Tracking protection: Redirect to blocked resource in iframe is not blocked

RESOLVED WORKSFORME

Status

()

defect
P2
normal
RESOLVED WORKSFORME
4 years ago
3 years ago

People

(Reporter: mwobensmith, Assigned: tnguyen)

Tracking

43 Branch
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sb-backlog] [sb-moderate])

Attachments

(2 attachments, 1 obsolete attachment)

232 bytes, text/html
Details
1.37 KB, application/zip
Details
An iframe whose source is a page that redirects to a blocked URL should be blocked. Currently it is not. 

This affects tracking protection in Fx43 and 44, but not Fx42.
Assignee: francois → nobody
Whiteboard: tpe-seceng
Priority: -- → P2
Whiteboard: tpe-seceng → [sb-backlog] [sb-moderate]
Assignee

Comment 1

3 years ago
Hi Matt,
Could you please test this in current version?
FWIU, loading a page that redirects to a malware/phishing URL in iframe should be blocked.
And tracking protection should have the same behavior.
Thanks
Assignee

Updated

3 years ago
Flags: needinfo?(mwobensmith)
Assignee

Updated

3 years ago
Assignee: nobody → tnguyen
Assignee

Comment 2

3 years ago
Posted file Test (obsolete) —
Assignee

Comment 3

3 years ago
Posted file Test
Attachment #8790194 - Attachment is obsolete: true
Comment hidden (typo)
Assignee

Comment 5

3 years ago
I followed the below steps 

1. Run Apache on your machine at 127.0.0.1
2. Use the following Apache config:

# Test tracking protection
<VirtualHost localhost:80>
    ServerName testtrackingprotection.appspot.com
    DocumentRoot /var/www/html
    Redirect "/s/tracking.html" "https://www.google-analytics.com/"
</VirtualHost>


3. Redirect the testsafebrowsing.appspot.com test page to your machine by
   putting the following in /etc/hosts:

127.0.0.1       testtrackingprotection.appspot.com

4. Visit the test link I attached in a browser (note that you may need to disable insecure protection- clicking the lock icon on the top left)
5. Enable/disable tracking protection and notice that the page in iframe frame is blocked.

This works for me, please reopen it if you find the test does not work on your machine.
Thanks
Posted file 1217210.zip
Hi Thomas, sorry for the delay, I have been traveling.

This is still a problem for me. See attached test.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Assignee

Comment 7

3 years ago
Thanks Matt for your help.
Just enable tracking protection and privacy.trackingprotection.enabled to true in about:config and it works
. Could you please try again and please tell me your steps?
Assignee

Comment 8

3 years ago
Oh, sorry that I did disturb your traveling :), enjoy your time and check this after you come back.
This issue seems related to Bug 1293476 and supposed to be fixed in the upcoming release (49).
Hi Thomas, no worries. I think you are right, it works now. I should have given more complete steps when I filed the bug, because I'm reasonably sure this was broken at that time. However, it works fine now. Thank you for your help.
Status: REOPENED → RESOLVED
Closed: 3 years ago3 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.