Open Bug 1475811 Opened 7 years ago Updated 8 months ago

Entering URLs in address bar violates FPI

Categories

(Core :: DOM: Navigation, enhancement, P5)

Product:
Core
Component:
DOM: Navigation
Type:
enhancement

Tracking

()

People

(Reporter: arthur, Assigned: pierov)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [tor 26353][tor 31075][dfpi-ok])

Attachments

(1 file)

patch
1.33 KB, patch
Details | Diff | Splinter Review
In Tor Browser, we observed that first-party isolation was violated by a speculative connect when the user entered a URL or search term in the address bar. The line causing this was here: https://dxr.mozilla.org/mozilla-esr60/rev/dd52b41d2b775e5c7261ce52795268b7670635fc/toolkit/components/remotebrowserutils/RemoteWebNavigation.js#92 It seems the principal is null, and therefore no firstPartyDomain is assigned. For a visit to a new site, the firstPartyDomain should be assigned to the URL entered by the user. For a search string, the firstPartyDomain should be assigned to the search engine domain. However, I'm not sure where the patch should go: whether it should be local, or if a principal needs to be generated and passed upstream of this function.
Priority: -- → P5

IIUC, this issue would be FPI only since dFPI doesn't fill firstPartyDomain field for top-level requests.

Whiteboard: [tor 26353] → [tor 26353][dfpi-ok]
Attached patch patchSplinter Review

Hello!
I think this patch could solve the behavior you described in comment 0.
However, I am not sure on how to test it the correct way.
I have written a small hello world webapp to simulate third-party cookies, and with FPI enabled it work as expected.
However, I am not sure on how to catch any problem caused by the speculative connection.
Could you please tell me how you observed the violation in the first place?
We think that Tor Browser is not affected even without your original patch, because speculative connections are blocked when a proxy is used, if we understood correctly.
So, I am testing with Firefox, to try to understand what the wrong behavior would look like.

Thanks!

Assignee: nobody → pierov
Flags: needinfo?(arthuredelstein)

Redirect a needinfo that is pending on an inactive user to the triage owner.
:adw, since the bug has recent activity, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(arthuredelstein) → needinfo?(adw)

If the speculative connection being reported here is in RemoteWebNavigation, then this is downstream of the address bar. The address bar hands off to openTrustedLinkIn() to load URIs.

So I don't think the Address Bar component is well suited to handle this bug -- I know I'm not, and I don't know the answer to the question in comment 2 about how to test the patch in Firefox. Based on blame around the relevant lines in RemoteWebNavigation, it looks like Core :: DOM: Navigation might be a better component.

Component: Address Bar → DOM: Navigation
Flags: needinfo?(adw)
Product: Firefox → Core
Severity: normal → S3

Not sure if the same thing, but I've seen incorrect partitionKey behavior in predictive connections in Bug 1951466.

Blocks: tor-uplift-esr140
See Also: → 1951466, https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31075, https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26353
Whiteboard: [tor 26353][dfpi-ok] → [tor 26353][tor 31075][dfpi-ok]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: