Open Bug 1475811 Opened 4 years ago Updated 6 months ago

Entering URLs in address bar violates FPI

Categories: Firefox :: Address Bar, enhancement, P5

People: Reporter: arthur, Unassigned

References: Blocks 1 open bug

Details: Whiteboard: [tor 26353][dfpi-ok]

In Tor Browser, we observed that first-party isolation was violated by a speculative connect when the user entered a URL or search term in the address bar. The line causing this was here:

https://dxr.mozilla.org/mozilla-esr60/rev/dd52b41d2b775e5c7261ce52795268b7670635fc/toolkit/components/remotebrowserutils/RemoteWebNavigation.js#92

It seems the principal is null, and therefore no firstPartyDomain is assigned. For a visit to a new site, the firstPartyDomain should be assigned to the URL entered by the user. For a search string, the firstPartyDomain should be assigned to the search engine domain.

However, I'm not sure where the patch should go: whether it should be local, or if a principal needs to be generated and passed upstream of this function.
Priority: -- → P5
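
A simplified model of the behaviour the report above describes, added here as an illustration and not code from Firefox or Tor Browser: it derives the firstPartyDomain a typed URL or search term should carry and shows that a speculative connect made without one falls outside the isolation bucket the page load uses. The suffix list, host names, key format and all function names are constructed assumptions.

```javascript
// Added illustration: a simplified model, not Firefox or Tor Browser code.
// Constructed stand-in for the Public Suffix List.
const SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain (eTLD+1) of a host under the toy suffix list above.
function baseDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return host.toLowerCase();
}

// Hypothetical helper: input that parses as an http(s) URL is a navigation,
// anything else is a search sent to searchEngineHost.
function resolveTarget(input, searchEngineHost) {
  let host = searchEngineHost;
  try {
    const url = new URL(input);
    if (url.protocol === "http:" || url.protocol === "https:") host = url.hostname;
  } catch (e) {
    // Not a URL: handled as a search term.
  }
  return { host, firstPartyDomain: baseDomain(host) };
}

// Constructed key format: connections are shared only within one key.
function poolKey(host, attrs) {
  return host + "^firstPartyDomain=" + ((attrs && attrs.firstPartyDomain) || "");
}

// nullPrincipal=true models the report: the speculative connect carries no
// firstPartyDomain, so it lands outside the bucket the page load will use.
function typedNavigation(input, searchEngineHost, nullPrincipal) {
  const target = resolveTarget(input, searchEngineHost);
  const speculative = poolKey(target.host, nullPrincipal ? null : target);
  const load = poolKey(target.host, target);
  return { speculative, load, isolated: speculative === load };
}

// Constructed inputs: a typed URL and a typed search term.
console.log(typedNavigation("https://www.example.co.uk/page", "search.example.org", true));
console.log(typedNavigation("tor browser", "search.example.org", false));
```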

IIUC, this issue would be FPI only since dFPI doesn't fill firstPartyDomain field for top-level requests.

Whiteboard: [tor 26353] → [tor 26353][dfpi-ok]