Closed
Bug 1452496
Opened 6 years ago
Closed 6 years ago
Do not allow setting same-site cookies from a cross site request
Categories
(Core :: Networking: Cookies, defect, P1)
Core
Networking: Cookies
Tracking
()
RESOLVED
FIXED
mozilla61
People
(Reporter: ckerschb, Assigned: ckerschb)
References
Details
(Whiteboard: [necko-triaged])
Attachments
(5 files, 6 obsolete files)
6.25 KB,
patch
|
ckerschb
:
review+
jcristau
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
4.95 KB,
patch
|
ckerschb
:
review+
jcristau
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
6.32 KB,
patch
|
mgoodwin
:
review+
jcristau
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
28.24 KB,
patch
|
valentin
:
review+
jcristau
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
4.91 KB,
patch
|
Details | Diff | Splinter Review |
No description provided.
Assignee | ||
Updated•6 years ago
|
Blocks: samesite-cookies
Assignee | ||
Updated•6 years ago
|
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: -- → P1
Assignee | ||
Comment 1•6 years ago
|
||
Hey Valentin, unfortunately the test setup within TestCookie.cpp is complicated and cookies are always load in a cross site context. The problem happens because SetACookie() passes a nullptr as the channel [1] which is used to determine same or cross siteness. It's unfortunate, but I guess not the end of the world because we have test coverage for all the cases within dom/security/test/general. Acceptable? [1] https://dxr.mozilla.org/mozilla-central/source/netwerk/test/TestCookie.cpp#74
Attachment #8966169 -
Flags: review?(valentin.gosu)
Assignee | ||
Comment 2•6 years ago
|
||
Attachment #8966170 -
Flags: review?(mgoodwin)
Updated•6 years ago
|
Attachment #8966170 -
Flags: review?(mgoodwin) → review+
Updated•6 years ago
|
Summary: Do not allow same-site cookies in cross site context → Do not allow setting same-site cookies from a cross site request
Comment 3•6 years ago
|
||
Comment on attachment 8966169 [details] [diff] [review] bug_1452496_discard_same_site_cookie.patch Review of attachment 8966169 [details] [diff] [review]: ----------------------------------------------------------------- ::: netwerk/cookie/nsCookieService.cpp @@ +3469,5 @@ > return newCookie; > } > > + // If the new cookie is same-site but an a cross site context, > + // browser have to ignore the cookie. typo: "in" a cross site context I'd prefer "have to" => "must" (or even "MUST") since it's a spec requirement. ::: netwerk/test/TestCookie.cpp @@ +782,5 @@ > SetACookie(cookieService, "http://samesite.test", nullptr, "bogus=yes; samesite=bogus", nullptr); > + // please note that we can't test: > + // * samesite=strict > + // * samesite=lax > + // because TestCookie.cpp loads cookies in a cross origin fashion. This is sad. Do we have other tests for the samesite attribute (I don't see any)? Also, if we can't set samesite from this test then the preceding 4 "samesite" tests are meaningless and you might as well delete them, too. Any way to fake up a same-origin channel to pass in so we can test these?
Assignee | ||
Comment 4•6 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #3) > Any way to fake up a same-origin channel to pass in so we can test these? In fact: yes. Please note that I on purpose created a new function that deals with same site cookies to make sure the update does not interfere with any other tests within that file. If needed, we can file a follow up to clean that up.
Attachment #8966169 -
Attachment is obsolete: true
Attachment #8966169 -
Flags: review?(valentin.gosu)
Attachment #8966327 -
Flags: review?(dveditz)
Comment 5•6 years ago
|
||
Comment on attachment 8966327 [details] [diff] [review] bug_1452496_discard_same_site_cookie.patch Review of attachment 8966327 [details] [diff] [review]: ----------------------------------------------------------------- r=dveditz
Attachment #8966327 -
Flags: review?(dveditz) → review+
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/8bf36c469e22 Discard same-site cookie in cross site context. r=dveditz https://hg.mozilla.org/integration/mozilla-inbound/rev/071ecf5e3680 Test for diiscarding same-site cookie in cross site context. r=mgoodwin
Assignee | ||
Comment 7•6 years ago
|
||
Comment on attachment 8966170 [details] [diff] [review] bug_1452496_discard_same_site_cookie_tests.patch Approval Request Comment [Feature/Bug causing the regression]: Bug 1452496 [User impact if declined]: same-site cookies in cross origin context are allowed to be set. [Is this code covered by automated tests?]: Yes [Has the fix been verified in Nightly?]: Not yet. [Needs manual test from QE? If yes, steps to reproduce]: No [List of other uplifts needed for the feature/fix]: Bug 1286861 needs to be applied before this patch. [Is the change risky?]: No [Why is the change risky/not risky?]: Only affects same-site cookies. [String changes made/needed]: no
Attachment #8966170 -
Flags: approval-mozilla-beta?
Comment 8•6 years ago
|
||
Backed out 2 changesets (bug 1452496) for bustage on build/src/netwerk/test/TestNamedPipeService.cpp on a CLOSED TREE Backout link: https://hg.mozilla.org/integration/mozilla-inbound/rev/7a6977dca03a1c363656137ccbd78626ed1a35bc Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=071ecf5e36808e9f9a96e15a0d019418a8846d5b Log link: https://treeherder.mozilla.org/logviewer.html#?job_id=172890948&repo=mozilla-inbound&lineNumber=12026 Log snippet: 15:57:22 INFO - mozmake.EXE[4]: Leaving directory 'z:/build/build/src/obj-firefox/ipc/chromium' 15:57:22 INFO - mozmake.EXE[4]: Entering directory 'z:/build/build/src/obj-firefox/extensions/auth' 15:57:22 INFO - mozmake.EXE[4]: Leaving directory 'z:/build/build/src/obj-firefox/extensions/auth' 15:57:23 INFO - mozmake.EXE[4]: Entering directory 'z:/build/build/src/obj-firefox/config/external/icu/i18n' 15:57:23 INFO - z:/build/build/src/sccache2/sccache.exe z:/build/build/src/vs2017_15.6.0/VC/bin/Hostx64/x86/cl.exe -Fotznames_impl.obj -c -DNDEBUG=1 -DTRIMMED=1 -DU_I18N_IMPLEMENTATION -DUCONFIG_NO_TRANSLITERATION -DUCONFIG_NO_REGULAR_EXPRESSIONS -DUCONFIG_NO_LEGACY_CONVERSION -DU_USING_ICU_NAMESPACE=0 -DU_NO_DEFAULT_INCLUDE_UTF_HEADERS=1 -DU_CHARSET_IS_UTF8 -DU_HAVE_NL_LANGINFO_CODESET=0 -Iz:/build/build/src/config/external/icu/i18n -Iz:/build/build/src/obj-firefox/config/external/icu/i18n -Iz:/build/build/src/intl/icu/source/common -Iz:/build/build/src/obj-firefox/dist/include -Iz:/build/build/src/obj-firefox/dist/include/nspr -Iz:/build/build/src/obj-firefox/dist/include/nss -MD -FI z:/build/build/src/obj-firefox/mozilla-config.h -DMOZILLA_CLIENT -utf-8 -TP -nologo -w15038 -wd5026 -wd5027 -Zc:sizedDealloc- -wd4091 -wd4577 -D_HAS_EXCEPTIONS=0 -W3 -Gy -Zc:inline -arch:SSE2 -Gw -wd4251 -wd4244 -wd4267 -wd4800 -wd4595 -we4553 -D_SILENCE_TR1_NAMESPACE_DEPRECATION_WARNING -GR- -Z7 -O1 -Oi -Oy- -GR -wd4005 -wd4333 -wd4996 -deps.deps/tznames_impl.obj.pp z:/build/build/src/intl/icu/source/i18n/tznames_impl.cpp 15:57:23 INFO - tznames_impl.cpp 15:57:23 INFO - cl : Command line warning D9025 : overriding '/GR-' with '/GR' 15:57:23 INFO - mozmake.EXE[4]: Leaving directory 'z:/build/build/src/obj-firefox/config/external/icu/i18n' 15:57:23 INFO - mozmake.EXE[4]: Entering directory 'z:/build/build/src/obj-firefox/config/external/icu/i18n' 15:57:23 INFO - mozmake.EXE[4]: Leaving directory 'z:/build/build/src/obj-firefox/config/external/icu/i18n' 15:57:23 INFO - mozmake.EXE[4]: Entering directory 'z:/build/build/src/obj-firefox/netwerk/sctp/src' 15:57:23 INFO - z:/build/build/src/sccache2/sccache.exe z:/build/build/src/vs2017_15.6.0/VC/bin/Hostx64/x86/cl.exe -Fosctp_sysctl.obj -c -DNDEBUG=1 -DTRIMMED=1 -DWIN32_LEAN_AND_MEAN -D_WIN32 -DWIN32 -D_CRT_RAND_S -DCERT_CHAIN_PARA_HAS_EXTRA_FIELDS -DOS_WIN=1 -D_UNICODE -DCHROMIUM_BUILD -DU_STATIC_IMPLEMENTATION -DUNICODE -D_WINDOWS -D_SECURE_ATL -DCOMPILER_MSVC -DSCTP_SIMPLE_ALLOCATOR=1 -DSCTP_PROCESS_LEVEL_LOCKS=1 -D__Userspace__=1 -DCALLBACK_API=1 -DSCTP_DEBUG=1 -D__Userspace_os_Windows=1 -D_LIB=1 -DSTATIC_EXPORTABLE_JS_API -DMOZ_HAS_MOZGLUE -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -Iz:/build/build/src/netwerk/sctp/src -Iz:/build/build/src/obj-firefox/netwerk/sctp/src -Iz:/build/build/src/obj-firefox/ipc/ipdl/_ipdlheaders -Iz:/build/build/src/ipc/chromium/src -Iz:/build/build/src/ipc/glue -Iz:/build/build/src/dom/base -Iz:/build/build/src/netwerk/base -Iz:/build/build/src/obj-firefox/dist/include -Iz:/build/build/src/obj-firefox/dist/include/nspr -Iz:/build/build/src/obj-firefox/dist/include/nss -MD -FI z:/build/build/src/obj-firefox/mozilla-config.h -DMOZILLA_CLIENT -utf-8 -TC -nologo -wd4091 -D_HAS_EXCEPTIONS=0 -W3 -Gy -Zc:inline -arch:SSE2 -Gw -wd4244 -wd4267 -we4553 -Z7 -O1 -Oi -Oy- -deps.deps/sctp_sysctl.obj.pp z:/build/build/src/netwerk/sctp/src/netinet/sctp_sysctl.c 15:57:23 INFO - sctp_sysctl.c 15:57:23 INFO - mozmake.EXE[4]: Leaving directory 'z:/build/build/src/obj-firefox/netwerk/sctp/src' 15:57:23 INFO - mozmake.EXE[4]: Entering directory 'z:/build/build/src/obj-firefox/netwerk/test' 15:57:23 INFO - z:/build/build/src/sccache2/sccache.exe z:/build/build/src/vs2017_15.6.0/VC/bin/Hostx64/x86/cl.exe -FoUnified_cpp_netwerk_test0.obj -c -Iz:/build/build/src/obj-firefox/dist/stl_wrappers -DNDEBUG=1 -DTRIMMED=1 -DWIN32_LEAN_AND_MEAN -D_WIN32 -DWIN32 -D_CRT_RAND_S -DCERT_CHAIN_PARA_HAS_EXTRA_FIELDS -DOS_WIN=1 -D_UNICODE -DCHROMIUM_BUILD -DU_STATIC_IMPLEMENTATION -DUNICODE -D_WINDOWS -D_SECURE_ATL -DCOMPILER_MSVC -DSTATIC_EXPORTABLE_JS_API -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -Iz:/build/build/src/netwerk/test -Iz:/build/build/src/obj-firefox/netwerk/test -Iz:/build/build/src/obj-firefox/ipc/ipdl/_ipdlheaders -Iz:/build/build/src/ipc/chromium/src -Iz:/build/build/src/ipc/glue -Iz:/build/build/src/obj-firefox/dist/include -Iz:/build/build/src/obj-firefox/dist/include/nspr -Iz:/build/build/src/obj-firefox/dist/include/nss -MD -FI z:/build/build/src/obj-firefox/mozilla-config.h -DMOZILLA_CLIENT -utf-8 -TP -nologo -w15038 -wd5026 -wd5027 -Zc:sizedDealloc- -wd4091 -wd4577 -D_HAS_EXCEPTIONS=0 -W3 -Gy -Zc:inline -arch:SSE2 -Gw -wd4251 -wd4244 -wd4267 -wd4800 -wd4595 -we4553 -D_SILENCE_TR1_NAMESPACE_DEPRECATION_WARNING -GR- -Z7 -O1 -Oi -Oy- -WX -deps.deps/Unified_cpp_netwerk_test0.obj.pp z:/build/build/src/obj-firefox/netwerk/test/Unified_cpp_netwerk_test0.cpp 15:57:23 INFO - Unified_cpp_netwerk_test0.cpp 15:57:23 INFO - z:/build/build/src/netwerk/test/TestNamedPipeService.cpp(251): error C3861: 'CreateEvent': identifier not found
Flags: needinfo?(ckerschb)
Assignee | ||
Comment 9•6 years ago
|
||
(In reply to Raul Gurzau (:RaulGurzau) from comment #8) > Backed out 2 changesets (bug 1452496) for bustage on > build/src/netwerk/test/TestNamedPipeService.cpp on a CLOSED TREE On it!
Flags: needinfo?(ckerschb)
Assignee | ||
Comment 10•6 years ago
|
||
Comment on attachment 8966170 [details] [diff] [review] bug_1452496_discard_same_site_cookie_tests.patch Cancelling the uplift request for now till I have fixed the issue within TestCookie.cpp
Attachment #8966170 -
Flags: approval-mozilla-beta?
Assignee | ||
Comment 11•6 years ago
|
||
So, I was able to fix the compile problem with regards to TestNamedPipeService.cpp. But still there is one problem left (see dt1 within [1]). When we check for third-party-ness of a same-site cookie we apparently get something wrong for inline scripts. In particular we don't allow the same-site cookie to be set within CanSetCookie for [2] because: aHostURI: http://test1.example.org/browser/devtools/client/storage/test/storage-cookies-samesite.html aChannelURI: about:blank I think inline scripts should be treated same-origin with the including context. I suppose the flag 'aHTTP' determines that, but also not entirely sure. ni? a bunch of folks who might now the answer! [1] https://treeherder.mozilla.org/#/jobs?repo=try&revision=913f6240f3ceb38be8c4689595bd8c8efdfcb415 [2] https://dxr.mozilla.org/mozilla-central/source/devtools/client/storage/test/storage-cookies-samesite.html#12
Flags: needinfo?(valentin.gosu)
Flags: needinfo?(jduell.mcbugs)
Flags: needinfo?(honzab.moz)
Flags: needinfo?(dd.mozilla)
Assignee | ||
Comment 12•6 years ago
|
||
Hey Mark, as discussed over IRC, inline same site cookies should be allowed if in same origin context, but should be discarded in cross site context. More explicitly: [allowed] SiteA loads frameA frameA does document.cookie = value=bla, samesite=strict [discard] Site loads frameB frameB does document.cookie = value=bla, samesite=strict To make sure, do we agree that this is expected behavior? Please also verify my test which should map the scenario. Still not sure how we can fix that in our code though.
