1321158 - Investigate if window.open() inheriting firstPartyDomain resolves breakage

Status: NEW

(Core :: DOM: Security, defect, P5)

Comment 1

[Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]]

See smaug's comment in https://bugzilla.mozilla.org/show_bug.cgi?id=1315602#c15.

Comment 2

[Olli Pettay [:smaug][bugs@pettay.fi]]

The reason for my comment was that it might simplify the setup a bit. It would be guaranteed that top level content docshell has empty fpd always. Easier to assert random things and such.

Comment 3

[Tom Ritter [:tjr]]

P1 to investigate and then re-triage.

Comment 4

[Tom Ritter [:tjr]]

We don't want window.open to inherit the first party domain. That's be confusing to users (Why is this gmail tab not logged in? How come when I login to it, but then type gmail.com in a new tab I'm still not logged in?) and would allow the window.open-ed domain and the opening domain to share state as well as communicate. (Communication is only possible if restrict_opener_access is off though.)

It would be interesting to know; however, if relaxing this would solve some of the breakage situations. If it did, I still don't think we should relax it, but at least we would understand better why things break and how to recommend changes.