Escape from partition by force-creating the initial about:blank document
Categories
(Core :: Privacy: Anti-Tracking, task)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox69 | --- | fixed |
People
(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)
References
(Blocks 1 open bug)
Attachments
(11 files)
Bug 1557887 - Part 5: Pass a storage principal argument through the browser loadURI()/addTab() APIs;
We pass the wrong storage principal when creating a blank document in nsContentDLF::CreateBlankDocument. This causes third-party iframes to be able to have code like this which can access first-party storage:
let i = document.createElement("iframe");
i.src="about:blank";
document.body.appendChild(i);
i.contentWindow // creates the initial about:blank
.indexedDB; // accesses first-party storage
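As an added illustration that is not part of this bug report or of Gecko's code: a simplified model of how an initial about:blank document inherits its storage principal from the creating document, with the buggy inheritance (storage principal derived from the content principal, so the partition key is lost) beside the fixed one (creator's storage principal passed through). All names and the partition-key string format are assumptions made for the model.

```javascript
"use strict";

// Model only (assumed names): a principal is an origin plus an optional
// partition key naming the first-party site the document is embedded under.
function makePrincipal(origin, partitionKey = null) {
  return { origin, partitionKey };
}

// The storage bucket a principal maps to. The same origin under different
// first parties gets different buckets; no partition key means the bucket
// the origin uses when it is itself the first party.
function storageKey(principal) {
  return principal.partitionKey
    ? `${principal.origin}^partitionKey=${principal.partitionKey}`
    : principal.origin;
}

// A document carries a content principal (who it is) and a storage
// principal (which bucket its IndexedDB/localStorage may touch).
function makeDocument(principal, storagePrincipal) {
  return { principal, storagePrincipal };
}

// Model of creating the initial about:blank document for a new iframe.
// about:blank inherits the creator's content principal in both variants;
// the storage principal is where the buggy and fixed variants differ.
function createBlankDocument(creator, { fixed }) {
  const storage = fixed
    ? creator.storagePrincipal // fixed: keep the creator's partition key
    : creator.principal;       // bug: partition key dropped
  return makeDocument(creator.principal, storage);
}

// True when the document ends up in the unpartitioned bucket of its origin,
// i.e. it can read what the origin stored as a first party.
function escapesPartition(doc) {
  const firstPartyBucket = storageKey(makePrincipal(doc.principal.origin));
  return storageKey(doc.storagePrincipal) === firstPartyBucket;
}

// Constructed scenario: tracker.example embedded third-party in site.example.
function scenario(fixed) {
  const tracker = makeDocument(
    makePrincipal("https://tracker.example"),
    makePrincipal("https://tracker.example", "site.example"),
  );
  const blank = createBlankDocument(tracker, { fixed });
  return { key: storageKey(blank.storagePrincipal), escapes: escapesPartition(blank) };
}
```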
Comment 8 (Assignee) • 5 years ago
For the reject-tracker behaviour mode we only allow storage access
to singly nested tracker iframes per our heuristics or the storage
access API rules, but we don't want this behaviour for general
partitioning of third-party storage.
Comment 9 (Assignee) • 5 years ago
This is necessary in case we encounter an initial about:blank document channel
in our anti-tracking checks. Right now we get an nsInputStreamChannel which
causes us to bail out of the anti-tracking checks.
Comment 13 • 5 years ago
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/762351d3c242 Part 1: Add the browser.contentStoragePrincipal attribute; r=mconley
https://hg.mozilla.org/integration/autoland/rev/a81f25db2f60 Part 2: Add the nsISHEntry.storagePrincipalToInherit attribute; r=baku
https://hg.mozilla.org/integration/autoland/rev/934849c71795 Part 3: Extend nsIDocShell.createAboutBlankContentViewer() to accept a storage principal argument; r=baku
https://hg.mozilla.org/integration/autoland/rev/d291a18dd7b9 Part 4: Port the browser.createAboutBlankContentViewer() API to the storage principal aware version of the docshell API; r=baku
https://hg.mozilla.org/integration/autoland/rev/5c23b9ba930f Part 5: Pass a storage principal argument through the browser loadURI()/addTab() APIs; r=baku,mconley
https://hg.mozilla.org/integration/autoland/rev/33144e1ff5ab Part 6: Pass a storage principal to the rest of the call sites for createAboutBlankContentViewer(); r=baku
https://hg.mozilla.org/integration/autoland/rev/cb76a6d08dac Part 7: Ensure that the third-party checks in the anti-tracking backend do not fail in the presence of third-party about:blank URIs; r=baku
https://hg.mozilla.org/integration/autoland/rev/6bc9f19f7edd Part 8: Ensure that third-party context partitioning doesn't fail for doubly+ nested iframes; r=baku
https://hg.mozilla.org/integration/autoland/rev/6f92c507abed Part 9: Ensure that anti-tracking checks do not fail with non-HTTP channels; r=baku
https://hg.mozilla.org/integration/autoland/rev/b6a2568c9bd0 Part 10: Prevent initial about:blank documents from escaping out of partitioned storage by using the correct storage principal when creating them; r=baku
https://hg.mozilla.org/integration/autoland/rev/4a63f0a3a1f2 Part 11: Run the partitioning tests with third-party window objects that have loaded an initial about:blank document in addition to normal third-party window objects; r=baku
Comment 14 (bugherder) • 5 years ago
https://hg.mozilla.org/mozilla-central/rev/762351d3c242
https://hg.mozilla.org/mozilla-central/rev/a81f25db2f60
https://hg.mozilla.org/mozilla-central/rev/934849c71795
https://hg.mozilla.org/mozilla-central/rev/d291a18dd7b9
https://hg.mozilla.org/mozilla-central/rev/5c23b9ba930f
https://hg.mozilla.org/mozilla-central/rev/33144e1ff5ab
https://hg.mozilla.org/mozilla-central/rev/cb76a6d08dac
https://hg.mozilla.org/mozilla-central/rev/6bc9f19f7edd
https://hg.mozilla.org/mozilla-central/rev/6f92c507abed
https://hg.mozilla.org/mozilla-central/rev/b6a2568c9bd0
https://hg.mozilla.org/mozilla-central/rev/4a63f0a3a1f2