Closed Bug 1557887 Opened 2 years ago Closed 2 years ago

Escape from partition by force-creating the initial about:blank document

Categories

(Core :: Privacy: Anti-Tracking, task)

task
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla69
Tracking Status
firefox69 --- fixed

People

(Reporter: ehsan, Assigned: ehsan)

References

(Blocks 1 open bug)

Details

Attachments

(11 files)

47 bytes, text/x-phabricator-request
Details | Review
47 bytes, text/x-phabricator-request
Details | Review
47 bytes, text/x-phabricator-request
Details | Review
47 bytes, text/x-phabricator-request
Details | Review
47 bytes, text/x-phabricator-request
Details | Review
47 bytes, text/x-phabricator-request
Details | Review
47 bytes, text/x-phabricator-request
Details | Review
47 bytes, text/x-phabricator-request
Details | Review
47 bytes, text/x-phabricator-request
Details | Review
47 bytes, text/x-phabricator-request
Details | Review
47 bytes, text/x-phabricator-request
Details | Review

We pass the wrong storage principal when creating a blank document in nsContentDLF::CreateBlankDocument. This causes third-party iframes to be able to have code like this which can access first-party storage:

let i = document.createElement("iframe");
i.src="about:blank";
document.body.appendChild(i);
i.contentWindow // creates the initial about:blank
 .indexedDB;    // accesses first-party storage

For the reject-tracker behaviour mode we only allow storage access
to singly nested tracker iframes per our heuristics or the storage
access API rules, but we don't want this behaviour for general
partitioning of third-party storage.

This is necessary in case we encounter an initial about:blank document channel
in our anti-tracking checks. Right now we get an nsInputStreamChannel which
causes us to bail out of the anti-tracking checks.

Bugbug thinks this bug is a task, but please change it back in case of error.

Type: defect → task
Blocks: 1558969
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/762351d3c242
Part 1: Add the browser.contentStoragePrincipal attribute; r=mconley
https://hg.mozilla.org/integration/autoland/rev/a81f25db2f60
Part 2: Add the nsISHEntry.storagePrincipalToInherit attribute; r=baku
https://hg.mozilla.org/integration/autoland/rev/934849c71795
Part 3: Extend nsIDocShell.createAboutBlankContentViewer() to accept a storage principal argument; r=baku
https://hg.mozilla.org/integration/autoland/rev/d291a18dd7b9
Part 4: Port the browser.createAboutBlankContentViewer() API to the storage principal aware version of the docshell API; r=baku
https://hg.mozilla.org/integration/autoland/rev/5c23b9ba930f
Part 5: Pass a storage principal argument through the browser loadURI()/addTab() APIs; r=baku,mconley
https://hg.mozilla.org/integration/autoland/rev/33144e1ff5ab
Part 6: Pass a storage principal to the rest of the call sites for createAboutBlankContentViewer(); r=baku
https://hg.mozilla.org/integration/autoland/rev/cb76a6d08dac
Part 7: Ensure that the third-party checks in the anti-tracking backend do not fail in the presence of third-party about:blank URIs; r=baku
https://hg.mozilla.org/integration/autoland/rev/6bc9f19f7edd
Part 8: Ensure that third-party context partitioning doesn't fail for doubly+ nested iframes; r=baku
https://hg.mozilla.org/integration/autoland/rev/6f92c507abed
Part 9: Ensure that anti-tracking checks do not fail with non-HTTP channels; r=baku
https://hg.mozilla.org/integration/autoland/rev/b6a2568c9bd0
Part 10: Prevent initial about:blank documents from escaping out of partitioned storage by using the correct storage principal when creating them; r=baku
https://hg.mozilla.org/integration/autoland/rev/4a63f0a3a1f2
Part 11: Run the partitioning tests with third-party window objects that have loaded an initial about:blank document in addition to normal third-party window objects; r=baku
Depends on: 1565047
Depends on: 1565052
You need to log in before you can comment on or make changes to this bug.