Closed
Bug 1439879
Opened 6 years ago
Closed 6 years ago
navigations that redirect from a controlled scope to uncontrolled scope do not clear their controller in e10s mode
Categories
(Core :: DOM: Service Workers, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla60
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | disabled |
| firefox58 | --- | unaffected |
| firefox59 | --- | unaffected |
| firefox60 | --- | fixed |
People
(Reporter: johnp, Assigned: bkelly)
References
Details
(Keywords: crash, csectype-sop, sec-critical)
Crash Data
Attachments
(1 file)
|
5.18 KB,
patch
|
asuth
:
review+
|
Details | Diff | Splinter Review |
+++ This bug was initially created as a clone of Bug #1433454 +++ Crash report bp-ce361a64-3475-42dc-b35c-1d4ef0180217 ============================================================= Top 10 frames of crashing thread: 0 libxul.so mozilla::dom::ClientSource::WindowExecutionReady(nsPIDOMWindowInner*) [clone .cold.182] 1 libxul.so nsGlobalWindowInner::ExecutionReady dom/base/nsGlobalWindowInner.cpp:1918 2 libxul.so nsGlobalWindowOuter::SetNewDocument(nsIDocument*, nsISupports*, bool) 3 libxul.so nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) 4 libxul.so nsDocumentViewer::Init layout/base/nsDocumentViewer.cpp:666 5 libxul.so nsDocShell::SetupNewViewer(nsIContentViewer*) 6 libxul.so nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) 7 libxul.so nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) 8 libxul.so nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) 9 libxul.so nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) 10 libxul.so nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) ============================================================= This crash happens on my profile in the tab that is opened, whenever I (left-)click outgoing YouTube links from video descriptions. Interestingly enough, it doesn't happen for outgoing twitter.com links, but every other outgoing link I've tried crashed. I cannot reproduce this on a fresh profile, even after adding some of my add-ons and changing preferences that I thought could be connected in accordance with my main profile. Logging into my google account also didn't help in trying to reproduce on the fresh profile.
|
Assignee | |
Comment 1•6 years ago
|
||
Can you please open "about:support" in the affected profile, copy to text, and then paste here? Thanks!
Flags: needinfo?(johnp)
|
Reporter | |
Comment 2•6 years ago
|
||
Application Basics ------------------ Name: Firefox Version: 60.0a1 Build ID: 20180221102240 Update Channel: nightly User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0 OS: Linux 4.15.3-300.fc27.x86_64 Multiprocess Windows: 1/1 (Enabled by default) Web Content Processes: 4/8 Stylo: content = true (enabled by default), chrome = true (enabled by default) Google Key: Found Mozilla Location Service Key: Found Safe Mode: false Crash Reports for the Last 3 Days --------------------------------- Report ID: bp-9ed69a7d-0af5-499f-894a-7d8100180221 Submitted: 5 hours ago Report ID: bp-33490c2b-642a-472c-b5ab-9fa610180221 Submitted: 6 hours ago Report ID: bp-5e4d12ba-669b-4269-835e-241500180221 Submitted: 6 hours ago Report ID: bp-e3050dfe-d8e0-4fc4-b107-8e9f00180221 Submitted: 6 hours ago All Crash Reports (including 1 pending crash in the given time range) Nightly Features ---------------- Name: Activity Stream Version: 2018.02.16.1222-a050adee ID: activity-stream@mozilla.org Name: Application Update Service Helper Version: 2.0 ID: aushelper@mozilla.org Name: Firefox Screenshots Version: 29.0.0 ID: screenshots@mozilla.org Name: Follow-on Search Telemetry Version: 0.9.6 ID: followonsearch@mozilla.com Name: Form Autofill Version: 1.0 ID: formautofill@mozilla.org Name: Photon onboarding Version: 1.0 ID: onboarding@mozilla.org Name: Pocket Version: 1.0.5 ID: firefox@getpocket.com Name: Presentation Version: 1.0.0 ID: presentation@mozilla.org Name: Shield Recipe Client Version: 83 ID: shield-recipe-client@mozilla.org Name: Web Compat Version: 1.1 ID: webcompat@mozilla.org Name: WebCompat Reporter Version: 1.0.0 ID: webcompat-reporter@mozilla.org Extensions ---------- Name: bitwarden - Free Password Manager Version: 1.24.0 Enabled: true ID: {446900e4-71c2-419f-a6a7-df9c091e268b} Name: BugzillaJS Version: 4.2.1 Enabled: true ID: jid0-NgMDcEu2B88AbzZ6ulHodW9sJzA@jetpack Name: CanvasBlocker Version: 0.4.4b Enabled: true ID: CanvasBlocker@kkapsner.de Name: Cookie AutoDelete Version: 2.1.2 Enabled: true ID: CookieAutoDelete@kennydo.com Name: Dark Mode Version: 0.2.3 Enabled: true ID: {174b2d58-b983-4501-ab4b-07e71203cb43} Name: Decentraleyes Version: 2.0.2 Enabled: true ID: jid1-BoFifL9Vbdl2zQ@jetpack Name: Dict.cc Translation Version: 5.3 Enabled: true ID: searchdictcc@roughael Name: Don't touch my tabs! (rel=noopener) Version: 1.0 Enabled: true ID: {6b938c0c-fc53-4f27-805f-619778631082} Name: DuckDuckGo Privacy Essentials Version: 2018.1.22beta Enabled: true ID: jid1-ZAdIEUB7XOzOJw@jetpack Name: Google search link fix Version: 1.6.6 Enabled: true ID: jid0-XWJxt5VvCXkKzQK99PhZqAn7Xbg@jetpack Name: Greasemonkey Version: 4.3beta4 Enabled: true ID: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} Name: HTTPS Everywhere Version: 2018.1.29 Enabled: true ID: https-everywhere-eff@eff.org Name: Iridium Version: 0.0.9 Enabled: true ID: iridium@particlecore.github.io Name: NoScript Version: 10.1.6.6rc2 Enabled: true ID: {73a6fe31-595d-460b-a920-fcc0f8843232} Name: OneTab Version: 1.25 Enabled: true ID: extension@one-tab.com Name: Open in Reader View Version: 0.2.0 