Closed Bug 1410364 Opened 7 years ago Closed 7 years ago

opener shouldn't be used when deciding if a webpage is a secure context

Categories

(Core :: DOM: Security, enhancement, P1)

Product:
Core
Component:
DOM: Security
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla59
Tracking Flags:
Tracking Status
firefox59 --- fixed

People

(Reporter: jkt, Assigned: kmckinley)

References

(Blocks 1 open bug,
URL
)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file, 6 obsolete files)

Always ignore the window opener when calculating secure context
18.49 KB, patch
kmckinley
: review+
Details | Diff | Splinter Review 
Given the recent change in the specification: https://github.com/w3c/webappsec-secure-contexts/issues/42 we should follow suit to remove the risk of breaking websites.

We should change our implementation of isSecureContext to our implementation of isSecureContextIfOpenerIgnored and remove the relevant code.
Assignee: nobody → kmckinley
Priority: -- → P1
Whiteboard: [domsecurity-active]

        Attachment #8925823 -
        Flags: review?(dveditz)

        Attachment #8925823 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 8925823 [details] [diff] [review]
Always ignore the window opener when calculating secure context

Review of attachment 8925823 [details] [diff] [review]:
-----------------------------------------------------------------

::: toolkit/components/passwordmgr/test/browser/browser_http_autofill.js
@@ +22,2 @@
>  add_task(async function test_http_autofill() {
>    for (let scheme of ["http", "https"]) {

Did you intend to keep this test commented out? We normally don't land commented-out code.

        Attachment #8925823 -
        Flags: feedback-

    
    

    
  
Comment on attachment 8925823 [details] [diff] [review]
Always ignore the window opener when calculating secure context

>+++ b/testing/web-platform/meta/secure-contexts/basic-popup-and-iframe-tests.html.ini

Please pull in https://github.com/w3c/web-platform-tests/commit/dd83f891b80aa9b05e5fe35d1680e53c6a435b07 instead, since that already exists.  If you just land it on our side as part of your changes, the merge with upstream will be a no-op and everything will be happy without us losing test coverage at any point.

>+++ b/toolkit/components/passwordmgr/test/browser/browser.ini
>+  form_cross_origin_insecure_action.html

This file is not in the diff, nor is it used by anything in the patch.  Why this change?

> +++ b/toolkit/components/passwordmgr/test/browser/browser_http_autofill.js

Please either just remove the commented-out code if it's no longer needed or document clearly why it's commented out.

The code changes look awesome, but r- for the test issues.

        Attachment #8925823 -
        Flags: review?(bzbarsky) → review-

    
    

    
  
Comment on attachment 8925823 [details] [diff] [review]
Always ignore the window opener when calculating secure context

Review of attachment 8925823 [details] [diff] [review]:
-----------------------------------------------------------------

Took a quick skim and it looks good, but I'll wait to r+ the next version bz asked for.

        Attachment #8925823 -
        Flags: review?(dveditz)

    
    

    
  


  
Fixed the issues from comments 2 and 3.

The reason I added form_cross_origin_insecure_action.html to browser.ini is that when I ran the tests locally as a single test, it wasn't copied over, so that portion of the test would fail. I moved it over specifically to under toolkit/components/passwordmgr/test/browser/browser_http_autofill.js so that the dependency is more clear.

try run:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=2287184bc2286c34b70efa26ea5dab6e4001a853

        Attachment #8925823 -
        Attachment is obsolete: true

        Attachment #8928361 -
        Flags: review?(dveditz)

        Attachment #8928361 -
        Flags: review?(bzbarsky)

        Attachment #8928361 -
        Flags: feedback?(MattN+bmo)

    
    

    
  
Comment on attachment 8928361 [details] [diff] [review]
Always ignore the window opener when calculating secure context

>+support-files =
>+  form_cross_origin_insecure_action.html

Ah, thank you for explaining what's going on here.

This test (browser_http_autofill.js) also needs form_cross_origin_secure_action.html as a support file, right?  Do you mind adding it here as well?

r=me

        Attachment #8928361 -
        Flags: review?(bzbarsky) → review+
Status: NEW → ASSIGNED

    
    

    
  
Comment on attachment 8928361 [details] [diff] [review]
Always ignore the window opener when calculating secure context

Review of attachment 8928361 [details] [diff] [review]:
-----------------------------------------------------------------

Thank you very much for cleaning this up Kate!

        Attachment #8928361 -
        Flags: feedback?(MattN+bmo) → feedback+

    
    

    
  
Comment on attachment 8928360 [details] [diff] [review]
Pull over the secure context test changes from Mike West

Review of attachment 8928360 [details] [diff] [review]:
-----------------------------------------------------------------

Awesome, great stuff!

        Attachment #8928360 -
        Flags: review?(ckerschb) → review+

    
    

    
  
Comment on attachment 8928361 [details] [diff] [review]
Always ignore the window opener when calculating secure context

Review of attachment 8928361 [details] [diff] [review]:
-----------------------------------------------------------------

r=dveditz

        Attachment #8928361 -
        Flags: review?(dveditz) → review+

    
    

    
  


  

        Attachment #8928360 -
        Attachment is obsolete: true

        Attachment #8930586 -
        Flags: review+
Keywords: checkin-needed

    
    

    
  
Comment on attachment 8930586 [details] [diff] [review]
Pull over the secure context test changes from Mike West

This already landed by way of bug 1419296.

        Attachment #8930586 -
        Attachment is obsolete: true

    
    

    
  
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/681fece780ae
Don't consider opener when calculating IsSecureContext. r=bz, r=dveditz
Keywords: checkin-needed

    
    

    
  


  
1) Rebased
2) Remove .ini file for Web Platform Tests

https://treeherder.mozilla.org/#/jobs?repo=try&revision=163f63df2ba0eabae218a5ce6921c5936d22f7b1

Will mark as checkin-needed when tests finish

        Attachment #8930591 -
        Attachment is obsolete: true
Flags: needinfo?(kmckinley)

        Attachment #8932190 -
        Flags: review+

    
    

    
  


  
Rebased to current

        Attachment #8932190 -
        Attachment is obsolete: true

        Attachment #8933003 -
        Flags: review+
Keywords: checkin-needed

    
    

    
  
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6784a27f54ff
Don't consider opener when calculating IsSecureContext. r=bz, r=dveditz
Keywords: checkin-needed

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/6784a27f54ff
Status: ASSIGNED → RESOLVED
Closed: 7 years ago

          status-firefox59:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla59

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: