Escape from partition by force-creating the initial about:blank document
Categories: Core :: Privacy: Anti-Tracking, task

Tracking | Status
---|---
firefox69 | fixed
People: Reporter ehsan.akhgari, Assignee ehsan.akhgari
References: Blocks 1 open bug
Attachments (11 files)
47 bytes, text/x-phabricator-request | Details | Review
Bug 1557887 - Part 5: Pass a storage principal argument through the browser loadURI()/addTab() APIs;
We pass the wrong storage principal when creating a blank document in nsContentDLF::CreateBlankDocument. This causes third-party iframes to be able to have code like this which can access first-party storage:
let i = document.createElement("iframe");
i.src = "about:blank";
document.body.appendChild(i);
i.contentWindow // creates the initial about:blank
  .indexedDB; // accesses first-party storage
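To make the consequence of the wrong principal concrete, here is an added example (not code from the bug or from Gecko): a simplified model of how the storage principal of an initial about:blank document is chosen, contrasting the buggy rule with the fixed one. The record shapes, the `partitionKey` format and the constructed `store` are assumptions for illustration, not Gecko's actual representation.

```javascript
// Simplified model (assumption): a storage principal is an origin plus an
// optional partition key, the top-level site when embedded cross-site.
function storagePrincipal(origin, partitionKey) {
  return { origin, partitionKey: partitionKey || null };
}

// Storage buckets are keyed by the whole storage principal, so the same
// origin has one unpartitioned bucket and one bucket per embedding site.
function storageKey(sp) {
  return sp.partitionKey ? `${sp.origin}^partitionKey=${sp.partitionKey}` : sp.origin;
}

// A document of `origin` loaded under `topLevelSite`. Same-site loads are
// unpartitioned; cross-site (third-party iframe) loads get a partition key.
function loadDocument(origin, topLevelSite) {
  const key = origin === topLevelSite ? null : topLevelSite;
  return { origin, storagePrincipal: storagePrincipal(origin, key) };
}

// Buggy rule: the blank document inherits only the creator's origin and a
// fresh, unpartitioned storage principal is derived from it.
function createBlankDocumentBuggy(creator) {
  return { origin: creator.origin, storagePrincipal: storagePrincipal(creator.origin, null) };
}

// Fixed rule: the blank document inherits the creator's storage principal
// unchanged, so it stays inside the creator's partition.
function createBlankDocumentFixed(creator) {
  return { origin: creator.origin, storagePrincipal: creator.storagePrincipal };
}

// Constructed store: tracker.example saved an identifier while it was the
// top-level site, i.e. in its unpartitioned first-party bucket.
const store = new Map([["https://tracker.example", "uid=12345"]]);

function readStorage(doc) {
  const value = store.get(storageKey(doc.storagePrincipal));
  return value === undefined ? null : value;
}

// Which bucket does a nested about:blank created by a third-party iframe of
// `trackerOrigin` on `topLevelSite` read under each rule?
function blankFrameBuckets(trackerOrigin, topLevelSite) {
  const iframe = loadDocument(trackerOrigin, topLevelSite);
  return {
    iframe: storageKey(iframe.storagePrincipal),
    buggy: storageKey(createBlankDocumentBuggy(iframe).storagePrincipal),
    fixed: storageKey(createBlankDocumentFixed(iframe).storagePrincipal),
    buggyReads: readStorage(createBlankDocumentBuggy(iframe)),
    fixedReads: readStorage(createBlankDocumentFixed(iframe)),
  };
}
```

Under the buggy rule the nested blank frame lands in the tracker's unpartitioned bucket and reads the cross-site identifier; under the fixed rule it shares its creator's partitioned bucket and sees nothing.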
Comment 8 (Assignee, 6 years ago):
For the reject-tracker behaviour mode we only allow storage access to singly nested tracker iframes per our heuristics or the storage access API rules, but we don't want this behaviour for general partitioning of third-party storage.
Comment 9 (Assignee, 6 years ago):
This is necessary in case we encounter an initial about:blank document channel in our anti-tracking checks. Right now we get an nsInputStreamChannel which causes us to bail out of the anti-tracking checks.
bugherder:
https://hg.mozilla.org/mozilla-central/rev/762351d3c242
https://hg.mozilla.org/mozilla-central/rev/a81f25db2f60
https://hg.mozilla.org/mozilla-central/rev/934849c71795
https://hg.mozilla.org/mozilla-central/rev/d291a18dd7b9
https://hg.mozilla.org/mozilla-central/rev/5c23b9ba930f
https://hg.mozilla.org/mozilla-central/rev/33144e1ff5ab
https://hg.mozilla.org/mozilla-central/rev/cb76a6d08dac
https://hg.mozilla.org/mozilla-central/rev/6bc9f19f7edd
https://hg.mozilla.org/mozilla-central/rev/6f92c507abed
https://hg.mozilla.org/mozilla-central/rev/b6a2568c9bd0
https://hg.mozilla.org/mozilla-central/rev/4a63f0a3a1f2