Enabled: true ID: jid0-fgmjSq5kJtop0oO9u5hJj@jetpack Name: Racism Simulator Version: 1.3 Enabled: true ID: {24966bf9-1f0a-48b0-8745-7a02dc5ff345} Name: Reddit Enhancement Suite - Beta Version: 5.10.3beta Enabled: true ID: jid1-xUfzOsOFlzSOXg@jetpack Name: Snap Links Version: 3.1.1.3 Enabled: true ID: snaplinks@snaplinks.mozdev.org Name: uBlock Origin Version: 1.15.11b0 Enabled: true ID: uBlock0@raymondhill.net Name: Video Speed Controller Version: 0.4.9.4 Enabled: true ID: {7be2ba16-0f1e-4d93-9ebc-5164397477a9} Name: About Sync extension for Firefox Version: 0.0.19 Enabled: false ID: aboutsync@mhammond.github.com Name: Automatic Save Folder Version: 1.0.4.1-signed Enabled: false ID: asf@mangaheart.org Name: Cahoots Version: 1.2.0 Enabled: false ID: jid1-mQ1GT2z5DSpT9g@jetpack Name: Dark Background and Light Text Version: 0.6.8 Enabled: false ID: jid1-QoFqdK4qzUfGWQ@jetpack Name: Extension source viewer Version: 1.6.3 Enabled: false ID: crxviewer-firefox@robwu.nl Name: Firefox Lightbeam Version: 2.1.0 Enabled: false ID: jid1-F9UJ2thwoAm5gQ@jetpack Name: Flagfox Version: 6.0.1 Enabled: false ID: {1018e4d6-728f-4b20-ad56-37578a4de76b} Name: Forget that page Version: 1.6.0 Enabled: false ID: forgetthatpage@firefox Name: Honey Version: 10.6.4 Enabled: false ID: jid1-93CWPmRbVPjRQA@jetpack Name: LeechBlock NG Version: 0.9 Enabled: false ID: leechblockng@proginosko.com Name: Link Properties Plus Version: 1.6.2pre2 Enabled: false ID: linkPropertiesPlus@infocatcher Name: Nightly Tester Tools Version: 4.0pre20170912 Enabled: false ID: {8620c15f-30dc-4dba-a131-7c5d20cf4a29} Name: Print Edit WE Version: 21.4 Enabled: false ID: printedit-we@DW-dev Name: Self-Destructing Cookies Version: 0.4.12-pre1 Enabled: false ID: jid0-9XfBwUWnvPx4wWsfBWMCm4Jj69E@jetpack Name: Session Manager Version: 0.8.1.13pre20170130b Enabled: false ID: {1280606b-2510-4fe0-97ef-9b5a22eafe30} Name: SoundFixer Version: 1.0.1 Enabled: false ID: soundfixer@unrelenting.technology Name: Tab Mix Plus Version: 0.5.0.5pre.170827a2 Enabled: false ID: {dc572301-7619-498c-a57d-39143191b318} Name: Tab Mix WebExtension (experimental) Version: 0.0.1.1802021beta Enabled: false ID: webext@tabmixplus.org Name: Terms of Service; Didn’t Read Version: 0.6.2pre1 Enabled: false ID: jid0-3GUEt1r69sQNSrca5p8kx9Ezc3U@jetpack Name: Test Pilot Version: 2.0.7-dev-b9268d2 Enabled: false ID: @testpilot-addon Name: uBO-Scope Version: 0.1.10 Enabled: false ID: uBO-Scope@raymondhill.net Name: Wappalyzer Version: 5.4.8 Enabled: false ID: wappalyzer@crunchlabz.com Name: YouTube Plus Version: 1.9.6 Enabled: false ID: particle@particlecore.github.io Security Software ----------------- Type: Type: Type: Graphics -------- Features Compositing: OpenGL Asynchronous Pan/Zoom: wheel input enabled; scrollbar drag enabled; keyboard enabled; autoscroll enabled WebGL 1 Driver WSI Info: GLX 1.4 GLX_VENDOR(client): Mesa Project and SGI GLX_VENDOR(server): SGI Extensions: GLX_ARB_create_context GLX_ARB_create_context_profile GLX_ARB_create_context_robustness GLX_ARB_fbconfig_float GLX_ARB_framebuffer_sRGB GLX_ARB_get_proc_address GLX_ARB_multisample GLX_EXT_buffer_age GLX_EXT_create_context_es2_profile GLX_EXT_create_context_es_profile GLX_EXT_fbconfig_packed_float GLX_EXT_framebuffer_sRGB GLX_EXT_import_context GLX_EXT_texture_from_pixmap GLX_EXT_visual_info GLX_EXT_visual_rating GLX_INTEL_swap_event GLX_MESA_copy_sub_buffer GLX_MESA_multithread_makecurrent GLX_MESA_query_renderer GLX_MESA_swap_control GLX_OML_swap_method GLX_OML_sync_control GLX_SGIS_multisample GLX_SGIX_fbconfig GLX_SGIX_pbuffer GLX_SGIX_visual_select_group GLX_SGI_make_current_read GLX_SGI_swap_control GLX_SGI_video_sync WebGL 1 Driver Renderer: Intel Open Source Technology Center -- Mesa DRI Intel(R) Sandybridge Desktop WebGL 1 Driver Version: 3.0 Mesa 17.3.5 WebGL 1 Driver Extensions: GL_ARB_multisample GL_EXT_abgr GL_EXT_bgra GL_EXT_blend_color GL_EXT_blend_minmax GL_EXT_blend_subtract GL_EXT_copy_texture GL_EXT_polygon_offset GL_EXT_subtexture GL_EXT_texture_object GL_EXT_vertex_array GL_EXT_compiled_vertex_array GL_EXT_texture GL_EXT_texture3D GL_IBM_rasterpos_clip GL_ARB_point_parameters GL_EXT_draw_range_elements GL_EXT_packed_pixels GL_EXT_point_parameters GL_EXT_rescale_normal GL_EXT_separate_specular_color GL_EXT_texture_edge_clamp GL_SGIS_generate_mipmap GL_SGIS_texture_border_clamp GL_SGIS_texture_edge_clamp GL_SGIS_texture_lod GL_ARB_framebuffer_sRGB GL_ARB_multitexture GL_EXT_framebuffer_sRGB GL_IBM_multimode_draw_arrays GL_IBM_texture_mirrored_repeat GL_3DFX_texture_compression_FXT1 GL_ARB_texture_cube_map GL_ARB_texture_env_add GL_ARB_transpose_matrix GL_EXT_blend_func_separate GL_EXT_fog_coord GL_EXT_multi_draw_arrays GL_EXT_secondary_color GL_EXT_texture_env_add GL_EXT_texture_filter_anisotropic GL_EXT_texture_lod_bias GL_INGR_blend_func_separate GL_NV_blend_square GL_NV_light_max_exponent GL_NV_texgen_reflection GL_NV_texture_env_combine4 GL_S3_s3tc GL_SUN_multi_draw_arrays GL_ARB_texture_border_clamp GL_ARB_texture_compression GL_EXT_framebuffer_object GL_EXT_texture_compression_s3tc GL_EXT_texture_env_combine GL_EXT_texture_env_dot3 GL_MESA_window_pos GL_NV_packed_depth_stencil GL_NV_texture_rectangle GL_ARB_depth_texture GL_ARB_occlusion_query GL_ARB_shadow GL_ARB_texture_env_combine GL_ARB_texture_env_crossbar GL_ARB_texture_env_dot3 GL_ARB_texture_mirrored_repeat GL_ARB_window_pos GL_EXT_stencil_two_side GL_EXT_texture_cube_map GL_NV_depth_clamp GL_APPLE_packed_pixels GL_ARB_draw_buffers GL_ARB_fragment_program GL_ARB_fragment_shader GL_ARB_shader_objects