Open Bug 1475811 Opened 4 years ago Updated 6 months ago

Entering URLs in address bar violates FPI


(Firefox :: Address Bar, enhancement, P5)





(Reporter: arthur, Unassigned)


(Blocks 1 open bug)


(Whiteboard: [tor 26353][dfpi-ok])

In Tor Browser, we observed that first-party isolation was violated by a speculative connect when the user entered a URL or search term in the address bar. The line causing this was here:

It seems the principal is null, and therefore no firstPartyDomain is assigned. For a visit to a new site, the firstPartyDomain should be assigned to the URL entered by the user. For a search string, the firstPartyDomain should be assigned to the search engine domain.

However, I'm not sure where the patch should go: whether it should be local, or if a principal needs to be generated and passed upstream of this function.

Priority: -- → P5

IIUC, this issue would be FPI-only, since dFPI doesn't fill the firstPartyDomain field for top-level requests.

Whiteboard: [tor 26353] → [tor 26353][dfpi-ok]