1233903 - fix up the shumway use of createCodebasePrincipal to be aware of user context origin attributes

Status: RESOLVED INCOMPLETE

(Firefox Graveyard :: Shumway, defect)

Description

[Dave Huseby [:huseby]]

In shumway's special storage it will need to make sure that it does proper user context isolation by setting the correct user context id in the origin attributes used when calling createCodebasePrincipal.

> browser/extensions/shumway/chrome/SpecialStorage.jsm
>   line 27
>     var principal = ssm.createCodebasePrincipal(uri, {});

Comment 1

[Dave Huseby [:huseby]]

IMHO, this is not a blocker fixup for v1 of containers, but it should be considered a blocker for shipping shumway.  Without proper user context isolation, any storage done on behalf of a flash movie won't be properly isolated and shumway could be used as a cross-domain/cross-tab communication channel.

Comment 2

[Dave Huseby [:huseby]]

Chris, are you the PM on shumway?  This bug is a blocker for shipping shumway and I want to make sure the shumway team is tracking it.

Comment 3

[Chris Peterson [:cpeterson]]

Thanks. I've updated the Shumway bug dependencies. Shumway will need createCodebasePrincipal bug 1218479, but the Shumway work should not block you.

Comment 4

[Dave Huseby [:huseby]]

After fixing up a bunch of other similar cases, I think the right thing to do here is to query the document/docshell for the origin attributes and using that.  Shumway should be isolating based on user context id.

Comment 5

[Tanvi Vyas[:tanvi]]

Why is this resolved incomplete?

Comment 6

[Emma Humphries ☕️🎸🧞‍♀️✨ (she/they) [:emceeaich] (Pacific Time) use needinfo]

Please go to the project page on GitHub https://github.com/mozilla/shumway/ to report issues.

Comment 7

[Dave Huseby [:huseby]]

The github issue is here: https://github.com/mozilla/shumway/issues/2418