Closed Bug 1557887 Opened 5 years ago Closed 5 years ago

Escape from partition by force-creating the initial about:blank document

Categories

(Core :: Privacy: Anti-Tracking, task)

task
Not set
normal

Tracking


RESOLVED FIXED
mozilla69
Tracking Status
firefox69 --- fixed

People

(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)

References

(Blocks 1 open bug)

Details

Attachments

(11 files)


We pass the wrong storage principal when creating a blank document in nsContentDLF::CreateBlankDocument. This causes third-party iframes to be able to have code like this which can access first-party storage:

let i = document.createElement("iframe");
i.src = "about:blank";
document.body.appendChild(i);
i.contentWindow   // creates the initial about:blank
 .indexedDB;      // accesses first-party storage

For the reject-tracker behaviour mode we only allow storage access
to singly nested tracker iframes per our heuristics or the storage
access API rules, but we don't want this behaviour for general
partitioning of third-party storage.
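To make the storage-principal mix-up concrete, here is a small added model of how an initial about:blank document inherits its principals from the frame that created it (an illustration written for this page, not Gecko code); the plain-object principals, the `^partitionKey=` suffix and the function names are constructed for the example.

```javascript
// Simplified model of principal inheritance for an initial about:blank
// document. Not Gecko code: principals are plain objects and the
// "^partitionKey=" suffix is a constructed stand-in for origin attributes.

// A content principal identifies the origin; a storage principal is the same
// origin plus the top-level site it is partitioned under (if any).
function makeWindow(origin, topLevelSite) {
  const principal = { origin, partitionKey: null };
  const partitioned = Boolean(topLevelSite) && topLevelSite !== origin;
  const storagePrincipal = {
    origin,
    partitionKey: partitioned ? topLevelSite : null,
  };
  return { principal, storagePrincipal };
}

// The bucket that storage (indexedDB, localStorage, ...) is keyed by.
function storageKey(p) {
  return p.partitionKey ? `${p.origin}^partitionKey=${p.partitionKey}` : p.origin;
}

// Behaviour described in the bug: the blank document reuses the creator's
// content principal as its storage principal, so a partitioned third-party
// frame ends up with unpartitioned (first-party) storage.
function createBlankDocumentBuggy(creator) {
  return { principal: creator.principal, storagePrincipal: creator.principal };
}

// Fixed behaviour: the creator's storage principal is threaded through
// (the storagePrincipalToInherit idea), so the blank document stays partitioned.
function createBlankDocumentFixed(creator) {
  return { principal: creator.principal, storagePrincipal: creator.storagePrincipal };
}

// Check in the spirit of Part 11: a third-party window and the initial
// about:blank documents it creates (nested `depth` levels, covering the
// doubly+ nested case) must all resolve to the same partitioned storage key.
function escapesPartition(createBlank, depth) {
  const thirdParty = makeWindow("https://tracker.example", "https://example.com");
  let doc = thirdParty;
  for (let i = 0; i < depth; i++) doc = createBlank(doc);
  return storageKey(doc.storagePrincipal) !== storageKey(thirdParty.storagePrincipal);
}
```

With the buggy creator the blank document's key collapses to the bare origin, which is the same bucket that origin has when visited as a first party.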

This is necessary in case we encounter an initial about:blank document channel
in our anti-tracking checks. Right now we get an nsInputStreamChannel which
causes us to bail out of the anti-tracking checks.

Bugbug thinks this bug is a task, but please change it back in case of error.

Type: defect → task
Blocks: 1558969
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/762351d3c242
Part 1: Add the browser.contentStoragePrincipal attribute; r=mconley
https://hg.mozilla.org/integration/autoland/rev/a81f25db2f60
Part 2: Add the nsISHEntry.storagePrincipalToInherit attribute; r=baku
https://hg.mozilla.org/integration/autoland/rev/934849c71795
Part 3: Extend nsIDocShell.createAboutBlankContentViewer() to accept a storage principal argument; r=baku
https://hg.mozilla.org/integration/autoland/rev/d291a18dd7b9
Part 4: Port the browser.createAboutBlankContentViewer() API to the storage principal aware version of the docshell API; r=baku
https://hg.mozilla.org/integration/autoland/rev/5c23b9ba930f
Part 5: Pass a storage principal argument through the browser loadURI()/addTab() APIs; r=baku,mconley
https://hg.mozilla.org/integration/autoland/rev/33144e1ff5ab
Part 6: Pass a storage principal to the rest of the call sites for createAboutBlankContentViewer(); r=baku
https://hg.mozilla.org/integration/autoland/rev/cb76a6d08dac
Part 7: Ensure that the third-party checks in the anti-tracking backend do not fail in the presence of third-party about:blank URIs; r=baku
https://hg.mozilla.org/integration/autoland/rev/6bc9f19f7edd
Part 8: Ensure that third-party context partitioning doesn't fail for doubly+ nested iframes; r=baku
https://hg.mozilla.org/integration/autoland/rev/6f92c507abed
Part 9: Ensure that anti-tracking checks do not fail with non-HTTP channels; r=baku
https://hg.mozilla.org/integration/autoland/rev/b6a2568c9bd0
Part 10: Prevent initial about:blank documents from escaping out of partitioned storage by using the correct storage principal when creating them; r=baku
https://hg.mozilla.org/integration/autoland/rev/4a63f0a3a1f2
Part 11: Run the partitioning tests with third-party window objects that have loaded an initial about:blank document in addition to normal third-party window objects; r=baku
Depends on: 1565047
Depends on: 1565052