GL_ARB_vertex_program GL_ARB_vertex_shader GL_ATI_draw_buffers GL_ATI_texture_env_combine3 GL_ATI_texture_float GL_EXT_shadow_funcs GL_EXT_stencil_wrap GL_MESA_pack_invert GL_NV_primitive_restart GL_ARB_depth_clamp GL_ARB_fragment_program_shadow GL_ARB_half_float_pixel GL_ARB_occlusion_query2 GL_ARB_point_sprite GL_ARB_shading_language_100 GL_ARB_sync GL_ARB_texture_non_power_of_two GL_ARB_vertex_buffer_object GL_ATI_blend_equation_separate GL_EXT_blend_equation_separate GL_OES_read_format GL_ARB_color_buffer_float GL_ARB_pixel_buffer_object GL_ARB_texture_compression_rgtc GL_ARB_texture_float GL_ARB_texture_rectangle GL_EXT_packed_float GL_EXT_pixel_buffer_object GL_EXT_texture_compression_dxt1 GL_EXT_texture_compression_rgtc GL_EXT_texture_rectangle GL_EXT_texture_sRGB GL_EXT_texture_shared_exponent GL_ARB_framebuffer_object GL_EXT_framebuffer_blit GL_EXT_framebuffer_multisample GL_EXT_packed_depth_stencil GL_APPLE_object_purgeable GL_ARB_vertex_array_object GL_ATI_separate_stencil GL_EXT_draw_buffers2 GL_EXT_draw_instanced GL_EXT_gpu_program_parameters GL_EXT_texture_array GL_EXT_texture_integer GL_EXT_texture_sRGB_decode GL_EXT_timer_query GL_OES_EGL_image GL_ARB_copy_buffer GL_ARB_depth_buffer_float GL_ARB_draw_instanced GL_ARB_half_float_vertex GL_ARB_instanced_arrays GL_ARB_map_buffer_range GL_ARB_texture_rg GL_ARB_texture_swizzle GL_ARB_vertex_array_bgra GL_EXT_texture_swizzle GL_EXT_vertex_array_bgra GL_NV_conditional_render GL_AMD_draw_buffers_blend GL_AMD_seamless_cubemap_per_texture GL_ARB_ES2_compatibility GL_ARB_blend_func_extended GL_ARB_debug_output GL_ARB_draw_buffers_blend GL_ARB_draw_elements_base_vertex GL_ARB_explicit_attrib_location GL_ARB_fragment_coord_conventions GL_ARB_provoking_vertex GL_ARB_sample_shading GL_ARB_sampler_objects GL_ARB_seamless_cube_map GL_ARB_shader_texture_lod GL_ARB_texture_cube_map_array GL_ARB_texture_gather GL_ARB_texture_multisample GL_ARB_texture_query_lod GL_ARB_texture_rgb10_a2ui GL_ARB_uniform_buffer_object GL_ARB_vertex_type_2_10_10_10_rev GL_EXT_provoking_vertex GL_EXT_texture_snorm GL_MESA_texture_signed_rgba GL_NV_texture_barrier GL_ARB_get_program_binary GL_ARB_robustness GL_ARB_separate_shader_objects GL_ARB_shader_bit_encoding GL_ARB_timer_query GL_ARB_transform_feedback2 GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_ARB_compressed_texture_pixel_storage GL_ARB_internalformat_query GL_ARB_map_buffer_alignment GL_ARB_shading_language_420pack GL_ARB_shading_language_packing GL_ARB_texture_storage GL_EXT_framebuffer_multisample_blit_scaled GL_EXT_transform_feedback GL_AMD_shader_trinary_minmax GL_ARB_ES3_compatibility GL_ARB_arrays_of_arrays GL_ARB_clear_buffer_object GL_ARB_copy_image GL_ARB_explicit_uniform_location GL_ARB_invalidate_subdata GL_ARB_program_interface_query GL_ARB_texture_query_levels GL_ARB_texture_storage_multisample GL_ARB_vertex_attrib_binding GL_KHR_debug GL_KHR_robustness GL_ARB_buffer_storage GL_ARB_clear_texture GL_ARB_internalformat_query2 GL_ARB_multi_bind GL_ARB_seamless_cubemap_per_texture GL_ARB_shader_draw_parameters GL_ARB_shader_group_vote GL_ARB_texture_mirror_clamp_to_edge GL_ARB_vertex_type_10f_11f_11f_rev GL_EXT_shader_integer_mix GL_INTEL_performance_query GL_ARB_clip_control GL_ARB_conditional_render_inverted GL_ARB_cull_distance GL_ARB_get_texture_sub_image GL_ARB_pipeline_statistics_query GL_ARB_texture_barrier GL_ARB_transform_feedback_overflow_query GL_EXT_polygon_offset_clamp GL_KHR_blend_equation_advanced GL_KHR_context_flush_control GL_KHR_no_error GL_MESA_shader_integer_functions GL_ARB_polygon_offset_clamp GL_ARB_texture_filter_anisotropic WebGL 1 Extensions: ANGLE_instanced_arrays EXT_blend_minmax EXT_color_buffer_half_float EXT_frag_depth EXT_sRGB EXT_shader_texture_lod EXT_texture_filter_anisotropic EXT_disjoint_timer_query OES_element_index_uint OES_standard_derivatives OES_texture_float OES_texture_float_linear OES_texture_half_float OES_texture_half_float_linear OES_vertex_array_object WEBGL_color_buffer_float WEBGL_compressed_texture_etc WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_depth_texture WEBGL_draw_buffers WEBGL_lose_context WebGL 2 Driver WSI Info: GLX 1.4 GLX_VENDOR(client): Mesa Project and SGI GLX_VENDOR(server): SGI Extensions: GLX_ARB_create_context GLX_ARB_create_context_profile GLX_ARB_create_context_robustness GLX_ARB_fbconfig_float GLX_ARB_framebuffer_sRGB GLX_ARB_get_proc_address GLX_ARB_multisample GLX_EXT_buffer_age GLX_EXT_create_context_es2_profile GLX_EXT_create_context_es_profile GLX_EXT_fbconfig_packed_float GLX_EXT_framebuffer_sRGB GLX_EXT_import_context GLX_EXT_texture_from_pixmap GLX_EXT_visual_info GLX_EXT_visual_rating GLX_INTEL_swap_event GLX_MESA_copy_sub_buffer GLX_MESA_multithread_makecurrent GLX_MESA_query_renderer GLX_MESA_swap_control GLX_OML_swap_method GLX_OML_sync_control GLX_SGIS_multisample GLX_SGIX_fbconfig GLX_SGIX_pbuffer GLX_SGIX_visual_select_group GLX_SGI_make_current_read GLX_SGI_swap_control GLX_SGI_video_sync WebGL 2 Driver Renderer: Intel Open Source Technology Center -- Mesa DRI Intel(R) Sandybridge Desktop WebGL 2 Driver Version: 3.3 (Core Profile) Mesa 17.3.5 WebGL 2 Driver Extensions: GL_3DFX_texture_compression_FXT1 GL_AMD_draw_buffers_blend GL_AMD_seamless_cubemap_per_texture GL_AMD_shader_trinary_minmax GL_AMD_vertex_shader_layer GL_AMD_vertex_shader_viewport_index GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_APPLE_object_purgeable GL_ARB_ES2_compatibility GL_ARB_ES3_compatibility GL_ARB_arrays_of_arrays GL_ARB_base_instance GL_ARB_blend_func_extended GL_ARB_buffer_storage