Closed Bug 1354248 Opened 7 years ago Closed 2 years ago

Allow privileged about content process use page-icon protocol

Categories

(Toolkit :: Places, enhancement, P5)

Product:
Toolkit
Component:
Places
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
103 Branch
Tracking Flags:
Tracking Status
firefox103 --- fixed

People

(Reporter: ursula, Assigned: mconley)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [fxsearch])

Attachments

(4 files, 1 obsolete file)

Bug 1354248 - Part 1: Split PageThumbStreamGetter into a common utility class. r?#necko-reviewers!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1354248 - Part 2: Abstract out the IPC message that RemoteStreamGetter uses. r?#necko-reviewers!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1354248 - Part 3: Supply LoadInfoArgs through the RemoteStreamGetter mechanism. r?#necko-reviewers!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1354248 - Part 4: Make PageIconProtocolHandler use RemoteStreamGetter. r?nika!,mak!,ckerschb!,#necko-reviewers!
48 bytes, text/x-phabricator-request
Details | Review 
The page-icon protocol only works in a chrome privileged scope, would be nice to spec out the work needed to allow the page-icon protocol to be used in content space
Component: Bookmarks & History → Places
Depends on: 1283825
Product: Firefox → Toolkit
Yeah, here the questions are mostly about security. And I don't have answers, so we need someone from network and security to help us.

The protocol only hands-off image content types, and SVG documents. Currently those contents are local only (cached).
Priority: -- → P2
Whiteboard: [fxsearch]
(In reply to Marco Bonardo [::mak] from comment #1)
> Yeah, here the questions are mostly about security. And I don't have
> answers, so we need someone from network and security to help us.

Wennie, can someone on your team advise us here?
Flags: needinfo?(wleung)
Hi Jonathan:can you take a look at this? Thanks!
Flags: needinfo?(wleung) → needinfo?(jkt)
Wennie I actually don't think I am the right person to answer the security implications of exposing this protocol.

This is actually something we needed for containers in Bug 1315616 for extensions.

However we should restrict this protocol to web content being that it might expose the browsers history with the latency of cached icons. As it's not standards backed either it's another reason not to expose to the web.

Out of interest Ursula what use case do you envisage using this protocol for?

Dan is likely a better person to confirm the implications.
Flags: needinfo?(usarracini)
Flags: needinfo?(jkt)
Flags: needinfo?(dveditz)
potentially, we could just need to expose it to just a given whitelist of internal Firefox content pages.
This was filed so that Activity Stream could display icons while being unprivileged. Right now it uses data URIs to display favicons for things like top sites, but eventually we want to be able to use the page-icon protocol while also running in content.
Flags: needinfo?(usarracini)
Ah does it override about:newtab then.
We in containers basically guess at favicons for a similar use-case (although there is the annoyance of favicons from different containers too which I dunno how we should handle that). In our case we actually don't always have the favicon in the cache when the user loads the URL.
So Activity Stream doesn't actually "override" about:newtab, it just becomes the default about:newtab... aboutNewTabService.js finds outs if Activity Stream is enabled via a pref, and if so, lets about:newtab load Activity Stream's resource page instead of the other one. So it gets all the same behavior of the current about:newtab.
I spoke to Dan about this at the all hands and he seemed to think it was ok. If the icons were to be injected into web content we should check to see that a canvas element can't read in the URL so to prevent the page capturing history.

If the icons were just opened up to the new tab page we might be ok too. I don't think extensions have the ability to inject content scripts into the new tab page.


I still think it would be more useful to check the favicon store and if not present fetch the URL and get the icon this may actually reduce some of the privacy risk also.
Duh, bug 1385864. Ignore above.
I'm adding a "whitelisted" to the title, since I don't think it should be exposed globally. In particular, just fetching the favicon for a page, it would be possible to extrapolate the user's history.
Summary: Allow content to use page-icon protocol → Allow whitelisted content origins to use page-icon protocol
Blocks: 1425299
Priority: P2 → P3
Flags: needinfo?(dveditz)
Severity: normal → S4
Priority: P3 → P5

We jump through a variety of hoops to get favicons to show up in things like about:home / about:newtab. It looks like sometimes we work around this by using data URIs. If we were able to use the page-icon service from the privileged about content process, we could side-step most of that complexity and probably improve memory usage while we're at it (since each data URI is a potentially large string that each about:newtab will hold in memory).

Assignee: nobody → mconley
Summary: Allow whitelisted content origins to use page-icon protocol → Allow privileged about content process use page-icon protocol

See bug 1184701 for a similar effort where we made the page thumbnail protocol work from the privileged about content process.

See Also: → 1184701

Hey mak, any objections if I try to move this forward?

Flags: needinfo?(mak)

I think the only concern is related to security/privacy, that boils down to our isolation safety, since if a third party should get access to this data from content they could extract info about the user history. I don't think it's a major problem considered that would be a break of our privileged/unprivileged boundary with a lot more implications.

About the implementation, as pointed out on Matrix, it will likely require IPC because other processed can't read from db.

Flags: needinfo?(mak)

Hey nika,

I've just started setting up the boilerplate for getting the page-icon:// protocol to work from the privileged about content process. It's at the point where it compiles, but that's it - I haven't actually done the interesting part where I pass the stream from the parent process down to content. Apparently, you have some goodies in the works that might make this easier for me to do? Are there any examples I can look at?

Flags: needinfo?(nika)

We discussed the possibilities a bit on matrix, so clearing ni

Flags: needinfo?(nika)

Hey nika,

Thanks for all your help so far! So what I have in https://phabricator.services.mozilla.com/D145622 mostly works - I can get page-icon: URIs loading in the privileged about content process when they point at an existing favicon. Yay!

