Add a test to make sure "Save Page As" respect First-Party Isolation

RESOLVED FIXED in Firefox 66

Status

()

enhancement
P5
normal
RESOLVED FIXED
8 months ago
6 months ago

People

(Reporter: arthur, Assigned: timhuang)

Tracking

(Blocks 1 bug)

unspecified
Firefox 66
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox66 fixed)

Details

(Whiteboard: [tor 22343])

Attachments

(1 attachment, 2 obsolete attachments)

In Tor Browser, we introduced a patch to isolate a number of "Saving" options by first-party. Namely:

* File menu:
  - Save Page As
* Context menu in content pages:
  - Save Page As
  - Save Image As
  - Save Video As
  - Save Link As
  - Save Frame As
* Page Info "Media" Panel:
  - Save As

This involves ensuring the request channel has the correct principal (and OriginAttribute) so that we get proper stream isolation.

We'd like to propose uplifting this patch to Firefox.

Current Tor Browser patch:
https://torpat.ch/22343
Original Tor ticket:
https://trac.torproject.org/22343
Priority: -- → P3
Priority: P3 → P5

I believe that all "Save ... As" has followed OAs after bug 1469916. But it still doesn't have a test case for them.

Assignee: nobody → tihuang
Summary: "Save Page As" should respect First-Party Isolation → Add a test to make sure "Save Page As" respect First-Party Isolation
This patch adds a test case which tests following "Save ... As" options:

* File menu:
  - Save Page As
* Context menu in content pages:
  - Save Page As
  - Save Image As
  - Save Video As
  - Save Link As
  - Save Frame As
* Page Info "Media" Panel:
  - Save As

It triggers the save process and checks if the OA of the saving channel
has the correct first party domain.
Attachment #9036290 - Flags: review?(richard)
Attachment #9036290 - Flags: review?(amarchesini)
Comment on attachment 9036290 [details] [diff] [review]
Add a test case for assuring all "Save ... As" options honor the first party domain. r=baku,richard@torproject.org

Review of attachment 9036290 [details] [diff] [review]:
-----------------------------------------------------------------

::: browser/components/originattributes/test/browser/browser_firstPartyIsolation_saveAs.js
@@ +62,5 @@
> +});
> +
> +function createTemporarySaveDirectory() {
> +  let saveDir = Services.dirsvc.get("TmpD", Ci.nsIFile);
> +  saveDir.append("testsavedir");

saveDir.creatUnique(Ci.nsIFile.DIRECTORY_TYPE, 0o755);

without checking the existence.
Attachment #9036290 - Flags: review?(amarchesini) → review+
Comment on attachment 9036290 [details] [diff] [review]
Add a test case for assuring all "Save ... As" options honor the first party domain. r=baku,richard@torproject.org

Review of attachment 9036290 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me
Attachment #9036290 - Flags: review?(richard) → review+
Attachment #9036290 - Attachment is obsolete: true
Attachment #9037921 - Attachment is obsolete: true

Pushed by csabou@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0f709682e4a0
Add a test case for assuring all "Save ... As" options honor the first party domain. r=baku,richard@torproject.org

Keywords: checkin-needed
Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 66
You need to log in before you can comment on or make changes to this bug.