Closed Bug 1552376 Opened 6 years ago Closed 3 years ago

shared + service workers throw a SecurityError when cookie lifetime policy = 2

Categories

(Core :: DOM: Service Workers, defect, P3)

Product:
Core
Component:
DOM: Service Workers
Version:
68 Branch
Type:
defect

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: thorin, Unassigned)

References

Details

Attachments

(1 file)

67-vanilla.png
37.42 KB, image/png
Details
Attached image 67-vanilla.png

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0

Steps to reproduce:

STR: In a vanilla profile in FF67 and in FF68 (the STR does not occur in FF66)

  • Load the test page [1], and check the tests for shared worker and service worker: they will both say "success" (don't worry about the subsequent tests)
  • Go to about:preferences#privacy, Cookies & Site Data, and tick "delete cookies & site data when FF closes"
  • ^^ this is the same as setting network.cookie.lifetimePolicy to 2 (default is 0)
  • Open the console and clear it
  • Refresh (F5) the test page
  • Check the two worker tests: they will now both say failed: SecurityError

Actual results:

see above

Expected results:

I would expect shared/service workers to be allowed (as cookies are allowed) and functional, as clearing data on close is a sanitizing procedure, rather than a security one.

Or is this by design?

Flags: needinfo?(jhofmann)

Might help if I provide the test page: https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#cookies

Has STR: --- → yes
Component: Untriaged → DOM: Service Workers
Product: Firefox → Core

I feel like a long time ago I saw a bug discussing this behavior, but I can't remember where it is now. Maybe baku knows what's up here?

Flags: needinfo?(jhofmann) → needinfo?(amarchesini)

Correction (now I've had some sleep), this also happens in 65 and 66. FF64 has the pref, but not the UI. So that's when it the change kicked in.

SharedWorkers are currently allowed in Ci.nsICookieService.ACCEPT_SESSION mode. This has changed during the implementation of StoragePrincipal, if I remember correctly.

About ServiceWorkers, they are not allowed, and I don't see any good reason to do so
https://searchfox.org/mozilla-central/rev/0078b9e7d42c366b102d7aec918caf64fed1d574/dom/serviceworkers/ServiceWorker.cpp#184-190

We can probably allow them too. The change is trivial, but I would like to see if asuth has a different opinion.

Flags: needinfo?(amarchesini) → needinfo?(bugmail)

That's bug 1413615 and we can implement it now. It's marked as dependent upon bug 1183245 which would be nice to fix but is not actually necessary to fix given how :baku implemented bug 1400678.

Flags: needinfo?(bugmail)
Severity: normal → S3

FWIW pretty sure shared workers is "fixed", it's just service workers these days.

Paul, this can be closed now that network.cookie.lifetimePolicy is deprecated in Bug 1759665. Unless you wanted to change the title and keep it around for cases when websites set session cookies, or edge cases of users changing a site exception to Allow for Session

Flags: needinfo?(pbz)

Given that we're removing the cookie lifetime policy I think we can close this bug. :asuth, could you please confirm?

Flags: needinfo?(pbz) → needinfo?(bugmail)

Yes, bug 1413615 is still relevant but this specific bug can be resolved. Since the specific bug criteria is no longer relevant, I'm going to mark this invalid but I would like to express this was a very valid bug to file at the time and I appreciate that it was filed!

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bugmail)
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: