Closed Bug 1344170 Opened 3 years ago Closed 3 years ago

set firstPartyDomain for blob: URI

Categories

(Core :: DOM: Security, enhancement, P2)

Tracking

RESOLVED FIXED
mozilla55
Tracking Status
firefox55 --- fixed

People

(Reporter: allstars.chh, Assigned: allstars.chh)

References

(Blocks 1 open bug)

Details

(Whiteboard: [tor][domsecurity-active])

Attachments

(1 file, 3 obsolete files)

See smaug's comment in https://bugzilla.mozilla.org/show_bug.cgi?id=1300671#c5

For example, we could create a URL by:

let url = URL.createObjectURL(new Blob([`<script src="https://apis.google.com/js/api.js"></script>`],{'type': 'text/html'}));

window.open(url, "_blank");

Then the top-level URI will be something like "blob:https://www.google.com.tw/{uuid}",
and it will fetch the script through the network.
We need to check if this is a potential tracking mechanism.
Priority: -- → P2
Whiteboard: [tor][domsecurity-active]
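
An added illustration (not part of the bug report or of Gecko's patch) of why a top-level blob: document needs its firstPartyDomain taken from the URL embedded in the blob: URI: a blob: URL has an empty host, so a key derived from the host alone would be identical for blob documents created by any site. The suffix set, the function names, the key format and the sample URLs are assumptions made for this example.

```javascript
// Added illustration, not Gecko code. PUBLIC_SUFFIXES is a constructed
// stand-in for the Public Suffix List, just large enough for the samples.
const PUBLIC_SUFFIXES = new Set(["com", "org", "test", "tw", "com.tw"]);

// Registrable domain (eTLD+1): longest matching public suffix plus one label.
function baseDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? "" : labels.slice(i - 1).join(".");
    }
  }
  return host; // no known suffix (IP address, "localhost"): use the host
}

// First-party domain of a top-level URL. A blob: URL has no host of its own
// ("blob:https://site/{uuid}"), so the creator's URL after the scheme is
// unwrapped before the host is read.
function firstPartyDomain(topLevelUrl) {
  let url = new URL(topLevelUrl);
  if (url.protocol === "blob:") {
    try {
      url = new URL(url.pathname);
    } catch (e) {
      return ""; // "blob:null/{uuid}": created by an opaque origin
    }
  }
  return url.hostname ? baseDomain(url.hostname) : "";
}

// Hypothetical partition key: third-party state is stored per
// (first-party domain of the top-level document, resource origin).
function isolationKey(topLevelUrl, resourceUrl) {
  return firstPartyDomain(topLevelUrl) + "|" + new URL(resourceUrl).origin;
}

// Constructed sample URLs; the UUIDs are made up.
const SCRIPT = "https://apis.google.com/js/api.js";
const BLOB_A = "blob:https://www.google.com.tw/11111111-2222-3333-4444-555555555555";
const BLOB_B = "blob:https://www.example.org/66666666-7777-8888-9999-000000000000";
console.log(isolationKey(BLOB_A, SCRIPT));
console.log(isolationKey(BLOB_B, SCRIPT));
```

With the unwrapping step, the script loaded from the blob document shares a partition with the page that created the blob and stays separate from blob documents created by other sites.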
Attached patch Patch. (obsolete) — Splinter Review
Attached patch Patch. (obsolete) — Splinter Review
Attachment #8858768 - Attachment is obsolete: true
Attached patch Patch. (obsolete) — Splinter Review
Attachment #8859135 - Attachment is obsolete: true
Attached patch Patch. — Splinter Review
Attachment #8859436 - Attachment is obsolete: true
Attachment #8860250 - Flags: review?(bugs)
Comment on attachment 8860250 [details] [diff] [review]
Patch.

>+  // We verify the blob document has correct origin attributes.
>+  // Then we inject an iframe to it.
>+  yield ContentTask.spawn(browser, { firstPartyDomain: BASE_DOMAIN }, function* (attrs) {
>+    Assert.ok(content.document.documentURI.startsWith("blob:http://mochi.test:8888/"),
>+              "the document URI should be a blob URI.");
>+    info("origin " + content.document.nodePrincipal.origin);
>+    Assert.equal(content.document.nodePrincipal.originAttributes.firstPartyDomain,
>+                 attrs.firstPartyDomain, "The document should have firstPartyDomain");
>+
>+    let iframe = content.document.createElement("iframe");
>+    iframe.src = "http://example.com";
>+    iframe.id = "iframe1";
>+    content.document.body.appendChild(iframe);
>+  });
>+
>+  // Wait for the iframe to be loaded.
>+  yield BrowserTestUtils.browserLoaded(browser, true, function(url) {
>+    info("BrowserTestUtils.browserLoaded iframe url=" + url);
>+    return url == "http://example.com/";
>+  });
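Review bot: the browserLoaded wait at the end of this hunk is only set up after the ContentTask.spawn call that appends the iframe has resolved, so the load of http://example.com/ can finish before anything is listening for it and the test would then sit until it times out. Create the promise first (let loaded = BrowserTestUtils.browserLoaded(browser, true, ...)), then spawn the task that appends the iframe, then yield loaded.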
Why isn't this racy? Why can't the iframe have loaded already here?

>+function frame_script() {
>+  let url = content.window.URL.createObjectURL(new content.window.Blob([
>+    `<script src="http://mochi.test:8888/browser/browser/components/originattributes/test/browser/test.js"></script>`],
>+    {"type": "text/html"}));
>+
>+  content.document.location = url;
>+}
>+
>+add_task(function* test_blob_uri_inherit_oa_from_data() {
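Review bot: the task name test_blob_uri_inherit_oa_from_data promises inheritance from a data: document, but frame_script calls createObjectURL in whatever document the content window currently holds and nothing in this hunk navigates to a data: URI. Either load a data: document before running the frame script, or rename the task and add a comment stating which document creates the blob.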
What is the data URL here?

>+  let win = yield BrowserTestUtils.openNewBrowserWindow({ remote: true });
>+  let browser = win.gBrowser.selectedBrowser;
>+
>+  let mm = browser.messageManager;
>+  mm.loadFrameScript("data:,(" + frame_script.toString() + ")();", true);
>+
>+  yield BrowserTestUtils.browserLoaded(browser, false, function(url) {
>+    info("BrowserTestUtils.browserLoaded data url=" + url);
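Review bot: browserLoaded is called after loadFrameScript has already queued the script that sets content.document.location, so the wait should be created before the frame script is loaded and yielded afterwards. The info() label "data url=" also mislabels what is being waited for, since the navigation started by frame_script is to the blob: URL.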
data URL? Didn't we just load a blob URL?



>+  // data: URI will have NullPrincipal, and blob: URI will inherit the origin
>+  // attributes from data: URI.
I don't understand what data: URL you're talking about. The frame script created a blob URI.

Clarify the test a bit.
Attachment #8860250 - Flags: review?(bugs) → review+
(In reply to Olli Pettay [:smaug] from comment #5)
> >+  // Wait for the iframe to be loaded.
> >+  yield BrowserTestUtils.browserLoaded(browser, true, function(url) {
> >+    info("BrowserTestUtils.browserLoaded iframe url=" + url);
> >+    return url == "http://example.com/";
> >+  });
> Why isn't this racy? Why can't the iframe have loaded already here?
>
Thanks, I'll remove it.
 
> I don't understand what data: URL you're talking about. The frame script created
> a blob URI.
> 
> Clarify the test a bit.
I also think the test is confusing, I'll also remove this.
Pushed by yhuang@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/89407b3607a2
set firstPartyDomain on blob: URI. r=smaug
https://hg.mozilla.org/mozilla-central/rev/89407b3607a2
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55