Closed
Bug 1439879
Opened 5 years ago
Closed 5 years ago
navigations that redirect from a controlled scope to uncontrolled scope do not clear their controller in e10s mode
Categories
(Core :: DOM: Service Workers, defect, P2)
Tracking
RESOLVED FIXED
mozilla60
| | Tracking | Status |
|---|---|---|
| firefox-esr52 | --- | disabled |
| firefox58 | --- | unaffected |
| firefox59 | --- | unaffected |
| firefox60 | --- | fixed |
People
(Reporter: johnp, Assigned: bkelly)
Details
(Keywords: crash, csectype-sop, sec-critical)
Attachments
(1 file)
5.18 KB, patch | asuth: review+
+++ This bug was initially created as a clone of Bug #1433454 +++

Crash report bp-ce361a64-3475-42dc-b35c-1d4ef0180217

=============================================================
Top 10 frames of crashing thread:

0 libxul.so mozilla::dom::ClientSource::WindowExecutionReady(nsPIDOMWindowInner*) [clone .cold.182]
1 libxul.so nsGlobalWindowInner::ExecutionReady dom/base/nsGlobalWindowInner.cpp:1918
2 libxul.so nsGlobalWindowOuter::SetNewDocument(nsIDocument*, nsISupports*, bool)
3 libxul.so nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool)
4 libxul.so nsDocumentViewer::Init layout/base/nsDocumentViewer.cpp:666
5 libxul.so nsDocShell::SetupNewViewer(nsIContentViewer*)
6 libxul.so nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*)
7 libxul.so nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**)
8 libxul.so nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*)
9 libxul.so nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*)
10 libxul.so nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*)
=============================================================

This crash happens on my profile in the tab that is opened, whenever I (left-)click outgoing YouTube links from video descriptions. Interestingly enough, it doesn't happen for outgoing twitter.com links, but every other outgoing link I've tried crashed.

I cannot reproduce this on a fresh profile, even after adding some of my add-ons and changing preferences that I thought could be connected in accordance with my main profile. Logging into my google account also didn't help in trying to reproduce on the fresh profile.
Assignee
Comment 1 • 5 years ago
Can you please open "about:support" in the affected profile, copy to text, and then paste here? Thanks!
Flags: needinfo?(johnp)
Reporter
Comment 2 • 5 years ago
Flags: needinfo?(johnp)
Assignee
Comment 3 • 5 years ago
Thanks. Can you try safe mode to see if it helps? https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode Trying to isolate if it's an addon or a preference. Sorry for having so many things to check.
Flags: needinfo?(johnp)
Reporter
Comment 4 • 5 years ago
Still happens in safe mode: bp-8e85e176-280b-4e88-93b2-590150180221
Flags: needinfo?(johnp)
Assignee
Comment 5 • 5 years ago
Hmm. We also have a way to set permissions on a per-site basis. Can you go to:

Menu -> Options -> Privacy & Security -> History

Change the combobox from "Remember History" to "Use custom settings for history". Then click the "Exceptions..." button. This should bring up a dialog that lists sites with overridden permissions. Do you have any per-site permissions in there?
Flags: needinfo?(johnp)
Assignee
Comment 6 • 5 years ago
Although these prefs might be enough to somehow trigger this:

network.cookie.cookieBehavior: 3
network.cookie.lifetimePolicy: 2
Assignee
Comment 7 • 5 years ago
Also, can you provide me a link to the youtube page you are using to trigger this? Are you logged in on youtube?
Reporter
Comment 8 • 5 years ago
I already use custom settings and I have dozens of sites in there. http(s)://youtube.com are "Allow first party only". I'm logged in on youtube and reproduce e.g. with https://www.youtube.com/watch?v=9o-77YQ1Rcc expand description and click on the http://ShopDeFranco.com link -> new tab opens and immediately crashes.
Flags: needinfo?(johnp)
Assignee
Comment 9 • 5 years ago
Interesting. I'll have to do some research. I don't see a way from the UI to set "Allow first party only" for a site. But I do see we have support for displaying it.
Assignee
Comment 10 • 5 years ago
I think I can write a test to try to provoke this using SpecialPower.pushPermissions passing ACCESS_ALLOW_FIRST_PARTY_ONLY. I'll probably need to look at that another day, though. It would be interesting to know if the crash goes away if you clear that one permission. Of course, I don't know how to add the permission back if you do that.
Assignee: nobody → bkelly
Status: NEW → ASSIGNED
Flags: needinfo?(bkelly)
Reporter
Comment 11 • 5 years ago
Yes, the crash has gone away once I removed the youtube exceptions. Not sure how this was initially set, probably by some add-on.
Assignee
Comment 12 • 5 years ago
I can reproduce on youtube. It's a combination of:

1. Setting cookie options to "Keep until I close"
2. AND having "Allow first party only" for youtube

I had to manually hack the permissions.sqlite file to get "Allow first party only".
Assignee
Comment 13 • 5 years ago
It seems when we have this permission set for a site we ignore the "keep until I close" setting that is browser-wide:

https://searchfox.org/mozilla-central/rev/47cb352984bac15c476dcd75f8360f902673cb98/dom/base/nsContentUtils.cpp#9028

This allows us to get a service worker on youtube.com when most sites won't have a service worker because of the "keep until I close". Then when youtube does its weird redirect thing we must be hitting an unexpected path that inherits the service worker early, but then later sees it shouldn't have it because of the global "keep until I close" setting.
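The mechanism described in comments 12 and 13, as an added example that is not part of the bug thread and is not Gecko code: a simplified JavaScript model in which a per-site permission overrides the browser-wide "keep until I close" setting, and a redirect either keeps or clears the inherited controller. Every function name, the example hosts, the permission strings and the `clearOnRedirect` switch are assumptions made for illustration.

```javascript
// Simplified model of the behaviour discussed in comments 12 and 13.
// This is NOT Gecko code; every name below is hypothetical.

const LIFETIME_NORMAL = "normal";
const LIFETIME_SESSION = "keep-until-close"; // browser-wide "Keep until I close"

// Constructed configuration mirroring comment 12: session-only cookies
// globally, plus an "Allow first party only" exception for one site.
const sampleConfig = {
  globalLifetime: LIFETIME_SESSION,
  sitePermissions: new Map([["controlled.example", "allow-first-party-only"]]),
};

// Constructed service worker registration table.
const sampleRegistrations = [
  { id: "sw-1", scope: "https://controlled.example/" },
];

// Constructed redirect chain: starts inside the registered scope and
// ends on a host that has no registration and no per-site exception.
const sampleChain = [
  "https://controlled.example/redirect?to=out",
  "http://uncontrolled.example/",
];

// Per comment 13: when a per-site permission exists it is used and the
// browser-wide lifetime setting is ignored for that site.
function serviceWorkersAllowed(config, host) {
  const perm = config.sitePermissions.get(host);
  if (perm === "deny") return false;
  if (perm !== undefined) return true; // global lifetime is not consulted
  return config.globalLifetime === LIFETIME_NORMAL;
}

// Longest-prefix scope match, as service worker scope matching works.
function findRegistration(registrations, url) {
  let best = null;
  for (const reg of registrations) {
    if (url.startsWith(reg.scope) &&
        (best === null || reg.scope.length > best.scope.length)) {
      best = reg;
    }
  }
  return best;
}

// Walk a redirect chain. With clearOnRedirect=false the controller picked
// up on an earlier hop is inherited by later hops (the reported behaviour);
// with clearOnRedirect=true it is re-evaluated and dropped on every hop.
function navigate(config, registrations, redirectChain, clearOnRedirect) {
  let controller = null;
  for (const url of redirectChain) {
    const host = new URL(url).host;
    const reg = findRegistration(registrations, url);
    if (reg !== null && serviceWorkersAllowed(config, host)) {
      controller = reg;
    } else if (clearOnRedirect) {
      controller = null;
    }
  }
  return { finalUrl: redirectChain[redirectChain.length - 1], controller };
}

// Invariant corresponding to the diagnostic assertion in the thread: a
// client that ends up controlled must be on a host where service workers
// are allowed and inside the controller's scope.
function checkExecutionReady(config, client) {
  if (client.controller === null) {
    return { ok: true, reason: "uncontrolled" };
  }
  const host = new URL(client.finalUrl).host;
  if (!serviceWorkersAllowed(config, host)) {
    return { ok: false, reason: "controller on a host where service workers are not allowed" };
  }
  if (!client.finalUrl.startsWith(client.controller.scope)) {
    return { ok: false, reason: "controller scope does not cover the final URL" };
  }
  return { ok: true, reason: "controlled and in scope" };
}

function demo() {
  const inherited = navigate(sampleConfig, sampleRegistrations, sampleChain, false);
  const cleared = navigate(sampleConfig, sampleRegistrations, sampleChain, true);
  return {
    inherited: checkExecutionReady(sampleConfig, inherited),
    cleared: checkExecutionReady(sampleConfig, cleared),
  };
}

console.log(demo());
```
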
Assignee | ||
Comment 14•5 years ago
|
||
Johnathon, this bug is triggering a diagnostic assertion when the browser is configured as described in comment 12. I'm trying to figure out the best way to deal with this.
One approach would be to remove the support for "Allow first party only" permission. We could migrate profiles that currently use it to ACCEPT or just default back to the global setting. AFAICT we don't expose "Allow first party only" in the UI any more and we don't have many tests that set it. If we're not going to actively support the feature, maybe it would be best to remove it for now.
Alternatively, I could add a test that uses it and try to figure out a workaround for the problem. I can do this, but I have a hard time justifying it if "Allow first party only" is not really going to be used.
Do you know our plans for "Allow first party only" permission? What do you think about removing it for now?
Flags: needinfo?(jkt)
Comment 15•5 years ago
|
||
I don't think we have any plans to remove this UI right now. Dan might know more about the area of code to comment on the crash.
Flags: needinfo?(jkt) → needinfo?(dveditz)
Comment 16•5 years ago
|
||
When was the "Allow first party only" added to the exceptions UI? And when was it removed from visibility? Was it part of the first-party-isolation project, or something else? I'm not sure who would know the answers to these questions, so needinfo'ing a bunch of people.
Flags: needinfo?(tom)
Flags: needinfo?(jhofmann)
Flags: needinfo?(francois)
Comment 17•5 years ago
|
||
Looks like it's not anything Tom ni for as it came in from Monica in 2013: https://bugzilla.mozilla.org/attachment.cgi?id=720868&action=diff
Flags: needinfo?(tom)
Comment 18•5 years ago
|
||
Support for this at the DB level was added in bug 770691 and UI for it landed in bug 770705 but it went away when about:permissions was removed.
Flags: needinfo?(francois)
Assignee | ||
Comment 19•5 years ago
|
||
(In reply to Jonathan Kingston [:jkt] from comment #15)
> I don't think we have any plans to remove this UI right now.
There is no way to set it in the UI today. I had to hack the permissions.sqlite to even get a browser to try to use this feature. I assume it was exposed via a legacy addon or previous UI in the past, though.
The crash is specific to assertions I added for storage and service workers. We don't have good test coverage of this feature in general, partly because we don't let anyone set it normally.
Assignee | ||
Comment 20•5 years ago
|
||
(In reply to François Marier [:francois] from comment #18)
> Support for this at the DB level was added in bug 770691 and UI for it
> landed in bug 770705 but it went away when about:permissions was removed.
And it looks like about:permissions was removed two years ago in bug 933917.
Flags: needinfo?(bkelly)
Comment 21•5 years ago
|
||
(In reply to Ben Kelly [:bkelly] from comment #13)
> It seems when we have this permission set for a site we ignore the "keep
> until I close" setting that is browser-wide:
Any explicit setting for a site--whether that's block, allow, allow-for-session, or allow-first-party-only--overrides the browser-wide cookie setting.
Allow-first-party-only is a setting we'd like to support but we've been frustrated by changing front end UI. I would guess the security team agrees with annevk in bug 933917 comment 3 that removing about:permissions should have been WONTFIXed until there was a replacement. It was considered "OK" to do because you could manipulate permissions through the site identity panel, but then that got revamped since such that you really can't anymore. You can clear non-default settings but not otherwise change cookie settings there.
We do have plans to add UI support for this to the cookie exceptions dialog you can reach from about:preferences, it's just pretty far down the Security team's list.
In any case, I can reproduce this crash by setting youtube cookies to "Allow" and the global setting to save cookies until I quit. This is easily accomplished with our existing UI and is a common setting: clear out the cruft on shutdown but stay logged in to sites you use all the time. These are the settings I use, in fact, with "Allow" for gmail and bugzilla cookies rather than youtube.
Flags: needinfo?(dveditz)
Comment 22•5 years ago
|
||
I think it's all been said, we might add this to the cookie exceptions, but it's not an immediate plan.
Flags: needinfo?(jhofmann)
Assignee | ||
Comment 23•5 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #21)
> We do have plans to add UI support for this to the cookie exceptions dialog
> you can reach from about:preferences, it's just pretty far down the Security
> team's list.
Is there a bug on file for this? Even if it's not being worked now, it might be nice to have it open to signal the intent to keep it. Right now this feature seems pretty well abandoned by looking at the code in the tree.
> In any case, I can reproduce this crash by setting youtube cookies to
> "Allow" and the global setting to save cookies until I quit. This is easily
> accomplished with our existing UI and is a common setting: clear out the
> cruft on shutdown but stay logged in to sites you use all the time. These
> are the settings I use, in fact, with "Allow" for gmail and bugzilla cookies
> rather than youtube.
Ah, thanks. I will focus on this use case then. Sorry for getting side tracked on the unusual permission setting.
Assignee | ||
Comment 24•5 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #21)
> Any explicit setting for a site--whether that's block, allow,
> allow-for-session, or allow-first-party-only--overrides the browser-wide
> cookie setting.
Also, I just want to say that having the global setting vary on two dimensions:
* Accept/Block/Block Foreign
* Keep until expire/browser closed
And then having the override only be a single value:
* Accept/Block/Keep until closed
Is really weird and confusing.
Assignee | ||
Comment 25•5 years ago
|
||
The assertion was added in bug 1425975 so this affects FF59. Note, however, the assertion only fires in nightly and dev-edition builds. In Release and beta we will not crash, but some sites may be covered by a service worker even though the user has configured things to block storage.
Blocks: 1425975
status-firefox58:
--- → unaffected
status-firefox59:
--- → affected
status-firefox-esr52:
--- → disabled
Assignee | ||
Comment 26•5 years ago
|
||
Investigating a potential security issue here.
Group: core-security
Assignee | ||
Comment 27•5 years ago
|
||
I'm doing some instrumentation at the point of the assertion:
### ### [0x7f0fc7171a00] ClientSource::WindowExecutionReady origin:https://teespring.com current: new:https://teespring.com/stores/defranco-top-sellers controller:https://www.youtube.com/
Assertion failure: nsContentUtils::StorageAllowedForWindow(aInnerWindow) == nsContentUtils::StorageAccess::eAllow, at /srv/mozilla-central/dom/clients/manager/ClientSource.cpp:272
This shows that the service worker controller is for a different origin than the window. This is very bad. I need to investigate further how it's happening.
Assignee | ||
Comment 28•5 years ago
|
||
In nightly 60 I am able to follow the steps in comment 8. With default cookie prefs this does not crash. But using the console you can see that the teespring.com site ends up controlled by the youtube service worker. Fortunately it does not occur in FF58 or FF59.
Assignee | ||
Comment 29•5 years ago
|
||
I have a theory about what is happening here. My guess is:
1. Youtube is opening a page on its origin and gets its service worker
2. YT then does document.open() to the target cross-origin site
3. This creates a new inner window and ClientSource
4. The channel that loads the new document is created with nsIContentPolicy::TYPE_OTHER and the original caller document as its node.
5. We then set the original caller document's service worker controller on the load info because we think it's a subresource load here: https://searchfox.org/mozilla-central/rev/bd05e3853c6e982e2a35c1cc404b987b2bc914d6/netwerk/base/LoadInfo.cpp#135-142
6. This results in the old controller being propagated to the new document incorrectly.
I will need to confirm this tomorrow.
Christoph, do you know why document.open() is being loaded with nsIContentPolicy::TYPE_OTHER()? This seems a bit wrong to me. It was added in bug 1038756.
Ideally I'd like to make document.open() use TYPE_DOCUMENT. If that is not good for some reason, maybe we could make a TYPE_INTERNAL_DOCUMENTOPEN.
I will also be adding some new diagnostic asserts to prevent this kind of mismatch in the future.
Flags: needinfo?(ckerschb)
Assignee | ||
Comment 30•5 years ago
|
||
TYPE_OTHER is being set for document.open() here: https://searchfox.org/mozilla-central/rev/bd05e3853c6e982e2a35c1cc404b987b2bc914d6/dom/html/nsHTMLDocument.cpp#1493
Comment 31•5 years ago
|
||
(In reply to Ben Kelly [:bkelly] from comment #29)
> Christoph, do you know why document.open() is being loaded with
> nsIContentPolicy::TYPE_OTHER()? This seems a bit wrong to me. It was added
> in bug 1038756.
I couldn't find a specific reason why we would load window.open() with TYPE_OTHER instead of TYPE_DOCUMENT. I agree that we should change that to make sure window.open is loaded with TYPE_DOCUMENT and if that is not possible for any reason, I would agree to adding TYPE_DOCUMENT_INTERNAL or something that then resolves to TYPE_DOCUMENT. I think that was not intentional and I couldn't find any reason by browsing through Bug 1038756.
Is it possible that this channel does not do the actual load for window.open() but rather the docshell is performing that?
The only thing I don't understand is the following. If we are really loading window.open() with TYPE_OTHER and a regular webpage would use a strict CSP using default-src 'none' then opening the window would be blocked by CSP because TYPE_OTHER is governed by default-src. It seems we don't have any CSP test exercising that hence I created Bug 1440582 to write some tests for that scenario.
Flags: needinfo?(ckerschb)
Assignee | ||
Comment 32•5 years ago
|
||
Thanks for digging into it. Just to clarify, this is about document.open() and not window.open(). I believe they take different code paths.
Assignee | ||
Comment 33•5 years ago
|
||
I've tried some initial testing this morning and I don't think it's as simple as comment 29 suggests. The TYPE_OTHER channel is not for a URL load. It's for a document.open() without a URL. Sorry for the confusion.
Assignee | ||
Comment 34•5 years ago
|
||
Upon further investigation this is actually fallout from bug 1431847.
When a document load occurs the controlling ServiceWorkerDescriptor will get added to the LoadInfo by ServiceWorkerManager. If a redirect occurs, though, we clear this controller in ClientChannelHelper. This ensures that we will lookup the next possible matching ServiceWorkerDescriptor on the redirect.
In bug 1431847 I started adding support to perform service worker interception in the parent. This involves serializing the controlling ServiceWorkerDescriptor from child-to-parent and then back from parent-to-child.
There is a bug, however, in that we only add the ClientChannelHelper in the child process. So redirects on the parent do not get the controller cleared properly. We'll need to fix this, but in theory it should not have been a major problem since this entire parent-side intercept is disabled behind a pref.
The problem, however, is that the code to copy ServiceWorkerDescriptor from parent-to-child is performed regardless of pref. And with the controller being cleared on redirect only on the child, this code was reapplying the controller from the parent each time.
The quick fix here is to disable the parent-to-child controller copying when the pref is disabled.
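The redirect behaviour described in comment 34, as a simplified model added here (it is not part of the bug thread and is not Gecko code): it follows one navigation through a cross-origin redirect with and without the pref gate on the parent-to-child copy, then applies the same-origin controller check. All function names, the two option flags and the example URLs are assumptions made for illustration.

```javascript
// Simplified model of the redirect handling in comment 34. Every name below is
// hypothetical and the URLs are constructed sample data; this is not Gecko code.
const origin = (url) => new URL(url).origin;

// Stand-in for the service worker lookup: longest registration scope that
// prefixes the URL, or null when the URL is uncontrolled.
function matchController(registrations, url) {
  const hits = registrations.filter((r) => url.startsWith(r.scope));
  hits.sort((a, b) => b.scope.length - a.scope.length);
  return hits.length ? hits[0] : null;
}

// Follow a navigation through its redirect chain and return the final state.
function navigate(chain, registrations, { parentInterceptPref, gateCopyOnPref }) {
  let childController = matchController(registrations, chain[0]);
  // Child-to-parent serialization when the channel opens.
  const parentController = childController;
  for (const url of chain.slice(1)) {
    // Child side: clear on redirect, then look up a controller for the new URL.
    childController = matchController(registrations, url);
    // Parent side: nothing clears parentController, so it is stale here.
    // Before the fix the parent-to-child copy ran regardless of the pref.
    const copyRuns = gateCopyOnPref ? parentInterceptPref : true;
    if (copyRuns && parentController) childController = parentController;
  }
  return { url: chain[chain.length - 1], controller: childController };
}

// Invariant: a document's controller must share the document's origin.
function controllerMismatch(load) {
  if (!load.controller) return null;
  const docOrigin = origin(load.url);
  const swOrigin = origin(load.controller.scriptURL);
  return docOrigin === swOrigin ? null : `${docOrigin} controlled by ${swOrigin}`;
}

const registrations = [
  { scope: "https://video.example/", scriptURL: "https://video.example/sw.js" },
];
const chain = ["https://video.example/redirect?to=shop", "https://shop.example/stores/top"];

const before = navigate(chain, registrations, { parentInterceptPref: false, gateCopyOnPref: false });
const after = navigate(chain, registrations, { parentInterceptPref: false, gateCopyOnPref: true });
console.log("ungated copy:", controllerMismatch(before));
console.log("pref-gated copy:", controllerMismatch(after));
```

In a loaded page the same invariant can be checked from the console by comparing `location.origin` with the origin of `navigator.serviceWorker.controller.scriptURL`.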
Assignee | ||
Comment 35•5 years ago
|
||
Marking this sec-critical since it's a same-origin policy bypass. This only affects nightly 60.
Keywords: sec-critical
Assignee | ||
Comment 36•5 years ago
|
||
Note we have a test that covers this situation:
https://searchfox.org/mozilla-central/source/testing/web-platform/tests/service-workers/service-worker/navigation-redirect.https.html
We didn't catch the problem because:
1. The test does not explicitly check if the resulting iframe is controlled.
2. We do not have assertions catching the cross-origin controller.
3. The test does not use the non-standard cookie prefs, so we did not trigger the crash reported in this bug.
I filed bug 1440705 to add the assertions in (2). I will look at possibly enhancing the test for (1) as well, but not in this bug.
Assignee | ||
Updated•5 years ago
|
Component: DOM → DOM: Service Workers
Summary: Crash [@ mozilla::dom::ClientSource::WindowExecutionReady ] on outgoing YouTube description links → navigations that redirect from a controlled scope to uncontrolled scope do not clear their controller in e10s mode
Assignee | ||
Comment 37•5 years ago
|
||
I have confirmed locally that the assertions I have in mind for bug 1440705 do catch this problem on navigation-redirect.https.html. I have also confirmed adding the additional preference checks also fix the problem. Patch coming here shortly.
Assignee | ||
Comment 38•5 years ago
|
||
Assignee | ||
Comment 39•5 years ago
|
||
Comment on attachment 8953527 [details] [diff] [review]
Add some more SW preference checks to e10s http channel code. r=asuth
Andrew, this patch wraps all of the code that passes the controller from parent-to-child in checks for ServiceWorkerParentInterceptEnabled().
Attachment #8953527 -
Flags: review?(bugmail)
Assignee | ||
Comment 40•5 years ago
|
||
Comment on attachment 8953527 [details] [diff] [review]
Add some more SW preference checks to e10s http channel code. r=asuth
This is not reviewed yet, but I'm flagging now since I will be mostly out this afternoon.
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
I think moderately difficult. It's not obviously about redirects, but does point to service workers and networking.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
I don't think so. It's clearly closing some behavior off related to e10s networking, but it's unclear about the effect and that a redirect is needed.
Which older supported branches are affected by this flaw?
None. This was introduced in bug 1431847 which is only on ff60 trunk.
If not all supported branches, which bug introduced the flaw?
Bug 1431847.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
N/A
How likely is this patch to cause regressions; how much testing does it need?
Minimal risk. It's disabling code that is behind a pref that is default off. Before adding the pref this code did not exist. I have run tests locally against the patch, but I have not done a try push.
Attachment #8953527 -
Flags: sec-approval?
Comment 41•5 years ago
|
||
Comment on attachment 8953527 [details] [diff] [review]
Add some more SW preference checks to e10s http channel code. r=asuth
Review of attachment 8953527 [details] [diff] [review]:
-----------------------------------------------------------------
This makes sense in the context of the excellent comment 34, thank you.
Attachment #8953527 -
Flags: review?(bugmail) → review+
Assignee | ||
Comment 42•5 years ago
|
||
Comment on attachment 8953527 [details] [diff] [review]
Add some more SW preference checks to e10s http channel code. r=asuth
Actually, looking at the sec bug approval process:
https://wiki.mozilla.org/Security/Bug_Approval_Process#Process_for_Security_Bugs
I don't think I need sec-approval here. I think this bug meets the conditions for case B. We know what caused this, it does not affect other branches, and we have not shipped the problem on anything other than nightly.
Attachment #8953527 -
Flags: sec-approval?
Assignee | ||
Comment 43•5 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/481fcece2fc719f516cf542478d6be63bc89badd
||
Comment 44•5 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/481fcece2fc7
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Updated•5 years ago
|
Group: core-security → core-security-release
Updated•5 years ago
|
Group: core-security-release
Updated•4 years ago
|
Keywords: csectype-sop