. It just also performs some extra additional logic which I wasn't sure I wanted to move into StorageAllowedForWindow.
> This can go away from here. You should do this check in the other bug.
It'll be gone in the next patch I put up.
Assignee | ||
Comment 7•9 years ago
|
||
Updated version of patch. Part 3 of new storage logic. Full tree here: https://github.com/mystor/mozilla-central/tree/storage_pref
try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=d48360c5cc3e
Attachment #8635317 -
Attachment is obsolete: true
Attachment #8641986 -
Flags: review?(ehsan)
Updated•9 years ago
|
Attachment #8641986 -
Flags: review?(ehsan) → review+
Assignee | ||
Comment 8•9 years ago
|
||
After a discussion on dev-platform, we decided that we don't want to prevent sessionstorage in third party iframes, as it is already double-keyed and not persisted. Thus this patch is unnecessary.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
Updated•9 years ago
|
Keywords: dev-doc-needed → dev-doc-complete
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•