GL_ARB_clear_buffer_object GL_ARB_clear_texture GL_ARB_clip_control GL_ARB_compressed_texture_pixel_storage GL_ARB_conditional_render_inverted GL_ARB_copy_buffer GL_ARB_copy_image GL_ARB_cull_distance GL_ARB_debug_output GL_ARB_depth_buffer_float GL_ARB_depth_clamp GL_ARB_direct_state_access GL_ARB_draw_buffers GL_ARB_draw_buffers_blend GL_ARB_draw_elements_base_vertex GL_ARB_draw_instanced GL_ARB_enhanced_layouts GL_ARB_explicit_attrib_location GL_ARB_explicit_uniform_location GL_ARB_fragment_coord_conventions GL_ARB_fragment_layer_viewport GL_ARB_fragment_shader GL_ARB_framebuffer_object GL_ARB_framebuffer_sRGB GL_ARB_get_program_binary GL_ARB_get_texture_sub_image GL_ARB_half_float_pixel GL_ARB_half_float_vertex GL_ARB_instanced_arrays GL_ARB_internalformat_query GL_ARB_internalformat_query2 GL_ARB_invalidate_subdata GL_ARB_map_buffer_alignment GL_ARB_map_buffer_range GL_ARB_multi_bind GL_ARB_occlusion_query2 GL_ARB_pipeline_statistics_query GL_ARB_pixel_buffer_object GL_ARB_point_sprite GL_ARB_polygon_offset_clamp GL_ARB_program_interface_query GL_ARB_provoking_vertex GL_ARB_robustness GL_ARB_sample_shading GL_ARB_sampler_objects GL_ARB_seamless_cube_map GL_ARB_seamless_cubemap_per_texture GL_ARB_separate_shader_objects GL_ARB_shader_bit_encoding GL_ARB_shader_draw_parameters GL_ARB_shader_group_vote GL_ARB_shader_objects GL_ARB_shader_subroutine GL_ARB_shader_texture_lod GL_ARB_shader_viewport_layer_array GL_ARB_shading_language_420pack GL_ARB_shading_language_packing GL_ARB_sync GL_ARB_texture_barrier GL_ARB_texture_buffer_object GL_ARB_texture_buffer_object_rgb32 GL_ARB_texture_buffer_range GL_ARB_texture_compression_rgtc GL_ARB_texture_cube_map_array GL_ARB_texture_filter_anisotropic GL_ARB_texture_float GL_ARB_texture_gather GL_ARB_texture_mirror_clamp_to_edge GL_ARB_texture_multisample GL_ARB_texture_non_power_of_two GL_ARB_texture_query_levels GL_ARB_texture_query_lod GL_ARB_texture_rectangle GL_ARB_texture_rg GL_ARB_texture_rgb10_a2ui GL_ARB_texture_storage GL_ARB_texture_storage_multisample GL_ARB_texture_swizzle GL_ARB_timer_query GL_ARB_transform_feedback2 GL_ARB_transform_feedback_overflow_query GL_ARB_uniform_buffer_object GL_ARB_vertex_array_bgra GL_ARB_vertex_array_object GL_ARB_vertex_attrib_binding GL_ARB_vertex_shader GL_ARB_vertex_type_10f_11f_11f_rev GL_ARB_vertex_type_2_10_10_10_rev GL_ARB_viewport_array GL_ATI_blend_equation_separate GL_ATI_texture_float GL_EXT_abgr GL_EXT_blend_equation_separate GL_EXT_draw_buffers2 GL_EXT_draw_instanced GL_EXT_framebuffer_blit GL_EXT_framebuffer_multisample GL_EXT_framebuffer_multisample_blit_scaled GL_EXT_framebuffer_sRGB GL_EXT_packed_depth_stencil GL_EXT_packed_float GL_EXT_pixel_buffer_object GL_EXT_polygon_offset_clamp GL_EXT_provoking_vertex GL_EXT_shader_integer_mix GL_EXT_texture_array GL_EXT_texture_compression_dxt1 GL_EXT_texture_compression_rgtc GL_EXT_texture_compression_s3tc GL_EXT_texture_filter_anisotropic GL_EXT_texture_integer GL_EXT_texture_sRGB GL_EXT_texture_sRGB_decode GL_EXT_texture_shared_exponent GL_EXT_texture_snorm GL_EXT_texture_swizzle GL_EXT_timer_query GL_EXT_transform_feedback GL_EXT_vertex_array_bgra GL_IBM_multimode_draw_arrays GL_INTEL_performance_query GL_KHR_blend_equation_advanced GL_KHR_context_flush_control GL_KHR_debug GL_KHR_no_error GL_KHR_robustness GL_MESA_pack_invert GL_MESA_shader_integer_functions GL_MESA_texture_signed_rgba GL_NV_conditional_render GL_NV_depth_clamp GL_NV_packed_depth_stencil GL_NV_texture_barrier GL_OES_EGL_image GL_S3_s3tc WebGL 2 Extensions: EXT_color_buffer_float EXT_texture_filter_anisotropic EXT_disjoint_timer_query OES_texture_float_linear WEBGL_compressed_texture_etc WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_lose_context GPU #1 Active: Yes Description: Intel Open Source Technology Center -- Mesa DRI Intel(R) Sandybridge Desktop Vendor ID: Intel Open Source Technology Center Device ID: Mesa DRI Intel(R) Sandybridge Desktop Driver Version: 3.0 Mesa 17.3.5 Diagnostics AzureCanvasAccelerated: 0 AzureCanvasBackend: skia AzureContentBackend: skia AzureFallbackCanvasBackend: none CairoUseXRender: 0 Device Reset: Trigger Device Reset Decision Log HW_COMPOSITING: blocked by default: Acceleration blocked by platform force_enabled by user: Force-enabled by pref OPENGL_COMPOSITING: force_enabled by user: Force-enabled by pref WEBRENDER: opt-in by default: WebRender is an opt-in feature OMTP: disabled by default: Disabled by default Media ----- Audio Backend: remote Max Channels: 2 Preferred Channel Layout: stereo Preferred Sample Rate: 48000 Output Devices Name: Group Built-in Audio: /devices/pci0000:00/0000:00:1b.0/sound/card0 Input Devices Name: Group Monitor of Built-in Audio: Important Modified Preferences ------------------------------ accessibility.accesskeycausesactivation: false accessibility.browsewithcaret_shortcut.enabled: false accessibility.typeaheadfind.flashBar: 0 browser.cache.disk.capacity: 358400 browser.cache.disk.filesystem_reported: 1 browser.cache.disk.hashstats_reported: 1 browser.cache.disk.smart_size.first_run: false browser.cache.disk.smart_size.use_old_max: false browser.cache.frecency_experiment: 4 browser.cache.memory.max_entry_size: 10240 browser.download.useDownloadDir: false browser.places.smartBookmarksVersion: 8 browser.search.update: false browser.search.useDBForOrder: true browser.sessionstore.max_windows_undo: 4 browser.sessionstore.upgradeBackup.latestBuildID: 20180221102240 browser.startup.homepage_override.buildID: 20180221102240 browser.startup.homepage_override.mstone: 60.0a1 browser.tabs.closeWindowWithLastTab: false browser.tabs.remote.warmup.enabled: true browser.tabs.tabMinWidth: 70 browser.urlbar.clickSelectsAll: true browser.urlbar.maxRichResults: 12 browser.urlbar.suggest.searches: false browser.urlbar.trimURLs: false dom.apps.lastUpdate.buildID: 20160725030248 dom.apps.lastUpdate.mstone: 50.0a1 dom.apps.reset-permissions: true dom.battery.enabled: false dom.experimental_forms: true dom.forms.autocomplete.formautofill: true dom.gamepad-extensions.enabled: false dom.gamepad.enabled: false dom.ipc.plugins.flash.subprocess.crashreporter.enabled: false dom.ipc.processCount: 8 dom.mozApps.used: true dom.push.userAgentID: e7fb3f8b83994ce090e85886171418a8 dom.vr.enabled: false dom.vr.oculus.enabled: false dom.webcomponents.customelements.enabled: false extensions.lastAppVersion: 60.0a1 font.internaluseonly.changed: false general.autoScroll: true gfx.crash-guard.status.glcontext: 2 image.mem.max_decoded_image_kb: 384000 javascript.options.asyncstack: false layers.acceleration.force-enabled: true media.autoplay.enabled: false media.autoplay.enabled.user-gestures-needed: true media.getusermedia.screensharing.allowed_domains: media.getusermedia.screensharing.enabled: false media.gmp-eme-adobe.enabled: false media.gmp-gmpopenh264.abi: x86_64-gcc3 media.gmp-gmpopenh264.lastUpdate: 1509908686 media.gmp-gmpopenh264.version: 1.7.1 media.gmp-manager.buildID: 20180221102240 media.gmp-manager.lastCheck: 1519219440 media.gmp.storage.version.observed: 1 media.peerconnection.ice.proxy_only: true media.webrtc.debug.log_file: /tmp/WebRTC.log mousewheel.acceleration.start: 3 mousewheel.default.action.override_x: 2 mousewheel.default.delta_multiplier_x: -100 mousewheel.system_scroll_override_on_root_content.enabled: true mousewheel.system_scroll_override_on_root_content.vertical.factor: 250 network.cookie.cookieBehavior: 3 network.cookie.lifetimePolicy: 2 network.cookie.prefsMigrated: true network.cookie.thirdparty.sessionOnly: true network.dns.disablePrefetch: true network.http.referer.spoofSource: true network.http.referer.trimmingPolicy: 1 network.http.referer.XOriginPolicy: 1 network.http.speculative-parallel-limit: 0 network.IDN_show_punycode: true network.predictor.cleaned-up: true network.predictor.enabled: false network.prefetch-next: false network.tcp.tcp_fastopen_enable: true places.database.lastMaintenance: 1518898423 places.history.expiration.transient_current_max_pages: 167199 plugin.default.state: 0 plugin.disable_full_page_plugin_for_types: application/pdf plugin.importedState: true plugin.state.java: 0 plugin.state.npatgpc: 0 plugin.state.npbispbrowser: 0 plugin.state.npesteid-firefox-plugin: 0 plugins.enumerable_names: print.print_bgcolor: false print.print_bgimages: false print.print_duplex: 0 print.print_evenpages: true print.print_footerleft: print.print_footerright: print.print_headerleft: print.print_headerright: print.print_margin_bottom: 0.5 print.print_margin_left: 0.5 print.print_margin_right: 0.5 print.print_margin_top: 0.5 print.print_oddpages: true print.print_orientation: 0 print.print_paper_data: 0 print.print_paper_height: 11.00 print.print_paper_name: iso_a4 print.print_paper_size_type: 1 print.print_paper_size_unit: 0 print.print_paper_width: 8.00 print.print_resolution: 600 print.print_scaling: 1.00 print.print_shrink_to_fit: true print.print_to_file: false print.print_unwriteable_margin_bottom: 56 print.print_unwriteable_margin_left: 25 print.print_unwriteable_margin_right: 25 print.print_unwriteable_margin_top: 25 privacy.cpd.cache: false privacy.cpd.cookies: false privacy.cpd.extensions-sessionmanager: false privacy.cpd.extensions-tabmix: false privacy.cpd.sessions: false privacy.donottrackheader.enabled: true privacy.history.custom: true privacy.resistFingerprinting: true privacy.sanitize.migrateClearSavedPwdsOnExit: true privacy.sanitize.migrateFx3Prefs: true privacy.trackingprotection.enabled: true privacy.trackingprotection.introCount: 20 privacy.userContext.extension: CookieAutoDelete@kennydo.com security.cert_pinning.enforcement_level: 2 security.csp.experimentalEnabled: true security.dialog_enable_delay: 400 security.disable_button.openCertManager: false security.disable_button.openDeviceManager: false security.insecure_connection_icon.enabled: true security.notification_enable_delay: 300 security.pki.sha1_enforcement_level: 1 security.sandbox.content.tempDirSuffix: 0d54f4a9-e02e-48ae-a278-50531ed8fcd3 security.ssl.treat_unsafe_negotiation_as_broken: true services.sync.declinedEngines: passwords,addons services.sync.engine.addons: false services.sync.engine.addresses.available: true services.sync.engine.bookmarks.validation.lastTime: 1519158898 services.sync.engine.creditcards.available: true services.sync.engine.greasemonkey: true services.sync.engine.passwords: false services.sync.engine.prefs.modified: false services.sync.engine.reqpolsync: false services.sync.engine.stylishsync: false services.sync.lastPing: 1519158896 services.sync.lastSync: Wed Feb 21 2018 18:05:19 GMT+0000 (UTC) services.sync.numClients: 3 storage.vacuum.last.index: 1 storage.vacuum.last.places.sqlite: 1516878661 Important Locked Preferences ---------------------------- Places Database --------------- JavaScript ---------- Incremental GC: true Accessibility ------------- Activated: false Prevent Accessibility: 0 Library Versions ---------------- NSPR Expected minimum version: 4.18 Version in use: 4.18 NSS Expected minimum version: 3.36 Beta Version in use: 3.36 Beta NSSSMIME Expected minimum version: 3.36 Beta Version in use: 3.36 Beta NSSSSL Expected minimum version: 3.36 Beta Version in use: 3.36 Beta NSSUTIL Expected minimum version: 3.36 Beta Version in use: 3.36 Beta Experimental Features --------------------- Sandbox ------- Seccomp-BPF (System Call Filtering): true Seccomp Thread Synchronization: true User Namespaces: true Content Process Sandboxing: true Media Plugin Sandboxing: true Content Process Sandbox Level: 4 Effective Content Process Sandbox Level: 4 Rejected System Calls --------------------- Internationalization & Localization ----------------------------------- Application Settings Requested Locales: ["en-US"] Available Locales: ["en-US"] App Locales: ["en-US"] Regional Preferences: ["en-US"] Default Locale: "en-US" Operating System System Locales: ["en-US"] Regional Preferences: ["en-US"]
