Closed Bug 1301523 Opened 8 years ago Closed 8 years ago

Add a test that checks HTTP auth is isolated by first party domain (Tor 13900)

Categories

(Core :: Networking: HTTP, defect, P1)

Tracking

RESOLVED FIXED
mozilla52
Tracking Status
firefox52 --- fixed

People

(Reporter: arthur, Assigned: jhao)

References

(Blocks 3 open bugs)

Details

(Whiteboard: [tor-testing][OA-testing][necko-next])

Attachments

(1 file)

When privacy.firstparty.isolate is true, we should isolate the HTTP Auth token storage by first party domain.

For Tor Browser, we introduced a patch that prevents 3rd-party HTTP Auth altogether:
https://torpat.ch/13900

But proper isolation based on Origin Attributes would be better.
(In reply to Arthur Edelstein [:arthuredelstein] from comment #0)
> But proper isolation based on Origin Attributes would be better.

I agree.
Whiteboard: [tor] → [tor][OA]
Priority: -- → P1
Whiteboard: [tor][OA] → [tor][OA][tor-standalone]
Whiteboard: [tor][OA][tor-standalone] → [tor][OA]
Whiteboard: [tor][OA] → [tor][OA][necko-next]
This needs testing and a link to the HTTP Auth code.
Flags: needinfo?(kjozwiak)
Flags: needinfo?(amarchesini)
This is WORKSFORME, according to https://dxr.mozilla.org/mozilla-central/rev/955840bfd3c20eb24dd5a01be27bdc55c489a285/netwerk/protocol/http/nsHttpAuthCache.cpp#26

We isolate http authentication credentials also by origin attributes suffix, so when first party domain is added to origin attributes, it will automatically work.

If this only needs automated tests, then let's turn this bug accordingly.

Tanvi, is this OK?
Flags: needinfo?(tanvi)
Flags: needinfo?(kjozwiak)
Flags: needinfo?(amarchesini)
Summary: HTTP auth can be used for tracking (Tor 13900) → Add a test that checks HTTP auth is isolated by first party domain (Tor 13900)
Yes, let's convert this to a testing bug.  Thanks Honza!
Flags: needinfo?(tanvi)
Priority: P1 → P2
Whiteboard: [tor][OA][necko-next] → [tor-testing][OA-testing][necko-next]
Assignee: nobody → jhao
Status: NEW → ASSIGNED
Hi Honza, would you review this test, please?

This uses the IsolationTestTool.runTest.  In each subtest, the tool opens two tabs with several kinds of combinations of containers and first party domain, and compares the result gotten from `getResult`.


Arthur, could you take a look, too?
Attachment #8797996 - Flags: review?(honzab.moz)
Attachment #8797996 - Flags: review?(arthuredelstein)
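
Added example, not part of this bug's attachment and not Firefox code: a simplified JavaScript model of the two points made above, an auth cache keyed by the origin attributes suffix and a two-tab comparison in the spirit of the described test. The suffix format, `AuthCache`, `attrsFor`, `sharedAcrossTabs` and the host `auth.example` are assumptions made for illustration.

```javascript
// Simplified model for illustration; not Firefox code. All names are hypothetical.

// Serialize origin attributes into a suffix, omitting default values.
// The "^key=value&..." shape is an assumption modelled on Gecko's suffix format.
function originSuffix(attrs) {
  const parts = Object.keys(attrs).sort()
    .filter((k) => attrs[k] !== "" && attrs[k] !== 0)
    .map((k) => `${k}=${encodeURIComponent(attrs[k])}`);
  return parts.length ? "^" + parts.join("&") : "";
}

// Auth cache keyed by origin-attributes suffix plus scheme://host:port.
class AuthCache {
  constructor() { this.entries = new Map(); }
  static key(scheme, host, port, attrs) {
    return `${originSuffix(attrs)}:${scheme}://${host}:${port}`;
  }
  set(scheme, host, port, attrs, creds) {
    this.entries.set(AuthCache.key(scheme, host, port, attrs), creds);
  }
  get(scheme, host, port, attrs) {
    const k = AuthCache.key(scheme, host, port, attrs);
    return this.entries.has(k) ? this.entries.get(k) : null;
  }
}

// Origin attributes of a load made from a tab. firstPartyDomain is only
// populated when isolation (privacy.firstparty.isolate) is on.
function attrsFor(tab, isolate) {
  return {
    firstPartyDomain: isolate ? tab.firstParty : "",
    userContextId: tab.container,
  };
}

// Tab A authenticates to a third-party host; report whether a load from
// tab B to the same host finds those credentials in the cache.
function sharedAcrossTabs(tabA, tabB, isolate) {
  const cache = new AuthCache();
  const authHost = ["https", "auth.example", 443]; // constructed host
  cache.set(...authHost, attrsFor(tabA, isolate), "user:constructed-secret");
  return cache.get(...authHost, attrsFor(tabB, isolate)) !== null;
}
```

With isolation off, two tabs on different first parties resolve to the same cache key, which is the cross-site linkage this bug is concerned with; with it on, the keys differ and the lookup misses.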
Comment on attachment 8797996
Add a test that checks HTTP auth is isolated by first party domain.

Review of attachment 8797996:
-----------------------------------------------------------------

LGTM
Attachment #8797996 - Flags: review?(honzab.moz) → review+
Comment on attachment 8797996
Add a test that checks HTTP auth is isolated by first party domain.

Review of attachment 8797996:
-----------------------------------------------------------------

Looks good to me too. Thanks, Jonathan!
Attachment #8797996 - Flags: review?(arthuredelstein) → review+
Priority: P2 → P1
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e7939844b393
Add a test that checks HTTP auth is isolated by first party domain. r=mayhemer, r=arthuredelstein
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/e7939844b393
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla52