Closed Bug 1264571 Opened 9 years ago Closed 9 years ago

Add a test case of isolating Broadcast Channels for first party. (Tor 16300)

Categories

(Core :: DOM: Security, defect, P1)

Tracking

()

RESOLVED FIXED
mozilla52
Tracking Status
firefox52 --- fixed

People

(Reporter: timhuang, Assigned: timhuang)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [tor-testing][domsecurity-active][ETA 10/10])

Attachments

(1 file, 2 obsolete files)

Attached patch tor browser patch (WIP) (obsolete) — Splinter Review
We should have a test case for isolation of Broadcast Channels to first party. https://torpat.ch/16300
Whiteboard: [tor], [OA] → [tor], [OA][domsecurity-backlog]
Summary: Isolate Broadcast Channels to first party. (Tor Bug#16300) → Isolate Broadcast Channels to first party. (Tor 16300)
Whiteboard: [tor], [OA][domsecurity-backlog] → [tor][OA-testing][domsecurity-backlog]
Whiteboard: [tor][OA-testing][domsecurity-backlog] → [tor][OA][domsecurity-backlog]
Please note the WIP attachment is out of date, and the current Tor Browser patch is at https://torpat.ch/16300
Is this a testing bug or implementation bug?
Priority: -- → P1
Broadcast channel is already separated by origin attributes. Here's the test: http://searchfox.org/mozilla-central/source/browser/components/contextualidentity/test/browser/browser_broadcastchannel.js This bug should be resolved as soon as first-party URI is in the origin attributes, but we can extend the test for first-party isolation.
Depends on: 1260931
Whiteboard: [tor][OA][domsecurity-backlog] → [tor][domsecurity-backlog]
Priority: P1 → P3
Whiteboard: [tor][domsecurity-backlog] → [tor][domsecurity-backlog1]
Assignee: nobody → tihuang
Status: NEW → ASSIGNED
Priority: P3 → P1
Whiteboard: [tor][domsecurity-backlog1] → [tor][domsecurity-active]
Summary: Isolate Broadcast Channels to first party. (Tor 16300) → Add a test case of isolating Broadcast Channels for first party. (Tor 16300)
Whiteboard: [tor][domsecurity-active] → [tor-testing][domsecurity-active]
Whiteboard: [tor-testing][domsecurity-active] → [tor-testing][domsecurity-active][ETA 10/10]
Priority: P1 → P2
No longer blocks: meta_tor
Attachment #8797397 - Flags: review?(arthuredelstein)
Attachment #8797397 - Flags: review?(amarchesini)
Comment on attachment 8797397 [details] [diff] [review] Add a test case of isolating broadcast channels for first party isolation. Review of attachment 8797397 [details] [diff] [review]: ----------------------------------------------------------------- ::: browser/components/originattributes/test/browser/browser_broadcastChannel.js @@ +21,5 @@ > + return data; > + } > + > + return displayItem.innerHTML; > + }); This doesn't work because we are isolating, but because broadcastChannel is async. You should give time to retrieve the data. And this is racy, right?
Attachment #8797397 - Flags: review?(amarchesini)
Just to make clear that I understand this correctly: are you saying that this is working not because the broadcast channel is isolated, but because the broadcast channel is async?
Correct.
Comment on attachment 8797397 [details] [diff] [review] Add a test case of isolating broadcast channels for first party isolation. Review of attachment 8797397 [details] [diff] [review]: ----------------------------------------------------------------- ::: browser/components/originattributes/test/browser/browser_broadcastChannel.js @@ +4,5 @@ > + > +const TEST_DOMAIN = "http://example.net/"; > +const TEST_PATH = TEST_DOMAIN + "browser/browser/components/originattributes/test/browser/"; > +const TEST_PAGE = TEST_PATH + "file_broadcastChannel.html"; > + // Maybe here you could define something like. let waitForBroadcastMessage = function (broadcastChannel) { return new Promise(resolve => { broadcastChannel.onmessage = e => resolve(e); }); }; @@ +16,5 @@ > + // which was received from the broadcast channel. > + if (displayItem.innerHTML.length === 0) { > + let data = Math.random().toString(); > + let bc = new content.BroadcastChannel("testBroadcastChannel"); > + bc.postMessage(data); // Then here you could do let messagePromise = waitForBroadcastMessage(bc); bc.postMessage(data); yield messagePromise; // Probably this ensures that the message has been properly broadcast before // you return from doTest?
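Review bot: in the @@ +16,5 hunk, bc.postMessage(data) only queues the message, and nothing in the lines shown waits for a receiver to get it or closes bc afterwards. A BroadcastChannel object is not delivered its own messages, so the delivery signal has to come from a second context listening on "testBroadcastChannel"; wait on that signal before the task continues, and call bc.close() once it has arrived.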
Attachment #8797397 - Flags: review?(arthuredelstein)
Attachment #8797397 - Attachment is obsolete: true
Comment on attachment 8798012 [details] Bug 1264571 - Add a test case of isolating broadcast channels for first party isolation. https://reviewboard.mozilla.org/r/83616/#review82250 Looks good to me. Thanks, Tim!
Attachment #8798012 - Flags: review?(arthuredelstein) → review+
Priority: P2 → P1
Comment on attachment 8798012 [details] Bug 1264571 - Add a test case of isolating broadcast channels for first party isolation. https://reviewboard.mozilla.org/r/83616/#review87578 ::: browser/components/originattributes/test/browser/browser_broadcastChannel.js:21 (Diff revision 1) > + // The way that how we make sure the message is delivered is based on an > + // iframe which will reply everything it receives from the broadcast channel > + // to the current window through the postMessage. So, we can know that the > + // boradcast message is sent successfully when the window receives a message > + // from the iframe. > + if (displayItem.innerHTML.length === 0) { displayItem.innerHTML == "" ::: browser/components/originattributes/test/browser/browser_broadcastChannel.js:26 (Diff revision 1) > + if (displayItem.innerHTML.length === 0) { > + let data = Math.random().toString(); > + > + let receivedData = yield new Promise(resolve => { > + let listenFunc = event => { > + content.removeEventListener("message", listenFunc, false); remove "false". It's optional.
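Review bot: in the hunk at line 26, listenFunc removes itself on the first "message" event the content window receives, whoever sent it. If the part of the handler that is not shown does not already do so, compare event.data with data (or check event.source against the iframe) before resolving, so that an unrelated postMessage cannot satisfy the wait. The comment block at line 21 also needs a pass for typos: "boradcast" and "The way that how we make sure".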
Attachment #8798012 - Flags: review?(amarchesini) → review+
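The race discussed in the reviews above, as an added example that is not part of this bug or of the landed test. It runs in Node.js 18+ rather than in Firefox, and models a first party as a prefix on the channel name (an assumption standing in for origin attributes); the function names and the a.example / b.example parties are constructed for illustration.

```javascript
// Added illustration for Node.js 18+ (global BroadcastChannel); not the Firefox test.
// Assumption: a first party is modelled as a prefix on the channel name, standing in
// for the browser keying channels by origin attributes. Party names are constructed.
const CHANNEL = "testBroadcastChannel";
const nextTurn = () => new Promise(resolve => setTimeout(resolve, 0));

// Post from `senderParty` and report whether a listener in `listenerParty` saw it.
// waitForEcho=false reads straight after postMessage (the racy check);
// waitForEcho=true first waits for an echo from the sender's own party.
async function listenerSawMessage(senderParty, listenerParty, waitForEcho) {
  const run = Math.random().toString(36).slice(2); // keeps concurrent probes apart
  const openChannel = party => new BroadcastChannel(`${party}|${CHANNEL}|${run}`);
  const listener = openChannel(listenerParty);
  const sender = openChannel(senderParty);
  const echo = openChannel(senderParty); // plays the role of the replying iframe
  let seen = null;
  listener.onmessage = event => { seen = event.data; };
  const echoed = new Promise(resolve => { echo.onmessage = event => resolve(event.data); });
  try {
    const data = Math.random().toString();
    sender.postMessage(data); // returns before any listener has run
    if (waitForEcho) {
      await echoed;     // the broadcast has reached the sender's own party
      await nextTurn(); // let deliveries queued alongside the echo run
    }
    return seen === data;
  } finally {
    for (const channel of [listener, sender, echo]) channel.close();
  }
}

async function runChecks() {
  return {
    samePartyImmediate: await listenerSawMessage("a.example", "a.example", false),
    samePartyAfterEcho: await listenerSawMessage("a.example", "a.example", true),
    crossPartyAfterEcho: await listenerSawMessage("a.example", "b.example", true),
  };
}

runChecks().then(result => console.log(result));
```

samePartyImmediate comes back false even though both channels share a party, so a "not received" result only says something about isolation once delivery inside the sender's own party has been confirmed.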
Attachment #8741280 - Attachment is obsolete: true
Try looks good.
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/48aec91f819f Add a test case of isolating broadcast channels for first party isolation. r=arthuredelstein,baku
Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