Flags: needinfo?(johnp)
|
|
Assignee | |
Comment 3•6 years ago
|
||
Thanks. Can you try safe mode to see if it helps? https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode Trying to isolate if its an addon or a preference. Sorry for having so many things to check.
Flags: needinfo?(johnp)
|
|
Reporter | |
Comment 4•6 years ago
|
||
Still happens in safe mode: bp-8e85e176-280b-4e88-93b2-590150180221
Flags: needinfo?(johnp)
|
|
Assignee | |
Comment 5•6 years ago
|
||
Hmm. We also have a way to set permissions on a per-site basis. Can you go to: Menu -> Options -> Privacy & Security -> History Change the combobox from "Remember History" to "Use custom settings for history". Then click the "Exceptions..." button. This should bring up a dialog that lists sites with overridden permissions. Do you have any per-site permissions in there?
Flags: needinfo?(johnp)
|
|
Assignee | |
Comment 6•6 years ago
|
||
Although these prefs might be enough to somehow trigger this: network.cookie.cookieBehavior: 3 network.cookie.lifetimePolicy: 2
|
|
Assignee | |
Comment 7•6 years ago
|
||
Also, can you provide me a link to the youtube page you are using to trigger this? Are you logged in on youtube?
|
|
Reporter | |
Comment 8•6 years ago
|
||
I already use custom settings and I have dozens of sites in there. http(s)://youtube.com are "Allow first party only". I'm logged in on youtube and reproduce e.g. with https://www.youtube.com/watch?v=9o-77YQ1Rcc expand description and click on the http://ShopDeFranco.com link -> new tab opens and immediately crashes.
Flags: needinfo?(johnp)
|
|
Assignee | |
Comment 9•6 years ago
|
||
Interesting. I'll have to do some research. I don't see a way from the UI to set "Allow first party only" for a site. But I do see we have support for displaying it.
|
|
Assignee | |
Comment 10•6 years ago
|
||
I think I can write a test to try to provoke this using SpecialPower.pushPermissions passing ACCESS_ALLOW_FIRST_PARTY_ONLY. I'll probably need to look at that another day, though. It would be interesting to know if the crash goes away if you clear that one permission. Of course, I don't know how to add the permission back if you do that.
Assignee: nobody → bkelly
Status: NEW → ASSIGNED
Flags: needinfo?(bkelly)
|
|
Reporter | |
Comment 11•6 years ago
|
||
Yes, the crash has gone away once I removed the youtube exceptions. Not sure how this was initially set, probably by some add-on.
|
|
Assignee | |
Comment 12•6 years ago
|
||
I can reproduce on youtube. Its a combination of: 1. Setting cookie options to "Keep until I close" 2. AND having "Allow first party only" for youtube I had to manually hack the permissions.sqlite file to get "Allow first party only".
|
|
Assignee | |
Comment 13•6 years ago
|
||
It seems when we have this permission set for a site we ignore the "keep until I close" setting that is browser-wide: https://searchfox.org/mozilla-central/rev/47cb352984bac15c476dcd75f8360f902673cb98/dom/base/nsContentUtils.cpp#9028 This allows us to get a service worker on youtube.com when most sites won't have a service worker because of the "keep until I close". Then when youtube does its weird redirect thing we must be hitting an unexpected path that inherits the service worker early, but then later sees it shouldn't have it because of the global "keep until I close" setting.
|
|
Assignee | |
Comment 14•6 years ago
|
||
Johnathon, this bug is triggering a diagnostic assertion when the browser is configured as described in comment 12. I'm trying to figure out the best way to deal with this. One approach would be to remove the support for "Allow first party only" permission. We could migrate profiles that currently use it to ACCEPT or just default back to the global setting. AFAICT we don't expose "Allow first party only" in the UI any more and we don't have many tests that set it. If we're not going to actively support the feature, maybe it would be best to remove it for now. Alternatively, I could add a test that uses it and try to figure out a workaround for the problem. I can do this, but I have a hard time justifying it if "Allow first party only" is not really going to be used. Do know our plans for "Allow first party only" permission? What do you think about removing it for now?
Flags: needinfo?(jkt)
|
||
Comment 15•6 years ago
|
||
I don't think we have any plans to remove this UI right now. Dan might know more about the area of code to comment on the crash.
Flags: needinfo?(jkt) → needinfo?(dveditz)
|
||
Comment 16•6 years ago
|
||
When was the "Allow first party only" added to the exceptions UI? And when was it removed from visibility? Was it part of the first-party-isolation project, or something else? I'm not sure who would know the answers to these questions, so needinfo'ing a bunch of people.
