Open Bug 1337868 Opened 5 years ago Updated 8 months ago

Add Origin Attribute connection isolation tests for HTTP2, TLS, and WebSockets

Categories

(Core :: DOM: Security, task, P3)

Product:
Core
Component:
DOM: Security
Version:
52 Branch
Type:
task

Tracking

()

People

(Reporter: tjr, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [OA-testing][tor-testing][domsecurity-backlog1]) 

Bug 1283319 added tests for Connection Isolation in HTTP/1.1, but we should hedge our bets and make some tests for other connection types.
Summary: Add container connection isolation tests for HTTP2, TLS, and WebSockets → Add Origin Attribute connection isolation tests for HTTP2, TLS, and WebSockets
Whiteboard: [OA] → [OA-testing][tor]
Whiteboard: [OA-testing][tor] → [OA-testing][tor-testing]
Priority: -- → P3
Whiteboard: [OA-testing][tor-testing] → [OA-testing][tor-testing][domsecurity-backlog1]
This might be done for HTTP2 in Bug 1334693. And Alt-Srv in Bug 1334690.  But maybe it hasn't.
Priority: P3 → P1
Hi arthur, I see this was promoted from P3 to P1 5 months ago, reasoning?
Flags: needinfo?(arthuredelstein)
Severity: normal → major
Priority: P1 → P2
Hi Marion -- thanks for checking. We're planning to enable HTTP/2 for the next version of Tor Browser and unit tests for FPI (or generally OriginAttribute isolation) would provide stronger assurance.
Flags: needinfo?(arthuredelstein)
Great, thank you for the answer! That makes total sense. I hope you don't mind I moved it to P2. It's still high priority.
Type: defect → task
Priority: P2 → P3

Have we made progress on this in light of bug 1673921?

Flags: needinfo?(tihuang)

No, we haven't added tests for H2, and WebSocket.

For TLS, we do have a test here. It tests the TLS resumed state and the connection hash key. But, I think we still need the test for the partitioning of TLS client certificates. Bug 1664998 was opened for it.

Flags: needinfo?(tihuang)
QA Whiteboard: qa-not-actionable
You need to log in before you can comment on or make changes to this bug.