Attachment #8966924 -
Flags: review?(mgoodwin)
Assignee | ||
Comment 13•6 years ago
|
||
Dan, Francois, do keep you in the loop as well, please see comment 11 and comment 12.
Flags: needinfo?(francois)
Flags: needinfo?(dveditz)
Assignee | ||
Comment 14•6 years ago
|
||
It seems that the root cause of the problem originates here [1], but even there the isForeign flag is already wrong in that particular case. [1] https://dxr.mozilla.org/mozilla-central/source/netwerk/cookie/CookieServiceParent.cpp#259-274
Comment 15•6 years ago
|
||
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #11) > So, I was able to fix the compile problem with regards to > TestNamedPipeService.cpp. > > But still there is one problem left (see dt1 within [1]). When we check for > third-party-ness of a same-site cookie we apparently get something wrong for > inline scripts. I think the best person to ask about how to recognize inline script security context is Boris. (ni? on him) > In particular we don't allow the same-site cookie to be set > within CanSetCookie for [2] because: > > aHostURI: > http://test1.example.org/browser/devtools/client/storage/test/storage- > cookies-samesite.html > aChannelURI: about:blank > > I think inline scripts should be treated same-origin with the including > context. I suppose the flag 'aHTTP' determines that, but also not entirely > sure. Not sure to which code you are referring exactly, but I assume that aHTTP arg represents 'http-only' cookie (a flag sent by the server), that instructs that cookie to no be exposed on document.cookie (IIUC), it doesn't stand for aHTTP == false => cookie comes from an inline script. > > ni? a bunch of folks who might now the answer! > > [1] > https://treeherder.mozilla.org/#/ > jobs?repo=try&revision=913f6240f3ceb38be8c4689595bd8c8efdfcb415 > [2] > https://dxr.mozilla.org/mozilla-central/source/devtools/client/storage/test/ > storage-cookies-samesite.html#12
Flags: needinfo?(honzab.moz) → needinfo?(bzbarsky)
Comment 16•6 years ago
|
||
There should be nothing special for inline scripts. That is, they should act just like <script src="something"> in terms of the cookie setter.
> aChannelURI: about:blank
What does the stack look like to the point where you're seeing this?
In general, the document.cookie setter uses the document's channel if there is one. If not, it creates a dummy channel with the principal URI of the document. So I don't see where about:blank would come from in devtools/client/storage/test/storage-cookies-samesite.html.
Flags: needinfo?(bzbarsky) → needinfo?(ckerschb)
Assignee | ||
Comment 17•6 years ago
|
||
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #16) > There should be nothing special for inline scripts. That is, they should > act just like <script src="something"> in terms of the cookie setter. > > > aChannelURI: about:blank > > What does the stack look like to the point where you're seeing this? Boris, thanks for your speedy response. The problem originates here [1], where we create that dummy channel with about:blank as the URI (see also stacktrace underneath). I guess we could explicitly pass around the 'aIsForeign' flag (see attached patch) which fixes the problem and the tests runs to completion correctly. The only problem is that currently we only compute the 'isForeign' flag in case RequireThirdPartyCheck() returns true. Would it be an option to *always* compute mThirdPartyUtil->IsThirdPartyChannel(aChannel, aHostURI, &isForeign); ? I am not sure what other implications that might have. Also within CookieServiceChild.cpp there are more calls to RequireThirdPartyCheck() which might also be affected. [1] https://dxr.mozilla.org/mozilla-central/source/netwerk/cookie/CookieServiceParent.cpp#259-274 Assertion failure: false (blah), at /home/ckerschb/source/mc/netwerk/cookie/nsCookieService.cpp:3495 0:49.92 GECKO(3480) #01: nsCookieService::CanSetCookie(nsIURI*, mozilla::net::nsCookieKey const&, nsCookieAttributes&, bool, CookieStatus, nsTDependentString<char>&, long, bool, bool, nsIChannel*, bool, bool&, mozIThirdPartyUtil*) (/home/ckerschb/source/mc/netwerk/cookie/nsCookieService.cpp:3495) 0:49.92 GECKO(3480) #02: nsCookieService::SetCookieInternal(nsIURI*, mozilla::net::nsCookieKey const&, bool, CookieStatus, nsTDependentString<char>&, long, bool, bool, bool, nsIChannel*) (/home/ckerschb/source/mc/netwerk/cookie/nsCookieService.cpp:3530) 0:49.92 GECKO(3480) #03: nsCookieService::SetCookieStringInternal(nsIURI*, bool, nsTDependentString<char>&, nsTString<char> const&, bool, bool, mozilla::OriginAttributes const&, nsIChannel*) (/home/ckerschb/source/mc/netwerk/cookie/nsCookieService.cpp:2221) 0:49.93 GECKO(3480) #04: mozilla::net::CookieServiceParent::RecvSetCookieString(mozilla::ipc::URIParams const&, bool const&, nsTString<char> const&, nsTString<char> const&, mozilla::OriginAttributes const&, bool const&) (/home/ckerschb/source/mc/netwerk/cookie/CookieServiceParent.cpp:274) 0:50.03 GECKO(3480) #05: mozilla::net::PCookieServiceParent::OnMessageReceived(IPC::Message const&) (/home/ckerschb/source/mc-obj-ff-dbg/ipc/ipdl/PCookieServiceParent.cpp:248) 0:50.03 GECKO(3480) #06: mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) (/home/ckerschb/source/mc-obj-ff-dbg/ipc/ipdl/PContentParent.cpp:3337) 0:50.05 GECKO(3480) #07: mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) (/home/ckerschb/source/mc/ipc/glue/MessageChannel.cpp:2135) 0:50.05 GECKO(3480) #08: mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) (/home/ckerschb/source/mc/ipc/glue/MessageCha
Attachment #8966327 -
Attachment is obsolete: true
Flags: needinfo?(ckerschb)
Comment 18•6 years ago
|
||
> where we create that dummy channel with about:blank as the URI OK. So if we expect this to not be about:blank, what is the stack to the corresponding SendSetCookieString? > Would it be an option to *always* compute I don't know; I'm not really familiar with the cookie or third-party service code.
