Open Bug 1475811 Opened 4 years ago Updated 6 months ago
Entering URLs in address bar violates FPI
In Tor Browser, we observed that first-party isolation was violated by a speculative connect when the user entered a URL or search term in the address bar. The line causing this was here: https://dxr.mozilla.org/mozilla-esr60/rev/dd52b41d2b775e5c7261ce52795268b7670635fc/toolkit/components/remotebrowserutils/RemoteWebNavigation.js#92 It seems the principal is null, and therefore no firstPartyDomain is assigned. For a visit to a new site, the firstPartyDomain should be assigned to the URL entered by the user. For a search string, the firstPartyDomain should be assigned to the search engine domain. However, I'm not sure where the patch should go: whether it should be local, or if a principal needs to be generated and passed upstream of this function.
Whiteboard: [tor 26353] → [tor 26353][dfpi-ok]
You need to log in before you can comment on or make changes to this bug.