Closed Bug 1597726 Opened 5 months ago Closed 2 months ago

Properly isolate LocalStorage from SessionStorage when storage partitioning is active

Categories

(Core :: Storage: localStorage & sessionStorage, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla74
Tracking Status
firefox74 --- fixed

People

(Reporter: ehsan, Assigned: xeonchen)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

The solution implemented in bug 1558420 makes localStorage work like sessionStorage when storage partitioning is active, but it also makes them actually come from the same namespace, which probably makes their contents leak into each other.

We should investigate whether that's actually true (I haven't tested it but based on the way the code is written it's got to be) and fix it if it is.

Component: DOM: Core & HTML → Storage: localStorage & sessionStorage
Priority: -- → P1
Assignee: nobody → xeonchen
Status: NEW → ASSIGNED

Based on GenerateOriginKey, SessionStorageCache is not double keyed when privacy.firstparty.isolate is disabled, i.e. aOriginAttrSuffix is an empty string.

To fix this, we may need to keep first party domain information regardless FPI pref state.

Pushed by xeonchen@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/5f9acc76d590
use storage principal to generate origin key; r=Ehsan
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74
You need to log in before you can comment on or make changes to this bug.