Closed Bug 1557887 Opened 6 years ago Closed 6 years ago

Escape from partition by force-creating the initial about:blank document

Categories

(Core :: Privacy: Anti-Tracking, task)

task
Not set
normal

Tracking

RESOLVED FIXED
mozilla69
Tracking Status
firefox69 --- fixed

People

(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)

References

(Blocks 1 open bug)

Details

Attachments

(11 files)


We pass the wrong storage principal when creating a blank document in nsContentDLF::CreateBlankDocument. This causes third-party iframes to be able to have code like this which can access first-party storage:

let i = document.createElement("iframe");
i.src="about:blank";
document.body.appendChild(i);
i.contentWindow // creates the initial about:blank
 .indexedDB;    // accesses first-party storage
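To make the escape concrete, here is a simplified model of the two principals a document carries and of what initial about:blank inherits from its creator, before and after this fix. This is an added example, not Gecko code: the function names, the document shape and the "^partitionKey=" key format are constructed for illustration.

```javascript
// Model of regular vs. storage principals (constructed, not Gecko's types).
// The regular principal is just the origin; under third-party storage
// partitioning the storage principal additionally carries the top-level
// site as a partition key.
function createDocument(origin, topLevelSite) {
  return {
    principal: { origin },
    storagePrincipal: {
      origin,
      partitionKey: topLevelSite === origin ? null : topLevelSite,
    },
  };
}

// Key under which storage (IndexedDB, localStorage, ...) is looked up.
function storageKey(principal) {
  return principal.partitionKey
    ? `${principal.origin}^partitionKey=${principal.partitionKey}`
    : principal.origin;
}

// Initial about:blank inherits from its creator. Before the fix the creator's
// regular principal was used as the storage principal, dropping the partition
// key; after the fix the creator's storage principal is inherited.
function createAboutBlank(creator, { fixed }) {
  return {
    principal: creator.principal,
    storagePrincipal: fixed ? creator.storagePrincipal : creator.principal,
  };
}

// True when both documents read and write the same storage bucket.
function sharesStorage(doc, other) {
  return storageKey(doc.storagePrincipal) === storageKey(other.storagePrincipal);
}

// Scenario from the bug: a third-party frame inside a news site creates a
// nested about:blank frame and touches its storage.
function scenario(fixed) {
  const top = "https://news.example";
  const thirdPartyFrame = createDocument("https://tracker.example", top);
  const aboutBlank = createAboutBlank(thirdPartyFrame, { fixed });
  // Storage the same origin sees when visited directly as a first party.
  const firstParty = createDocument("https://tracker.example", "https://tracker.example");
  return {
    key: storageKey(aboutBlank.storagePrincipal),
    escapesPartition: sharesStorage(aboutBlank, firstParty),
    matchesParentFrame: sharesStorage(aboutBlank, thirdPartyFrame),
  };
}
```

With `fixed: false` the about:blank ends up in the origin's unpartitioned (first-party) bucket; with `fixed: true` it shares the partitioned bucket of the frame that created it.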

For the reject-tracker behaviour mode we only allow storage access
to singly nested tracker iframes per our heuristics or the storage
access API rules, but we don't want this behaviour for general
partitioning of third-party storage.

This is necessary in case we encounter an initial about:blank document channel
in our anti-tracking checks. Right now we get an nsInputStreamChannel which
causes us to bail out of the anti-tracking checks.

Bugbug thinks this bug is a task, but please change it back in case of error.

Type: defect → task
Blocks: 1558969
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/762351d3c242
Part 1: Add the browser.contentStoragePrincipal attribute; r=mconley
https://hg.mozilla.org/integration/autoland/rev/a81f25db2f60
Part 2: Add the nsISHEntry.storagePrincipalToInherit attribute; r=baku
https://hg.mozilla.org/integration/autoland/rev/934849c71795
Part 3: Extend nsIDocShell.createAboutBlankContentViewer() to accept a storage principal argument; r=baku
https://hg.mozilla.org/integration/autoland/rev/d291a18dd7b9
Part 4: Port the browser.createAboutBlankContentViewer() API to the storage principal aware version of the docshell API; r=baku
https://hg.mozilla.org/integration/autoland/rev/5c23b9ba930f
Part 5: Pass a storage principal argument through the browser loadURI()/addTab() APIs; r=baku,mconley
https://hg.mozilla.org/integration/autoland/rev/33144e1ff5ab
Part 6: Pass a storage principal to the rest of the call sites for createAboutBlankContentViewer(); r=baku
https://hg.mozilla.org/integration/autoland/rev/cb76a6d08dac
Part 7: Ensure that the third-party checks in the anti-tracking backend do not fail in the presence of third-party about:blank URIs; r=baku
https://hg.mozilla.org/integration/autoland/rev/6bc9f19f7edd
Part 8: Ensure that third-party context partitioning doesn't fail for doubly+ nested iframes; r=baku
https://hg.mozilla.org/integration/autoland/rev/6f92c507abed
Part 9: Ensure that anti-tracking checks do not fail with non-HTTP channels; r=baku
https://hg.mozilla.org/integration/autoland/rev/b6a2568c9bd0
Part 10: Prevent initial about:blank documents from escaping out of partitioned storage by using the correct storage principal when creating them; r=baku
https://hg.mozilla.org/integration/autoland/rev/4a63f0a3a1f2
Part 11: Run the partitioning tests with third-party window objects that have loaded an initial about:blank document in addition to normal third-party window objects; r=baku
Depends on: 1565047
Depends on: 1565052