1319346 - WebChannel not isolated by originAttributes

Status: REOPENED

(Core :: DOM: Security, defect, P3)

Description

[Hector Zhao [:hectorz]]

Try using WebChannel from within a container tab will throw an error:

> {webChannelId} error message. No Such Channel

This is because when using origin as originOrPermission when creating a WebChannel, `_originCheckCallback` will check `{allowedOrigin}.prePath === requestPrincipal.origin` to find a matching WebChannel[1];

Since a) another check for WebChannel already uses `originNoSuffix`[2] and b) `userContextId` are ignored when matching permissions[3], I think it might be okay to just use `requestPrincipal.originNoSuffix` here?

[1]: https://dxr.mozilla.org/mozilla-central/rev/0534254e9a40/toolkit/modules/WebChannel.jsm#184
[2]: https://hg.mozilla.org/mozilla-central/rev/af0f02e07f6a#l21.53
[3]: https://hg.mozilla.org/mozilla-central/rev/299a09f24493

Comment 1

[Tanvi Vyas[:tanvi]]

Ethan, is this also an issue for Tor?

Comment 2

[Evan Tseng [:evanxd]]

That's not Ethan's email, let's change to right one(ettseng@mozilla.com).

Comment 3

[Hector Zhao [:hectorz]]

Dupe of bug 1319904, which was already fixed.

Comment 4

[Tanvi Vyas[:tanvi]]

I'm not sure this is a duplicate.  Reopening for now and we can decide after further investigation.

Comment 5

[Ethan Tseng [:ethan]]

(In reply to Tanvi Vyas [:tanvi] from comment #1)
> Ethan, is this also an issue for Tor?

I went through comments in bug 1319904.
It looks to me this is a general Origin Attributes issue that has to be fixed in WebChannel.
So yes, I assume it also affects Tor First Party Isolation.

Arthur, can you help to confirm this?

Comment 6

[Arthur Edelstein [:arthur]]

(In reply to Ethan Tseng [:ethan] from comment #5)
> (In reply to Tanvi Vyas [:tanvi] from comment #1)
> > Ethan, is this also an issue for Tor?
> 
> I went through comments in bug 1319904.
> It looks to me this is a general Origin Attributes issue that has to be
> fixed in WebChannel.
> So yes, I assume it also affects Tor First Party Isolation.
> 
> Arthur, can you help to confirm this?

Sorry for the delay -- yes, it looks to me like the issue affects first-party isolation as a part of originAttributes. As far as I can tell, the patch in bug 1319904 should solve the problem for first-party isolation as well.

Comment 7

[Tanvi Vyas[:tanvi]]

Bug 1319904 makes WebChannel NOT isolated by Origin Attributes.

Comment 8

[Ethan Tseng [:ethan]]

Set it as blocking First Party Isolation for tracking.

Comment 9

[Christoph Kerschbaumer [:ckerschb]]

Tanvi, this is was marked as a P1, got closed and reopened? Do we need to set a new priority? Potentially we need to find an owner for this one! Can you have a look please?

Comment 10

[Arthur Edelstein [:arthur]]

(In reply to Tanvi Vyas - behind on bugmail [:tanvi] from comment #7)
> Bug 1319904 makes WebChannel NOT isolated by Origin Attributes.

You're absolutely right. Sorry for my mistake. Indeed this looks like we need to implement a fix for first party isolation.

Comment 11

[Ethan Tseng [:ethan]]

As discussed in the meeting, this bug is low priority but nice to have.

Comment 12

[Christoph Kerschbaumer [:ckerschb]]

(In reply to Ethan Tseng [:ethan] from comment #11)
> As discussed in the meeting, this bug is low priority but nice to have.

Clearing my ni? queue at the moment. Thanks Ethan for de-prioritizing this work in comment 11. Clearing the ni? for Tanvi in that case.

Comment 13

[Firefox Bug Husbandry Bot]

Bulk change per https://bugzilla.mozilla.org/show_bug.cgi?id=1401020