Moving GetPermission to parent to get correct top level principal when fission enabled
Categories
(Core :: DOM: Security, task, P3)
Tracking
()
Tracking | Status | |
---|---|---|
firefox79 | --- | fixed |
People
(Reporter: tnguyen, Assigned: timhuang)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [domsecurity-active])
Attachments
(5 files)
AFAIK, in several places, we may use top principal from subframe cross process. Unfortunately, the top principal we are getting could be null. It would be ok if we only use the result of getTopLevelPrincipal to compute cross-origin (we got null means we are in cross-origin cross-process). However, if we use that top-level principal, for example do security/permission check, the result will be wrong.
We probably have to do some IPC with getTopLevelPrincipal and need to audit all the usage of getTopLevelPrincipal
Reporter | ||
Comment 1•5 years ago
|
||
Reporter | ||
Updated•5 years ago
|
Reporter | ||
Updated•5 years ago
|
Reporter | ||
Updated•5 years ago
|
Comment 2•5 years ago
|
||
(In reply to Thomas Nguyen (:tnguyen) ni? plz from comment #0)
We probably have to do some IPC with getTopLevelPrincipal and need to audit all the usage of getTopLevelPrincipal
I believe the rest of the usages are for bug 1576291, FWIW...
Updated•5 years ago
|
Comment 3•5 years ago
|
||
It seems that loadinfo->GetTopLevelPrincipal() should still work because we don't compute the information but rather pass the information down the inheritance tree whenever we create a new loadinfo object.
Comment 4•5 years ago
|
||
The line from comment 1 also caused an issue without Fission ( bug 1589754 ) because it is null for top-level documents.
Currently, some "GetTopLevelPrincipal" methods return a principal of the top-level documents, others return null, and some others have different return values depending on whether Fission is enabled.
At least for permission-related code, "topLevelPrincipal" is expected to be non-null, e.g. at
https://searchfox.org/mozilla-central/rev/55aa17110091deef24b913d033ccaf58f9c6d337/dom/base/nsContentPermissionHelper.cpp#518,521,549
Here is an example where the value is expected to be non-null, but would be null with Fission enabled:
https://searchfox.org/mozilla-central/rev/55aa17110091deef24b913d033ccaf58f9c6d337/dom/html/HTMLMediaElement.cpp#6829,6837
(this example is dead code, by the way. I'll remove it in bug 1590417 ).
Is it in scope of this bug to ensure that topLevelPrincipal is always non-null, without exceptions?
Reporter | ||
Comment 5•5 years ago
•
|
||
Hi Nika, from bug 1589754 comment 7 I got topLevelPrincipal from loadinfo and it seems to be correct from cross-process document. Is that something unexpected and we need to fix it? Or I can rely on this to do further check
Comment 6•5 years ago
|
||
Any code which exposes the principal of a cross-process document into your process is buggy, and we should be fixing it at some point. We don't want to be leaking that information into content processes. It would be good to file a bug about topLevelPrincipal
being non-null for cross-process loadInfos.
This method, in general, is quite flawed. We cannot provide an implementation of it in the content process in a post fission world. Code which wants to do checks like this should do one of a couple of things:
- If the principal which we want to compare with the TopLevelPrincipal is for an in-process document, the absence of a toplevel principal indicates that they don't match
- If the principals we want to compare don't correspond to resources in this process, the parent process needs to handle doing the comparison for us.
Reporter | ||
Comment 7•5 years ago
|
||
(In reply to :Nika Layzell (ni? for response) from comment #6)
Any code which exposes the principal of a cross-process document into your process is buggy, and we should be fixing it at some point. We don't want to be leaking that information into content processes. It would be good to file a bug about
topLevelPrincipal
being non-null for cross-process loadInfos.This method, in general, is quite flawed. We cannot provide an implementation of it in the content process in a post fission world. Code which wants to do checks like this should do one of a couple of things:
- If the principal which we want to compare with the TopLevelPrincipal is for an in-process document, the absence of a toplevel principal indicates that they don't match
- If the principals we want to compare don't correspond to resources in this process, the parent process needs to handle doing the comparison for us.
