Closed
Bug 1438781
Opened 7 years ago
Closed 5 years ago
Improve handling permission requests from null principal pages
Categories
(Firefox :: Site Permissions, enhancement, P2)
RESOLVED
WORKSFORME
 | Tracking | Status |
---|---|---|
firefox60 | --- | affected |
People
(Reporter: johannh, Unassigned)
When we receive a permission request from e.g. a sandboxed iframe without allow-same-origin, we exhibit an incredibly bad behavior right now. The promise is just left dangling because we never end up showing a permission prompt because of https://searchfox.org/mozilla-central/rev/74b7ffee403c7ffd05b8b476c411cbf11d134eb9/browser/modules/PermissionUI.jsm#253
This doesn't happen for WebRTC prompts which have their own UI code, though we're considering/planning to disallow null-principals in bug 1371741 there.
This can be tested on https://joo.crater.uberspace.de/frame-permissions.html (in the sandboxed permission.site)
Chrome just throws a Security Exception in all these cases because they have implemented Feature Policy and sites can go around this by explicitly setting allow="geolocation". I would really love to have Feature Policy (https://github.com/mozilla/standards-positions/issues/24).
We could do the same (throw a security exception), or use the documentURI of the page. Either way we should do something about this.
Reporter
Updated•7 years ago
Summary: Improve handling permissions from null principal pages → Improve handling permission requests from null principal pages
Updated•7 years ago
Assignee: nobody → prathikshaprasadsuman
Status: NEW → ASSIGNED
Updated•6 years ago
Assignee: prathikshaprasadsuman → nobody
Status: ASSIGNED → NEW
Updated•5 years ago
Component: Site Identity → Site Permissions
Reporter
Comment 1•5 years ago
We have Feature Policy and Permission Delegation now 🤝
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
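The two cases in the description (a sandboxed iframe without allow-same-origin, and one that also sets allow="geolocation") can be told apart from the embedding markup alone. The following is an added example, not code from Firefox or Chrome and not part of the bug thread. It is a simplified model: the function names, outcome labels and sample frames are made up here, and the allowlist handling ('src' as the default, only 'src' or * covering an opaque origin) is an assumption.

```javascript
// Added example: simplified model, not Firefox or Chrome code.

// Split an HTML space-separated attribute value into lowercase tokens.
function tokens(value) {
  return value.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean);
}

// A sandboxed frame has an opaque origin (a null principal in Gecko terms)
// unless its sandbox attribute carries allow-same-origin.
// sandbox === null means the attribute is absent; "" means fully sandboxed.
function hasOpaqueOrigin(sandbox) {
  return sandbox !== null && !tokens(sandbox).includes("allow-same-origin");
}

// Parse allow="feature [allowlist]; ..." into Map(feature -> allowlist).
// Assumption: a feature named without an allowlist defaults to 'src'.
function parseAllow(allow) {
  const policy = new Map();
  for (const directive of allow.split(";")) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/).filter(Boolean);
    if (feature) policy.set(feature.toLowerCase(), allowlist.length ? allowlist : ["'src'"]);
  }
  return policy;
}

// Classify one frame for one feature (outcome labels are hypothetical).
function classifyFrame({ sandbox = null, allow = "" }, feature) {
  if (!hasOpaqueOrigin(sandbox)) return "has-origin";
  const allowlist = parseAllow(allow).get(feature) || [];
  // Assumption: only 'src' or * can cover an opaque origin; a concrete
  // origin or 'self' names a real origin and cannot match it.
  const delegated = allowlist.includes("'src'") || allowlist.includes("*");
  return delegated ? "opaque-delegated" : "opaque-undelegated";
}

// Constructed sample frames (attribute values only, no real sites).
const SAMPLE_FRAMES = [
  { name: "plain", sandbox: null, allow: "" },
  { name: "sandboxed", sandbox: "allow-scripts", allow: "" },
  { name: "same-origin", sandbox: "allow-scripts allow-same-origin", allow: "" },
  { name: "delegated", sandbox: "allow-scripts", allow: "camera; geolocation" },
  { name: "self-only", sandbox: "", allow: "geolocation 'self'" },
];

function auditFrames(frames, feature) {
  return Object.fromEntries(frames.map((f) => [f.name, classifyFrame(f, feature)]));
}

console.log(auditFrames(SAMPLE_FRAMES, "geolocation"));
```

Frames reported as "opaque-undelegated" are the ones the description is about: the embedded document has no usable origin to key a permission on and nothing in the markup delegates the feature to it.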