Add same-site cookie test for about:blank and about:srcdoc

RESOLVED FIXED in Firefox 61

Status

enhancement
P1
normal
RESOLVED FIXED

People

(Reporter: ckerschb, Assigned: ckerschb)

Tracking

(Blocks 1 bug)

unspecified
mozilla61

Firefox Tracking Flags

(firefox61 fixed)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 attachment, 1 obsolete attachment)

No description provided.
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [domsecurity-active]
Hey Dan, as far as I understand this is the behavior we are expecting for about:srcdoc and about:blank which both inherit the security context.

If the including context is same-origin, then we grant access to same site cookies and if the including context is cross-origin, then we do not grant access to same site cookies.
Attachment #8968645 - Flags: review?(dveditz)
It's not exactly the "including context", it's the effective script origin. That's usually the same thing though, and in any case should be correct if you get it from the channel. See bug 802895 comment 18.
Comment on attachment 8968645
bug_1454721_test_same_site_about.patch

Review of attachment 8968645:
-----------------------------------------------------------------

This looks good as a loading test so let's land it. I think we also need equivalent navigation tests as well to make sure we don't look at navigation from about:srcdoc and say that's cross-origin. That is
   parent
      <iframe about:...>
          onload -> document.location = cookie-testing site

Where parent is SAME-SITE and CROSS-SITE, and the frame is about:srcdoc and about:blank. Basically the cases you test here except with a navigation instead of a sub-frame.

r=dveditz
Attachment #8968645 - Flags: review?(dveditz) → review+
(In reply to Daniel Veditz [:dveditz] from comment #3)
> Where parent is SAME-SITE and CROSS-SITE, and the frame is about:srcdoc and
> about:blank. Basically the cases you test here except with a navigation
> instead of a sub-frame.

Yeah, that makes sense. I extended the tests to not only include sub-frame inclusion but also navigational tests.

Carrying over r+ from dveditz!
Attachment #8968645 - Attachment is obsolete: true
Attachment #8968824 - Flags: review+
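
The matrix discussed in the review above (parent SAME-SITE or CROSS-SITE, frame about:blank or about:srcdoc, sub-frame load or navigation), modeled as an added example that is not the test from the attached patch. The hostnames, the function names and the two-label approximation of "site" are assumptions made for illustration; the model also shows why deriving the origin from the about: URL itself, instead of the inherited one, would misclassify the same-site cases.

```javascript
// Added illustration; not code from the Firefox test in this bug.
// Assumption: "site" is approximated as the last two host labels
// (real browsers consult the Public Suffix List).
function siteOf(origin) {
  if (origin === null) return null; // opaque origin: same-site with nothing
  return new URL(origin).hostname.split(".").slice(-2).join(".");
}

// about:blank and about:srcdoc have no host of their own; they inherit the
// security context of the document that created them.
function effectiveOrigin(frameUrl, parentOrigin) {
  if (frameUrl === "about:blank" || frameUrl === "about:srcdoc") {
    return parentOrigin;
  }
  return new URL(frameUrl).origin;
}

// Naive variant: looks only at the frame URL, so about: documents end up
// with an opaque ("null") origin.
function naiveOrigin(frameUrl) {
  const origin = new URL(frameUrl).origin;
  return origin === "null" ? null : origin;
}

function sameSiteCookieSent(initiatorOrigin, cookieOrigin) {
  const site = siteOf(initiatorOrigin);
  return site !== null && site === siteOf(cookieOrigin);
}

// Constructed sample origins.
const COOKIE_ORIGIN = "https://cookies.example.com";
const PARENTS = {
  "SAME-SITE": "https://www.example.com",
  "CROSS-SITE": "https://www.example.org",
};

// In both kinds of test the request to COOKIE_ORIGIN is initiated by the
// about: document, either by loading a sub-frame or by navigating itself.
function runMatrix(originFor) {
  const rows = [];
  for (const [parent, parentOrigin] of Object.entries(PARENTS))
    for (const frame of ["about:blank", "about:srcdoc"])
      for (const kind of ["sub-frame load", "navigation"])
        rows.push({ parent, frame, kind,
          sent: sameSiteCookieSent(originFor(frame, parentOrigin), COOKIE_ORIGIN) });
  return rows;
}

console.table(runMatrix(effectiveOrigin));               // inherited origin
console.table(runMatrix((frame) => naiveOrigin(frame))); // frame URL only
```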
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8306e1afdb9b
Add same-site cookie test for about:blank and about:srcdoc. r=dveditz
https://hg.mozilla.org/mozilla-central/rev/8306e1afdb9b
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla61