Open
Bug 1475811
Opened 4 years ago
Updated 6 months ago
Entering URLs in address bar violates FPI
Categories
(Firefox :: Address Bar, enhancement, P5)
Firefox
Address Bar
Tracking
()
NEW
People
(Reporter: arthur, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [tor 26353][dfpi-ok])
In Tor Browser, we observed that first-party isolation was violated by a speculative connect when the user entered a URL or search term in the address bar. The line causing this was here: https://dxr.mozilla.org/mozilla-esr60/rev/dd52b41d2b775e5c7261ce52795268b7670635fc/toolkit/components/remotebrowserutils/RemoteWebNavigation.js#92 It seems the principal is null, and therefore no firstPartyDomain is assigned. For a visit to a new site, the firstPartyDomain should be assigned to the URL entered by the user. For a search string, the firstPartyDomain should be assigned to the search engine domain. However, I'm not sure where the patch should go: whether it should be local, or if a principal needs to be generated and passed upstream of this function.
Updated•4 years ago
|
Priority: -- → P5
Comment 1•2 years ago
|
||
IIUC, this issue would be FPI only since dFPI doesn't fill firstPartyDomain field for top-level requests.
Whiteboard: [tor 26353] → [tor 26353][dfpi-ok]
You need to log in
before you can comment on or make changes to this bug.
Description
•