Flags: needinfo?(tom)
Flags: needinfo?(jhofmann)
Flags: needinfo?(francois)
|
|
||
Comment 17•6 years ago
|
||
Looks like it's not anything Tom ni for as it came in from Monica in 2013: https://bugzilla.mozilla.org/attachment.cgi?id=720868&action=diff
Flags: needinfo?(tom)
|
||
Comment 18•6 years ago
|
||
Support for this at the DB level was added in bug 770691 and UI for it landed in bug 770705 but it went away when about:permissions was removed.
Flags: needinfo?(francois)
|
|
Assignee | |
Comment 19•6 years ago
|
||
(In reply to Jonathan Kingston [:jkt] from comment #15) > I don't think we have any plans to remove this UI right now. There is no way to set it in the UI today. I had to hack the permissions.sqlite to even get a browser to try to use this feature. I assume it was exposed via a legacy addon or previous UI in the past, though. The crash is specific to assertions I added for storage and service workers. We don't have good test coverage of this feature in general, partly because we don't let anyone set it normally.
|
|
Assignee | |
Comment 20•6 years ago
|
||
(In reply to François Marier [:francois] from comment #18) > Support for this at the DB level was added in bug 770691 and UI for it > landed in bug 770705 but it went away when about:permissions was removed. And it looks like about:permissions was removed two years ago in bug 933917.
Flags: needinfo?(bkelly)
|
||
Comment 21•6 years ago
|
||
(In reply to Ben Kelly [:bkelly] from comment #13) > It seems when we have this permission set for a site we ignore the "keep > until I close" setting that is browser-wide: Any explicit setting for a site--whether that's block, allow, allow-for-session, or allow-first-party-only--overrides the browser-wide cookie setting. Allow-first-party-only is a setting we'd like to support but we've been frustrated by changing front end UI. I would guess the security team agrees with annevk in bug 933917 comment 3 that removing about:permissions should have been WONTFIXed until there was a replacement. It was considered "OK" to do because you could manipulate permissions through the site identity panel, but then that got revamped since such that you really can't anymore. You can clear non-default settings but not otherwise change cookie settings there. We do have plans to add UI support for this to the cookie exceptions dialog you can reach from about:preferences, it's just pretty far down the Security team's list. In any case, I can reproduce this crash by setting youtube cookies to "Allow" and the global setting to save cookies until I quit. This is easily accomplished with our existing UI and is a common setting: clear out the cruft on shutdown but stay logged in to sites you use all the time. These are the settings I use, in fact, with "Allow" for gmail and bugzilla cookies rather than youtube.
Flags: needinfo?(dveditz)
|
||
Comment 22•6 years ago
|
||
I think it's all been said, we might add this to the cookie exceptions, but it's not an immediate plan.
Flags: needinfo?(jhofmann)
|
|
Assignee | |
Comment 23•6 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #21) > We do have plans to add UI support for this to the cookie exceptions dialog > you can reach from about:preferences, it's just pretty far down the Security > team's list. Is there a bug on file for this? Even if its not being worked now, it might be nice to have it open to signal the intent to keep it. Right now this feature seems pretty well abandoned by looking at the code in the tree. > In any case, I can reproduce this crash by setting youtube cookies to > "Allow" and the global setting to save cookies until I quit. This is easily > accomplished with our existing UI and is a common setting: clear out the > cruft on shutdown but stay logged in to sites you use all the time. These > are the settings I use, in fact, with "Allow" for gmail and bugzilla cookies > rather than youtube. Ah, thanks. I will focus on this use case then. Sorry for getting side tracked on the unusual permission setting.
|
|
Assignee | |
Comment 24•6 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #21) > Any explicit setting for a site--whether that's block, allow, > allow-for-session, or allow-first-party-only--overrides the browser-wide > cookie setting. Also, I just want to say that having the global setting vary on two dimensions: * Accept/Block/Block Foreign * Keep until expire/browser closed And then having the override only be a single value: * Accept/Block/Keep until closed Is really weird and confusing.
|
|
Assignee | |
Comment 25•6 years ago
|
||
The assertion was added in bug 1425975 so this affects FF59. Note, however, the assertion only fires in nightly and dev-edition builds. In Release and beta we will not crash, but some sites may be covered by a service worker even though the user has configured things to block storage.
Blocks: 1425975
status-firefox58:
--- → unaffected
status-firefox59:
--- → affected
status-firefox-esr52:
--- → disabled
|
|
Assignee | |
Comment 26•6 years ago
|
||
Investigating a potential security issue here.
Group: core-security
|
|
Assignee | |
Comment 27•6 years ago
|
||
I'm doing some instrumentation at the point of the assertion: ### ### [0x7f0fc7171a00] ClientSource::WindowExecutionReady origin:https://teespring.com current: new:https://teespring.com/stores/defranco-top-sellers controller:https://www.youtube.com/ Assertion failure: nsContentUtils::StorageAllowedForWindow(aInnerWindow) == nsContentUtils::StorageAccess::eAllow, at /srv/mozilla-central/dom/clients/manager/ClientSource.cpp:272 This shows that the service worker controller is for a different origin than the window. This is very bad. I need to investigate further how its happening.
|
|
Assignee | |
Comment 28•6 years ago
|
||
In nightly 60 I am able to follow the steps in comment 8. With default cookie prefs this does not crash. But using the console you can see that the teespring.com site ends up controlled by the youtube service worker. Fortunately it does not occur in FF58 or FF59.
|
|
Assignee | |
Comment 29•6 years ago
|
||
I have a theory about what is happening here. My guess is: 1. Youtube is opening a page on its origin and gets its service worker 2. YT then does document.open() to the target cross-origin site 3. This creates a new inner window and ClientSource 4. The channel that loads the new document is created with nsIContentPolicy::TYPE_OTHER and the original caller document as its node. 5. We then set the original caller document's service worker controller on the load info because we think its a subresource load here: https://searchfox.org/mozilla-central/rev/bd05e3853c6e982e2a35c1cc404b987b2bc914d6/netwerk/base/LoadInfo.cpp#135-142 6. This results in the old controller being propagated to the new document incorrectly. I will need to confirm this tomorrow. Christoph, do you know why document.open() is being loaded with nsIContentPolicy::TYPE_OTHER()? This seems a bit wrong to me. It was added in bug 1038756. Ideally I'd like to make document.open() use TYPE_DOCUMENT. If that is not good for some reason, maybe we could make a TYPE_INTERNAL_DOCUMENTOPEN. I will also be adding some new diagnostic asserts to prevent this kind of mismatch in the future.
Flags: needinfo?(ckerschb)
|
|
Assignee | |
Comment 30•6 years ago
|
||
TYPE_OTHER is being set for document.open() here: https://searchfox.org/mozilla-central/rev/bd05e3853c6e982e2a35c1cc404b987b2bc914d6/dom/html/nsHTMLDocument.cpp#1493
|
||
Comment 31•6 years ago
|
||
(In reply to Ben Kelly [:bkelly] from comment #29) > Christoph, do you know why document.open() is being loaded with > nsIContentPolicy::TYPE_OTHER()? This seems a bit wrong to me. It was added > in bug 1038756. I couldn't find a specific reason why we would load window.open() with TYPE_OTHER instead of TYPE_DOCUMENT. I agree that we should change that to make sure window.open is loaded with TYPE_DOCUMENT and if that is not possible for any reason, I would agree to adding TYPE_DOCUMENT_INTERNAL or something that then resolves to TYPE_DOCUMENT. I think that was not intentional and I couldn't find any reason by browsing through Bug 1038756. Is it possible that this channel does not do the actual load for window.open() but rather the docshell is performing that? The only thing I don't understand is the following. If we are really loading window.open() with TYPE_OTHER and a regular webpage would use a strict CSP using default-src 'none' then opening the window would be blocked by CSP because TYPE_OTHER is governed by default-src. It seems we don't have any CSP test exercising that hence I created Bug 1440582 to write some tests for that scenario.
Flags: needinfo?(ckerschb)
|
|
Assignee | |
Comment 32•6 years ago
|
||
Thanks for digging into it. Just to clarify, this is about document.open() and not window.open(). I believe they take different code paths.
|
|
Assignee | |
Comment 33•6 years ago
|
||
I've tried some initial testing this morning and I don't think its as simple as comment 29 suggests. The TYPE_OTHER channel is not for a URL load. Its for a document.open() without a URL. Sorry for the confusion.
|
|
Assignee | |
Comment 34•6 years ago
|
||
Upon further investigation this is actually fallout from bug 1431847. When a document load occurs the controlling ServiceWorkerDescriptor will get added to the LoadInfo by ServiceWorkerManager. If a redirect occurs, though, we clear this controller in ClientChannelHelper. This ensures that we will lookup the next possible matching ServiceWorkerDescriptor on the redirect. In bug 1431847 I started adding support to perform service worker interception in the parent. This involves serializing the controlling ServiceWorkerDescriptor from child-to-parent and then back from parent-to-child. There is a bug, however, in that we only add the ClientChannelHelper in the child process. So redirects on the parent do not get the controller cleared properly. We'll need to fix this, but in theory it should not have been a major problem since this entire parent-side intercept is disabled behind a pref. The problem, however, is that the code to copy ServiceWorkerDescriptor from parent-to-child is performed regardless of pref. And with the controller being cleared on redirect only on the child, this code was reapplying the controller from the parent each time. The quick fix here is to disable the parent-to-child controller copying when the pref is disabled.
|
|
Assignee | |
Comment 35•6 years ago
|
||
Marking this sec-critical since its a same-origin policy bypass. This only effects nightly 60.
Keywords: sec-critical
|
|
Assignee | |
Comment 36•6 years ago
|
||
Note we have a test that covers this situation: https://searchfox.org/mozilla-central/source/testing/web-platform/tests/service-workers/service-worker/navigation-redirect.https.html We didn't catch the problem because: 1. The test does not explicitly check if the resulting iframe is controlled. 2. We do not have assertions catching the cross-origin controller. 3. The test does not use the non-standard cookie prefs, so we did not trigger the crash reported in this bug. I filed bug 1440705 to add the assertions in (2). I will look at possibly enhancing the test for (1) as well, but not in this bug.
|
|
Assignee | |
Updated•6 years ago
|
Component: DOM → DOM: Service Workers
Summary: Crash [@ mozilla::dom::ClientSource::WindowExecutionReady ] on outgoing YouTube description links → navigations that redirect from a controlled scope to uncontrolled scope do not clear their controller in e10s mode
|
|
Assignee | |
Comment 37•6 years ago
|
||
I have confirmed locally that the assertions I have in mind for bug 1440705 do catch this problem on navigation-redirect.https.html. I have also confirmed adding the additional preference checks also fix the problem. Patch coming here shortly.
|
|
Assignee | |
Comment 38•6 years ago
|
||
|
|
Assignee | |
Comment 39•6 years ago
|
||
Comment on attachment 8953527 [details] [diff] [review] Add some more SW preference checks to e10s http channel code. r=asuth Andrew, this patch wraps all of the code that passes the controller from parent-to-child in checks for ServiceWorkerParentInterceptEnabled().
Attachment #8953527 -
Flags: review?(bugmail)
|
|
Assignee | |
Comment 40•6 years ago
|
||
Comment on attachment 8953527 [details] [diff] [review] Add some more SW preference checks to e10s http channel code. r=asuth This is not reviewed yet, but I'm flagging now since I will be mostly out this afternoon. [Security approval request comment] How easily could an exploit be constructed based on the patch? I think moderately difficult. Its not obviously about redirects, but does point to service workers and networking. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? I don't think so. Its clearly closing some behavior off related to e10s networking, but its unclear about the effect and that a redirect is needed. Which older supported branches are affected by this flaw? None. This was introduced in bug 1431847 which is only on ff60 trunk. If not all supported branches, which bug introduced the flaw? Bug 1431847. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? N/A How likely is this patch to cause regressions; how much testing does it need? Minimal risk. Its disabling code that behind a pref that is default off. Before adding the pref this code did not exist. I have run tests locally against the patch, but I have not done a try push.
Attachment #8953527 -
Flags: sec-approval?
|
||
Comment 41•6 years ago
|
||
Comment on attachment 8953527 [details] [diff] [review] Add some more SW preference checks to e10s http channel code. r=asuth Review of attachment 8953527 [details] [diff] [review]: ----------------------------------------------------------------- This makes sense in the context of the excellent comment 34, thank you.
Attachment #8953527 -
Flags: review?(bugmail) → review+
|
|
Assignee | |
Comment 42•6 years ago
|
||
Comment on attachment 8953527 [details] [diff] [review] Add some more SW preference checks to e10s http channel code. r=asuth Actually, looking at the sec bug approval process: https://wiki.mozilla.org/Security/Bug_Approval_Process#Process_for_Security_Bugs I don't think I need sec-approval here. I think this bug meets the conditions for case B. We know what caused this, it does not affect other branches, and we have not shipped the problem on anything other than nightly.
Attachment #8953527 -
Flags: sec-approval?
|
|
Assignee | |
Comment 43•6 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/481fcece2fc719f516cf542478d6be63bc89badd
|
||
Comment 44•6 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/481fcece2fc7
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
|
|
||
Updated•6 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•6 years ago
|
Group: core-security-release
|
||
Updated•5 years ago
|
Keywords: csectype-sop
You need to log in
before you can comment on or make changes to this bug.
Description
•