Assignee | ||
Comment 19•6 years ago
|
||
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #18) > > where we create that dummy channel with about:blank as the URI > > OK. So if we expect this to not be about:blank, what is the stack to the > corresponding SendSetCookieString? Assertion failure: false (blah), at /home/ckerschb/source/mc/netwerk/cookie/CookieServiceChild.cpp:554 0:26.39 GECKO(9467) #01: mozilla::net::CookieServiceChild::SetCookieStringInternal(nsIURI*, nsIChannel*, char const*, char const*, bool) (/home/ckerschb/source/mc/netwerk/cookie/CookieServiceChild.cpp:554) 0:26.39 GECKO(9467) #02: mozilla::net::CookieServiceChild::SetCookieString(nsIURI*, nsIPrompt*, char const*, nsIChannel*) (/home/ckerschb/source/mc/netwerk/cookie/CookieServiceChild.cpp:648) 0:26.82 GECKO(9467) #03: nsHTMLDocument::SetCookie(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) (/home/ckerschb/source/mc/dom/html/nsHTMLDocument.cpp:1171 (discriminator 1)) 0:26.88 GECKO(9467) #04: mozilla::dom::HTMLDocumentBinding::set_cookie(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitSetterCallArgs) (/home/ckerschb/source/mc-obj-ff-dbg/dom/bindings/HTMLDocumentBinding.cpp:140) 0:26.91 GECKO(9467) #05: bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) (/home/ckerschb/source/mc/dom/bindings/BindingUtils.cpp:3135) 0:27.38 GECKO(9467) #06: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/home/ckerschb/source/mc/js/src/vm/JSContext-inl.h:290) 0:27.38 GECKO(9467) #07: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/home/ckerschb/source/mc/js/src/vm/Interpreter.cpp:467) 0:27.40 GECKO(9467) #08: InternalCall(JSContext*, js::AnyInvokeArgs const&) (/home/ckerschb/source/mc/js/src/vm/Interpreter.cpp:517) 0:27.40 GECKO(9467) #09: js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (/home/ckerschb/source/mc/js/src/vm/Interpreter.cpp:535) 0:27.41 GECKO(9467) #10: js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) (/home/ckerschb/source/mc/js/src/vm/Interpreter.cpp:664) 0:27.66 GECKO(9467) #11: SetExistingProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) (/home/ckerschb/source/mc/js/src/vm/NativeObject.cpp:2786) 0:27.67 GECKO(9467) #12: bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) (/home/ckerschb/source/mc/js/src/vm/NativeObject.cpp:2814) 0:28.30 GECKO(9467) #13: js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) (/home/ckerschb/source/mc/js/src/vm/NativeObject.h:1658) 0:28.31 GECKO(9467) #14: js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) (/home/ckerschb/source/mc/js/src/proxy/BaseProxyHandler.cpp:182) 0:28.32 GECKO(9467) #15: mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const (/home/ckerschb/source/mc/dom/bindings/DOMJSProxyHandler.cpp:220) 0:28.32 GECKO(9467) #16: js::Proxy::setInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) (/home/ckerschb/source/mc/js/src/proxy/Proxy.cpp:403) 0:28.33 GECKO(9467) #17: js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) (/home/ckerschb/source/mc/js/src/proxy/Proxy.cpp:413) 0:28.34 GECKO(9467) #18: JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) (/home/ckerschb/source/mc/js/src/vm/JSObject.cpp:1083) 0:28.35 GECKO(9467) #19: js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) (/home/ckerschb/source/mc/js/src/vm/NativeObject.h:1656) 0:28.37 GECKO(9467) #20: SetPropertyOperation(JSContext*, JSOp, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::Handle<JS::Value>) (/home/ckerschb/source/mc/js/src/vm/Interpreter.cpp:264) 0:28.39 GECKO(9467) #21: Interpret(JSContext*, js::RunState&) (/home/ckerschb/source/mc/js/src/vm/Interpreter.cpp:2881) 0:28.40 GECKO(9467) #22: js::RunScript(JSContext*, js::RunState&) (/home/ckerschb/source/mc/js/src/vm/Interpreter.cpp:417) 0:28.40 GECKO(9467) #23: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) (/home/ckerschb/source/mc/js/src/vm/Interpreter.cpp:700) 0:28.41 GECKO(9467) #24: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (/home/ckerschb/source/mc/js/src/vm/Interpreter.cpp:733) 0:28.43 GECKO(9467) #25: ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) (/home/ckerschb/source/mc/js/src/jsapi.cpp:4702) 0:28.45 GECKO(9467) #26: ExecuteScript(JSContext*, JS::AutoVector<JSObject*>&, JS::Handle<JSScript*>, JS::Value*) (/home/ckerschb/source/mc/js/src/jsapi.cpp:4721) 0:28.46 GECKO(9467) #27: JS_ExecuteScript(JSContext*, JS::AutoVector<JSObject*>&, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) (/home/ckerschb/source/mc/js/src/jsapi.cpp:4743) 0:28.73 GECKO(9467) #28: nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) (/home/ckerschb/source/mc/dom/base/nsJSUtils.cpp:268) 0:28.77 GECKO(9467) #29: mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) (/home/ckerschb/source/mc/dom/script/ScriptLoader.cpp:2327) 0:28.78 GECKO(9467) #30: mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) (/home/ckerschb/source/mc/dom/script/ScriptLoader.cpp:1956) 0:28.79 GECKO(9467) #31: mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) (/home/ckerschb/source/mc/dom/script/ScriptLoader.cpp:1595) 0:28.79 GECKO(9467) #32: mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) (/home/ckerschb/source/mc/dom/script/ScriptLoader.cpp:1314) 0:28.80 GECKO(9467) #33: mozilla::dom::ScriptElement::MaybeProcessScript() (/home/ckerschb/source/mc/dom/script/ScriptElement.cpp:141) 0:28.91 GECKO(9467) #34: nsIScriptElement::AttemptToExecute() (/home/ckerschb/source/mc-obj-ff-dbg/dist/include/nsIScriptElement.h:247) 0:28.91 GECKO(9467) #35: nsHtml5TreeOpExecutor::RunScript(nsIContent*) (/home/ckerschb/source/mc/parser/html/nsHtml5TreeOpExecutor.cpp:739) 0:28.92 GECKO(9467) #36: nsHtml5TreeOpExecutor::RunFlushLoop() (/home/ckerschb/source/mc/parser/html/nsHtml5TreeOpExecutor.cpp:541) 0:28.93 GECKO(9467) #37: nsHtml5ExecutorFlusher::Run() (/home/ckerschb/source/mc/parser/html/nsHtml5StreamParser.cpp:123) 0:28.97 GECKO(9467) #38: mozilla::SchedulerGroup::Runnable::Run() (/home/ckerschb/source/mc/xpcom/threads/SchedulerGroup.cpp:337) 0:28.97 GECKO(9467) #39: nsThread::ProcessNextEvent(bool, bool*) (/home/ckerschb/source/mc/xpcom/threads/nsThread.cpp:1100) 0:28.99 GECKO(9467) #40: NS_ProcessNextEvent(nsIThread*, bool) (/home/ckerschb/source/mc/xpcom/threads/nsThreadUtils.cpp:519) 0:29.02 GECKO(9467) #41: mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (/home/ckerschb/source/mc/ipc/glue/MessagePump.cpp:97) 0:29.02 GECKO(9467) #42: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/home/ckerschb/source/mc/ipc/glue/MessagePump.cpp:302) 0:29.04 GECKO(9467) #43: MessageLoop::RunInternal() (/home/ckerschb/source/mc/ipc/chromium/src/base/message_loop.cc:327) 0:29.05 GECKO(9467) #44: MessageLoop::RunHandler() (/home/ckerschb/source/mc/ipc/chromium/src/base/message_loop.cc:320) 0:29.05 GECKO(9467) #45: MessageLoop::Run() (/home/ckerschb/source/mc/ipc/chromium/src/base/message_loop.cc:298) 0:29.08 GECKO(9467) #46: nsBaseAppShell::Run() (/home/ckerschb/source/mc/widget/nsBaseAppShell.cpp:159) 0:29.10 GECKO(9467) #47: XRE_RunAppShell() (/home/ckerschb/source/mc/toolkit/xre/nsEmbedFunctions.cpp:893) 0:29.11 GECKO(9467) #48: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/home/ckerschb/source/mc/ipc/glue/MessagePump.cpp:269) 0:29.11 GECKO(9467) #49: MessageLoop::RunInternal() (/home/ckerschb/source/mc/ipc/chromium/src/base/message_loop.cc:327) 0:29.11 GECKO(9467) #50: MessageLoop::RunHandler() (/home/ckerschb/source/mc/ipc/chromium/src/base/message_loop.cc:320)
Assignee | ||
Comment 20•6 years ago
|
||
Are you suggesting serializing the ChannelURI and that use that URI to create the dummy Channel?
Comment 21•6 years ago
|
||
Oh, I see. We're passing in the "host uri" but that's the URI of the document, but creating the dummy channel with about:blank as the channel URI. Yes, we should be using the right channel URI here! That's what happens in the non-e10s case, no? What's happening here is that the document is creating a dummy channel with the right URI, and then the e10s cookie machinery is throwing it out, afaict.
Assignee | ||
Comment 22•6 years ago
|
||
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #21) > Oh, I see. We're passing in the "host uri" but that's the URI of the > document, but creating the dummy channel with about:blank as the channel URI. > > Yes, we should be using the right channel URI here! Since we are on it, should we also serialize other bits of the channel? ContentPolicyType? SecurityFlags? Or just the URI which is enough to make this particular test case work.
Comment 23•6 years ago
|
||
I don't know. Does the cookie service use those bits? If it does, it should probably not lose them when crossing the e10s boundary....
Assignee | ||
Comment 24•6 years ago
|
||
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #23) > I don't know. Does the cookie service use those bits? If it does, it > should probably not lose them when crossing the e10s boundary.... The cookie service does not ever query the loadinfo from the channel, hence I only serialized the channel URI which is then used to create the dummy channel. Would you be willing to review that change?
Attachment #8967091 -
Attachment is obsolete: true
Flags: needinfo?(valentin.gosu)
Flags: needinfo?(jduell.mcbugs)
Flags: needinfo?(francois)
Flags: needinfo?(dveditz)
Flags: needinfo?(dd.mozilla)
Attachment #8967111 -
Flags: review?(bzbarsky)
Comment 25•6 years ago
|
||
Comment on attachment 8966924 [details] [diff] [review] bug_1452496_discard_same_site_cookie_inline_script_tests.patch Review of attachment 8966924 [details] [diff] [review]: ----------------------------------------------------------------- I think we're good other than the fact that CROSS_ORIGIN looks fairly same-origin to me... ::: dom/security/test/general/test_same_site_cookies_from_script.html @@ +25,5 @@ > + > +SimpleTest.waitForExplicitFinish(); > + > +const SAME_ORIGIN = "http://example.com/"; > +const CROSS_ORIGIN = "http://example.com/"; Shouldn't SAME_ORIGIN and CROSS_ORIGIN differ?
Attachment #8966924 -
Flags: review?(mgoodwin) → review-
Assignee | ||
Comment 26•6 years ago
|
||
Comment on attachment 8967111 [details] [diff] [review] bug_1452496_discard_same_site_cookie.patch There is a little more to it actually, let me put everything in one patch!
Attachment #8967111 -
Attachment is obsolete: true
Attachment #8967111 -
Flags: review?(bzbarsky)
Assignee | ||
Comment 27•6 years ago
|
||
Rebased and some nits, carrying over r+ from mgoodwin!
Attachment #8966170 -
Attachment is obsolete: true
Attachment #8967275 -
Flags: review+
Assignee | ||
Comment 28•6 years ago
|
||
Separated the gtests which have already been r+ by dveditz within comment 5.
Attachment #8967276 -
Flags: review+
Assignee | ||
Comment 29•6 years ago
|
||
(In reply to Mark Goodwin [:mgoodwin] from comment #25) > Shouldn't SAME_ORIGIN and CROSS_ORIGIN differ? Indeed, I realized that shortly after uploading when testing my patch.
Attachment #8966924 -
Attachment is obsolete: true
Attachment #8967279 -
Flags: review?(mgoodwin)
Assignee | ||
Comment 30•6 years ago
|
||
Valentin, let me highlight and summarize the changes here: a) Within Bug 1286861 we introduced the concept of NS_IsTopLevelForeign() which checked the same-siteness for top-level loads. Within this bug I realized that 'aForeign' does not always return the right value, in particular for inline scripts. I realized that RequireThirdPartyCheck() quite often guards the calculation of the third-partyness. Since we are going to uplift same-site cookies to beta I don't want to risk any breakage and hence I changed NS_IsTopLevelForeign() to NS_IsSameSiteForeign() which not only checks for top-level third-partyness but *always* performs the third party check required for same site cookies. I added automated tests which got reviewed by Dan and Mgoodwin. b) Within RecvSetCookieString() we created a dummy channel using about:blank as the uri [1] instead of using the correct URI of the channel which also caused third-party checks to fail. I updated those bits and serialized the actual URI for the channel from child to parent. Here is a TRY run: https://treeherder.mozilla.org/#/jobs?repo=try&revision=b97b00759720b1eb54c732b808501452cb845b68 Thanks, Christoph [1] https://dxr.mozilla.org/mozilla-central/source/netwerk/cookie/CookieServiceParent.cpp#259-274
Attachment #8967281 -
Flags: review?(valentin.gosu)
Updated•6 years ago
|
Attachment #8967279 -
Flags: review?(mgoodwin) → review+
Comment 31•6 years ago
|
||
Comment on attachment 8967281 [details] [diff] [review] bug_1452496_discard_same_site_cookie.patch Review of attachment 8967281 [details] [diff] [review]: ----------------------------------------------------------------- Looks great!
Attachment #8967281 -
Flags: review?(valentin.gosu) → review+
Comment 32•6 years ago
|
||
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/453b91e427d6 Discard same-site cookie in cross site context. r=valentin https://hg.mozilla.org/integration/mozilla-inbound/rev/532a1bb332ba gtest for discarding same-site cookies in cross site context. r=dveditz https://hg.mozilla.org/integration/mozilla-inbound/rev/2b60b41eda62 Test for discarding same-site cookie in cross site context. r=mgoodwin https://hg.mozilla.org/integration/mozilla-inbound/rev/87b552f9c09b Test for discarding same-site cookies using inline scripts in cross origin context. r=mgoodwin
Assignee | ||
Comment 33•6 years ago
|
||
Comment on attachment 8967275 [details] [diff] [review] bug_1452496_discard_same_site_cookie_tests.patch Approval Request Comment [Feature/Bug causing the regression]: Bug 1452496 [User impact if declined]: same-site cookies in cross origin context are allowed to be set. [Is this code covered by automated tests?]: Yes [Has the fix been verified in Nightly?]: Not yet. [Needs manual test from QE? If yes, steps to reproduce]: No [List of other uplifts needed for the feature/fix]: Bug 1286861 needs to be applied before this patch. [Is the change risky?]: No [Why is the change risky/not risky?]: Only affects same-site cookies. [String changes made/needed]: no Patches should be applied in the following order: 0 U bug_1452496_discard_same_site_cookie: Bug 1452496: Discard same-site cookie in cross site context. r=valentin 1 U bug_1452496_discard_same_site_gtests: Bug 1452496: gtest for discarding same-site cookies in cross site context. r=dveditz 2 U bug_1452496_discard_same_site_cookie_tests: Bug 1452496: Test for discarding same-site cookie in cross site context. r=mgoodwin 3 U bug_1452496_discard_same_site_cookie_inline_script_tests: Bug 1452496: Test for discarding same-site cookies using inline scripts in cross origin.
Attachment #8967275 -
Flags: approval-mozilla-beta?
Assignee | ||
Comment 34•6 years ago
|
||
Comment on attachment 8967276 [details] [diff] [review] bug_1452496_discard_same_site_gtests.patch Approval Request Comment See comment 33
Attachment #8967276 -
Flags: approval-mozilla-beta?
Assignee | ||
Comment 35•6 years ago
|
||
Comment on attachment 8967279 [details] [diff] [review] bug_1452496_discard_same_site_cookie_inline_script_tests.patch Approval Request Comment See comment 33
Attachment #8967279 -
Flags: approval-mozilla-beta?
Assignee | ||
Comment 36•6 years ago
|
||
Comment on attachment 8967281 [details] [diff] [review] bug_1452496_discard_same_site_cookie.patch Approval Request Comment See comment 33
Attachment #8967281 -
Flags: approval-mozilla-beta?
Comment 37•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/453b91e427d6 https://hg.mozilla.org/mozilla-central/rev/532a1bb332ba https://hg.mozilla.org/mozilla-central/rev/2b60b41eda62 https://hg.mozilla.org/mozilla-central/rev/87b552f9c09b
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox61:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Comment 38•6 years ago
|
||
Comment on attachment 8967275 [details] [diff] [review] bug_1452496_discard_same_site_cookie_tests.patch followup for samesite cookies, approved for 60.0b13
Attachment #8967275 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Updated•6 years ago
|
Attachment #8967276 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Updated•6 years ago
|
Attachment #8967279 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Updated•6 years ago
|
Attachment #8967281 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment hidden (obsolete) |
Comment 40•6 years ago
|
||
Backed out for bustage. Looks like the newly-added gtest depends on bug 1439713, which is only on 61. Christoph, can you adjust the patch around that? https://treeherder.mozilla.org/logviewer.html#?job_id=173698593&repo=mozilla-beta
Flags: needinfo?(ckerschb)
Comment 41•6 years ago
|
||
backout |
https://hg.mozilla.org/releases/mozilla-beta/rev/12e79afb160d5574669e13664cbcac3c66375551
Assignee | ||
Comment 42•6 years ago
|
||
Ryan, you are right. All we have to do is use SEC_ALLOW_CROSS_ORIGIN_DATA_IS_NULL instead of SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK. I updated that within this patch, ran TestCookie locally and everything should be fine now. Thanks!
Flags: needinfo?(ckerschb)
Comment 43•6 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/84c492af301f https://hg.mozilla.org/releases/mozilla-beta/rev/7aa5a506eaa0 https://hg.mozilla.org/releases/mozilla-beta/rev/d367a7b18722 https://hg.mozilla.org/releases/mozilla-beta/rev/9f6f88626ac4
You need to log in
before you can comment on or make changes to this bug.
Description
•