What doesn't appear to work is the failure case, when a favicon doesn't exist (if you, for example, request page-icon:https://www.page-does-not-exist.com), we fail to get the default icon streamed down to the content process. I'm not sure why that is...

I'm creating a Pipe and passing the nsIOutputStream along to the FaviconDataCallback thing to have the existing infrastructure write to, and then on the other side of the pipe, I'm using NS_AsyncCopy to copy the nsIInputStream down to the DataPipeSender. I'm not 100% sure why the Pipe is necessary - if I just pass the DataPipeSender to the FaviconDataCallback to write to, the content process doesn't seem to get it.

At any rate, in the failure case, when no favicon can be found, we go through some rigamarole to get the default favicon here: https://searchfox.org/mozilla-central/rev/390f7009e9e5a9585297aeea5fb9202f800eaf12/toolkit/components/places/PageIconProtocolHandler.cpp#57-104

My patch mostly keeps that the same except for making the nsCOMPtr<nsIChannel> a Maybe<nsCOMPtr<nsIChannel>>.

Any idea why the default favicon case isn't working? And is there a reason I need the Pipe and can't just ->Write into the DataPipeSender?

Flags: needinfo?(nika)

I left some comments in the phabricator revision, so clearing this needinfo

Flags: needinfo?(nika)
Attachment #9275258 - Attachment description: WIP: Bug 1354248 - Allow privileged about content process use page-icon protocol. r?valentin!,mak! → Bug 1354248 - Allow privileged about content process use page-icon protocol. r?nika!,ckerschb!,mak!
Attachment #9275258 - Attachment is obsolete: true
Attachment #9278193 - Attachment description: WIP: Bug 1354248 - Supply LoadInfoArgs stuff. → WIP: Bug 1354248 - Supply LoadInfoArgs through the RemoteStreamGetter mechanism. r?necko-reviewers!
Attachment #9278194 - Attachment description: WIP: Bug 1354248 - Part 3: Make PageIconProtocolHandler use RemoteStreamGetter. → WIP: Bug 1354248 - Part 4: Make PageIconProtocolHandler use RemoteStreamGetter. r?nika!,mak!,ckerschb!,necko-reviewers!
Attachment #9277950 - Attachment description: WIP: Bug 1354248 - Part 1: Split PageThumbStreamGetter into a common utility class. r?valentin! → WIP: Bug 1354248 - Part 1: Split PageThumbStreamGetter into a common utility class. r?necko-reviewers!
Attachment #9277951 - Attachment description: WIP: Bug 1354248 - Part 2: Abstract out the IPC message that RemoteStreamGetter uses. r?valentin! → WIP: Bug 1354248 - Part 2: Abstract out the IPC message that RemoteStreamGetter uses. r?necko-reviewers!
Attachment #9278193 - Attachment description: WIP: Bug 1354248 - Supply LoadInfoArgs through the RemoteStreamGetter mechanism. r?necko-reviewers! → WIP: Bug 1354248 - Part 3: Supply LoadInfoArgs through the RemoteStreamGetter mechanism. r?necko-reviewers!
Attachment #9277950 - Attachment description: WIP: Bug 1354248 - Part 1: Split PageThumbStreamGetter into a common utility class. r?necko-reviewers! → Bug 1354248 - Part 1: Split PageThumbStreamGetter into a common utility class. r?#necko-reviewers!
Attachment #9277951 - Attachment description: WIP: Bug 1354248 - Part 2: Abstract out the IPC message that RemoteStreamGetter uses. r?necko-reviewers! → Bug 1354248 - Part 2: Abstract out the IPC message that RemoteStreamGetter uses. r?#necko-reviewers!
Attachment #9278193 - Attachment description: WIP: Bug 1354248 - Part 3: Supply LoadInfoArgs through the RemoteStreamGetter mechanism. r?necko-reviewers! → Bug 1354248 - Part 3: Supply LoadInfoArgs through the RemoteStreamGetter mechanism. r?#necko-reviewers!
Attachment #9278194 - Attachment description: WIP: Bug 1354248 - Part 4: Make PageIconProtocolHandler use RemoteStreamGetter. r?nika!,mak!,ckerschb!,necko-reviewers! → Bug 1354248 - Part 4: Make PageIconProtocolHandler use RemoteStreamGetter. r?nika!,mak!,ckerschb!,#necko-reviewers!

ni?ing myself to send a message to firefox-dev about this capability once this lands and sticks.

Flags: needinfo?(mconley)
Pushed by mconley@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0f60dbe1d87b
Part 1: Split PageThumbStreamGetter into a common utility class. r=necko-reviewers,kershaw
https://hg.mozilla.org/integration/autoland/rev/12c098c6d1a5
Part 2: Abstract out the IPC message that RemoteStreamGetter uses. r=necko-reviewers,kershaw
https://hg.mozilla.org/integration/autoland/rev/3bbdfa6e9b99
Part 3: Supply LoadInfoArgs through the RemoteStreamGetter mechanism. r=necko-reviewers,kershaw
https://hg.mozilla.org/integration/autoland/rev/2f3bf2d5f1a6
Part 4: Make PageIconProtocolHandler use RemoteStreamGetter. r=necko-reviewers,nika,mak,ckerschb,kershaw

Sent a message to firefox-dev: https://groups.google.com/g/firefox-dev/c/-FJSd_mbsNE

Flags: needinfo?(mconley)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: