Closed Bug 1313627 Opened 9 years ago Closed 9 years ago

[FirstPartyIsolation] Failed to sign in to the Baidu

Categories

(Core :: DOM: Security, defect, P1)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla52
Tracking Flags:
Tracking Status
firefox52 --- verified

People

(Reporter: cynthiatang, Assigned: timhuang)

References

(Blocks 1 open bug)

Details

(Whiteboard: [tor][domsecurity-active])

Attachments

(1 file, 2 obsolete files)

Get the firstPartyDomain from the nodePrincipal of the document in nsDocShell::CanAccessItem() if the first party isolation is on.
5.86 KB, patch
timhuang
: review+
Details | Diff | Splinter Review
Preference setting: 1. privacy.firstparty.isolate;true 2. network.predictor.enable-prefetch;false 3. network.predictor.enabled;false Step: 1. Launch Firefox browser 2. Go to baidu.com 3. Click on "登录" (Sign in) 4. Sign in using an existing Baidu ID and password Actual result: - User cannot login to Baidu. It show - Firefox with firstPartyIsolation: https://youtu.be/pxVyy-E-MPY - Tor browser: https://youtu.be/2iyl1vvfJpw Expected result: - User can login to Baidu Firefox version: 52.0a1 (2016-10-27) (64-bit)
Removing [domsecurity-active] because there's no priority set nor an assignee; I don't think this actually went through triage before getting that tag.
Whiteboard: [tor][domsecurity-active] → [tor]
Priority: -- → P1
Hi Tim, could you comment what you discovered for this bug?
Flags: needinfo?(tihuang)
What I discovered is that the Baidu will use the window.parent during its login process. But for the current design of the first party isolation in Firefox, the window.parent points to the top-level docShell, which doesn't have the first party domain in its originAttributes. In this situation, the access will be blocked since originAttributes are different. So the login will fail. However, I am not so sure about this. And I will look into it
Assignee: nobody → tihuang
Flags: needinfo?(tihuang)
It looks like that I was wrong. I have written a test page which uses the window.parent, and it works correctly. So the window.parent is not the root cause of this login problem. I will dig into it more.
Whiteboard: [tor] → [tor][domsecurity-active]
The root cause of this login problem is because the top-level docShell doesn't have the firstPartyDomain in its originAttributes. Baidu will use a form with its attribute 'target' points to an iframe. When this form been submitted, the top-level docShell will try to access the iframe's window. At this moment, originAttributes will be checked in the nsDocShell::CanAccessItem() [1]. And it will return a false since the top-level docShell doesn't have firstPartyDomain but the iframe's docShell has. For resolving this problem, I proposed that we could fetch the firstPartyDomain from the nodePrincipal of the document of the top-level docShell during the comparison of originAttriubtes. And this action will only happen if the Pref "privacy.firstParty.isolate" is turned on. [1] http://searchfox.org/mozilla-central/source/docshell/base/nsDocShell.cpp#3574
This patch does what I said in comment 5. Smaug, could you take a look?
Attachment #8808931 - Flags: feedback?(bugs)
Comment on attachment 8808931 [details] [diff] [review] Get the firstPartyDomain from the nodePrincipal of the document in nsDocShell::CanAccessItem() if the first party isolation is on. >+ // When the first party isolation is on, the top-level docShell won't have >+ // the firstPartyDomain in its originAttributes, but its document will have >+ // it. So we get the firstPartyDomain from the nodePrincipal of the document >+ // before we comapre the originAttributes. >+ if (Preferences::GetBool("privacy.firstparty.isolate", false)) { could you make OriginAttributes::IsFirstPartyEnabled() static and use it here. >+ if (accessingOA.mFirstPartyDomain.IsEmpty() && >+ aAccessingItem->ItemType() == nsIDocShellTreeItem::typeContent && >+ !accessingDS->GetIsMozBrowserOrApp()) { So when a window.open() is done, top level docshell does have mFirstPartyDomain set, yet it might not be the same one as what document has. So, IsEmpty() check probably isn't the one you want to use here (I think that setup will lead to more errors, but don't know yet how to solve the issue)
Attachment #8808931 - Flags: feedback?(bugs) → feedback-
Attachment #8808931 - Attachment is obsolete: true
Thanks, Smaug. I have made some changes according to your review comments.
Comment on attachment 8808984 [details] [diff] [review] Get the firstPartyDomain from the nodePrincipal of the document in nsDocShell::CanAccessItem() if the first party isolation is on. >- if (static_cast<nsDocShell*>(targetDS.get())->GetOriginAttributes() != >- static_cast<nsDocShell*>(accessingDS.get())->GetOriginAttributes()) { >+ nsCOMPtr<nsIDocShellTreeItem> accessingRoot; >+ aAccessingItem->GetSameTypeRootTreeItem(getter_AddRefs(accessingRoot)); >+ nsCOMPtr<nsIDocShell> accessingRootDS = do_QueryInterface(accessingRoot); >+ >+ nsCOMPtr<nsIDocShellTreeItem> targetRoot; >+ aTargetItem->GetSameTypeRootTreeItem(getter_AddRefs(targetRoot)); >+ nsCOMPtr<nsIDocShell> targetRootDS = do_QueryInterface(targetRoot); >+ >+ DocShellOriginAttributes targetOA = >+ static_cast<nsDocShell*>(targetDS.get())->GetOriginAttributes(); >+ DocShellOriginAttributes accessingOA = >+ static_cast<nsDocShell*>(accessingDS.get())->GetOriginAttributes(); >+ >+ // When the first party isolation is on, the top-level docShell won't have s/won't/may not/ >+ // the firstPartyDomain in its originAttributes, but its document will have >+ // it. So we get the firstPartyDomain from the nodePrincipal of the document >+ // before we comapre the originAttributes. compare
Attachment #8808984 - Flags: review?(bugs) → review+
Attachment #8808984 - Attachment is obsolete: true
Try looks good.
Keywords: checkin-needed
Pushed by hchang@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/fe91fde5ba7a Get the firstPartyDomain from the nodePrincipal of the document in nsDocShell::CanAccessItem() if the first party isolation is on. r=smaug
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/fe91fde5ba7a
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox52: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Flags: needinfo?(amarchesini)
Verified result: Passed User can sign in to http://www.baidu.com/ https://www.hao123.com/ http://news.sogou.com/ http://people.com.cn/ https://www.so.com/ http://www.momoshop.com.tw Firefox version: 52.0a1 (2016-11-13) (64-bit) ================================== But user still cannot sign in to https://www.pixnet.net/ http://www.360.com/ I will file another bug for it. Thanks.
Status: RESOLVED → VERIFIED
status-firefox52: fixedverified
Flags: needinfo?(amarchesini)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: