Closed
Bug 1454721
Opened 7 years ago
Closed 7 years ago
Add same-site cookie test for about:blank and about:srcdoc
Categories
(Core :: DOM: Security, enhancement, P1)
Core
DOM: Security
Tracking
()
RESOLVED
FIXED
mozilla61
| Tracking | Status | |
|---|---|---|
| firefox61 | --- | fixed |
People
(Reporter: ckerschb, Assigned: ckerschb)
References
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file, 1 obsolete file)
|
9.67 KB,
patch
|
ckerschb
:
review+
|
Details | Diff | Splinter Review |
No description provided.
|
Assignee | |
Updated•7 years ago
|
Blocks: samesite-cookies
|
|
Assignee | |
Updated•7 years ago
|
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [domsecurity-active]
|
|
Assignee | |
Comment 1•7 years ago
|
||
Hey Dan, as far as I understand this is the behavior we are expecting fro about:srcdoc and about:blank which both inherit the security context.
If the including context is same-origin, then we grant access to same site cookies and if the including context is cross-origin, then we do not grant access to same site cookies.
Attachment #8968645 -
Flags: review?(dveditz)
|
||
Comment 2•7 years ago
|
||
It's not exactly the "including context", it's the effective script origin. That's usually the same thing though, and in any case should be correct if you get it from the channel. see bug 802895 comment 18
|
|
||
Comment 3•7 years ago
|
||
Comment on attachment 8968645 [details] [diff] [review]
bug_1454721_test_same_site_about.patch
Review of attachment 8968645 [details] [diff] [review]:
-----------------------------------------------------------------
This looks good as a loading test so let's land it. I think we also need equivalent navigation tests as well to make sure we don't look at navigation from about:srcdoc and say that's cross-origin. That is
parent
<iframe about:...>
onload -> document.location = cookie-testing site
Where parent is SAME-SITE and CROSS-SITE, and the frame is about:srcdoc and about:blank. Basically the cases you test here except with a navigation instead of a sub-frame.
r=dveditz
Attachment #8968645 -
Flags: review?(dveditz) → review+
|
|
Assignee | |
Comment 4•7 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #3)
> Where parent is SAME-SITE and CROSS-SITE, and the frame is about:srcdoc and
> about:blank. Basically the cases you test here except with a navigation
> instead of a sub-frame.
Yeah, that makes sense. I extended the tests to not only include sub-frame inclusion but also navigational tests.
Carrying over r+ from dveditz!
Attachment #8968645 -
Attachment is obsolete: true
Attachment #8968824 -
Flags: review+
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8306e1afdb9b
Add same-site cookie test for about:blank and about:srcdoc. r=dveditz
|
||
Comment 6•7 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox61:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
You need to log in
before you can comment on or make changes to this bug.
Description
•