Thanks for confirming. So in this case of permission delegation (using topPrincipal to do permission check, store and retrieve), I will move all these tasks into parent.
Comment 8•5 years ago
|
||
Tentatively moving all bugs whose summaries mention "Fission" (or other Fission-related keywords) but are not assigned to a Fission Milestone to the "?" triage milestone.
This will generate a lot of bugmail, so you can filter your bugmail for the following UUID and delete them en masse:
0ee3c76a-bc79-4eb2-8d12-05dc0b68e732
Reporter | ||
Comment 9•5 years ago
•
|
||
I will take this bug, but I would narrow down the bug to fix top level principal in permision delegation, by moving the getPermission to parent.
Another moving of getting top principal to parent is in patch https://phabricator.services.mozilla.com/D53261
Reporter | ||
Updated•5 years ago
|
Reporter | ||
Updated•5 years ago
|
Reporter | ||
Comment 10•5 years ago
|
||
Updated•5 years ago
|
Updated•5 years ago
|
Updated•5 years ago
|
Comment 11•5 years ago
|
||
There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:tnguyen, could you have a look please?
For more information, please visit auto_nag documentation.
Reporter | ||
Updated•5 years ago
|
Reporter | ||
Comment 12•5 years ago
|
||
I tried to land but failed because it requires IPC peer to review. Asking for review in IPC modules
Comment 13•5 years ago
|
||
Temporarily reassigning these DOM Security Fission bugs to ckerschb for re-triage.
Updated•5 years ago
|
Updated•5 years ago
|
Comment 14•5 years ago
|
||
I just checked in it seems e.g. test browser_permission_delegate_geo.js which makes this a valid bug. I guess this one needs an owner.
Comment 15•5 years ago
|
||
Thomas Nguyen said (in bug 1582999 comment 15) that his fix for this bug will also fix test_cross_origin_iframe.html bug 1582999.
Comment 16•5 years ago
|
||
Tim said he can pick that one up once he is done with some ETP fission work.
Updated•5 years ago
|
Assignee | ||
Comment 18•5 years ago
|
||
I think ETP is no longer using the top-level principal in the content processes. So, we can focus on the permission delegation that Thomas pointed out in comment 1.
I believe that we don't need to move the checking of the delegated permission to the parent process. It would be hard to do that since some delegated permissions do checks in a sync manner, such as the vibration
permission. Given the fact that we prefer not to have a sync IPC, it would be very difficult to implement.
As an alternative, I proposed that we pre-compute all delegated permissions in the top-level window and store the results as a flag in the WindowContext of the top-level window. When we need to do the permission delegation, we can directly check the flag in the top-level WindowContext. And we keep the flag up-to-date once the permissions get updated. By doing this, we don't need the top-level principal and the permission delegation can still work for those requiring a sync operation.
Assignee | ||
Comment 19•4 years ago
|
||
In order to delegate the permission to the top-level window, in this
patch, we pre-compute the permissions of the top-level context and set
them to the top-level WindowContext. So, the cross-origin iframe can
know the permission of the top-level window through the WindowContext.
Thus, the permission can be delegated in Fission.
Assignee | ||
Comment 20•4 years ago
|
||
Depends on D79132
Assignee | ||
Comment 21•4 years ago
|
||
Depends on D79133
Assignee | ||
Comment 22•4 years ago
|
||
Depends on D79134
Comment 23•4 years ago
|
||
Comment 24•4 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/44e715808901
https://hg.mozilla.org/mozilla-central/rev/a2bec965260d
https://hg.mozilla.org/mozilla-central/rev/4e6d8f786f87
https://hg.mozilla.org/mozilla-central/rev/fd202991fa01
Description
•