Closed Bug 1476324 Opened 2 years ago Closed 2 years ago

Storage activation via window.open(URL) applies across top-level domains

Categories: Firefox :: Security, enhancement

Tracking: RESOLVED FIXED, Firefox 63
Tracking Status: firefox63 --- fixed

People: Reporter: englehardt, Assigned: baku

References: Blocks 1 open bug

Attachments: 3 files

As part of the new cookie restrictions (Bug 1473978) we implemented a storage activation heuristic based on the use of window.open by the opening document (Bug 1474651). This heuristic is intended to allow storage access for the target of the window.open call only on the opening document's site. Instead, it appears to enable storage access for that third party on all first parties.

Steps to reproduce:

With a fresh profile, visit:

https://senglehardt.com/test/identity_providers/facebook.html

and

https://www.cs.princeton.edu/~ste/test/identity_providers/facebook.html

In both cases no cookies should be sent in requests to Facebook.

Click "Login In" on senglehardt.com.
Refresh the princeton.edu tab.

You should now see cookies sent to Facebook on the princeton.edu page.
Blocks: 1474651
Attached patch part 2 - tests
Assignee: nobody → amarchesini
Attachment #8992757 - Flags: review?(ehsan)
Attachment #8992758 - Flags: review?(ehsan)
Attachment #8992758 - Flags: review?(ehsan) → review+
Attachment #8992757 - Flags: review?(ehsan) → review+
Currently we annotate only 3rd party channels. We must also annotate top-level channels because we need to grant the first party storage permission if a top-level non-tracking page does a window.open(tracker) and the user interacts with that tracker page.
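The scoping that the description and the comment above call for can be written down as a small regression model. This is an added example, not Firefox code or any of the attached patches: the `StorageGrants` class, the `reproduce` helper and the `.example` origins are constructed for illustration, and keying a grant on the pair (opener origin, opened origin) is an assumption about how to express "only on the opening document's site". The `scoped: false` mode models only the reported symptom, not its actual cause.

```javascript
// Toy model of the window.open storage-activation heuristic (illustrative only).
class StorageGrants {
  constructor({ scoped }) {
    this.scoped = scoped;          // false: grant keyed on the third party alone
    this.grants = new Set();
    this.pendingOpens = new Map(); // opened origin -> opener top-level origin
  }
  static origin(url) { return new URL(url).origin; }
  key(topLevel, thirdParty) {
    return this.scoped ? `${topLevel}|${thirdParty}` : thirdParty;
  }
  // A top-level page calls window.open(popupUrl).
  windowOpen(openerUrl, popupUrl) {
    this.pendingOpens.set(StorageGrants.origin(popupUrl),
                          StorageGrants.origin(openerUrl));
  }
  // The user interacts with the opened page: record a grant for its opener.
  userInteraction(popupUrl) {
    const popup = StorageGrants.origin(popupUrl);
    const opener = this.pendingOpens.get(popup);
    if (opener === undefined) return false; // not opened via window.open
    this.grants.add(this.key(opener, popup));
    return true;
  }
  // Would a request to thirdPartyUrl embedded in topLevelUrl carry cookies?
  cookiesSent(topLevelUrl, thirdPartyUrl) {
    const top = StorageGrants.origin(topLevelUrl);
    const third = StorageGrants.origin(thirdPartyUrl);
    return this.grants.has(this.key(top, third));
  }
}

// Constructed stand-ins for the two first parties and the identity provider.
const SITE_A = "https://site-a.example/login.html";
const SITE_B = "https://site-b.example/login.html";
const IDP = "https://idp.example/dialog";

// Replays the steps to reproduce: check both sites, log in on A, re-check both.
function reproduce(scoped) {
  const g = new StorageGrants({ scoped });
  const before = [g.cookiesSent(SITE_A, IDP), g.cookiesSent(SITE_B, IDP)];
  g.windowOpen(SITE_A, IDP);
  g.userInteraction(IDP);
  return { before, siteA: g.cookiesSent(SITE_A, IDP),
           siteB: g.cookiesSent(SITE_B, IDP) };
}

console.log("unscoped:", reproduce(false));
console.log("scoped:  ", reproduce(true));
```

A regression test for the fixed behaviour asserts that `siteB` stays `false` after the login on site A.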
Attachment #8992870 - Flags: review?(francois)
Comment on attachment 8992870
part 3 - annotate top-level channel

Review of attachment 8992870:
-----------------------------------------------------------------

Stealing!
Attachment #8992870 - Flags: review?(francois) → review+
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/48dbdb55cabe
Storage activation via window.open(URL) applies across top-level domains - part 1 - window.open() from top-level, r=ehsan
https://hg.mozilla.org/integration/mozilla-inbound/rev/2272ac475d49
Storage activation via window.open(URL) applies across top-level domains - part 2 - tests, r=ehsan
https://hg.mozilla.org/integration/mozilla-inbound/rev/1b81fd5d2002
Storage activation via window.open(URL) applies across top-level domains - part 3 - annotate top-level channels, r=ehsan
Depends on: 1476715