1628936 - The devools storage inspector does not show isolated cookies when dfpi is active

Status: RESOLVED FIXED

(DevTools :: Storage Inspector, defect, P3)

Description

[Steven Englehardt [:englehardt]]

Dynamic First Party Isolation (Bug 1549587) isolates third-party storage by double keying the storage using the First-Party origin attribute. When dfpi is active, the Storage Panel does not show isolated cookies with the exception of the first time they are set.

STR:

1. In a fresh profile set network.cookie.cookieBehavior = 5
2. Visit https://senglehardt.com/test/dfpi/first_and_third.html. You'll see cookies, localstorage, session storage, and indexed db data written for three iframes from separate origins.
3. Open the Storage Panel and note that all storage locations show the expected results.
4. Refresh the page. No new storage is set. Instead, storage is read from all locations.
5. Open the Storage Panel and switch between the origins listed under "Cookies". Note that englehardt-tracker.com is empty

ER:

• The storage panel displays the active storage area for all storage locations

AR:

• No cookies for the isolated origin (englehardt-tracker.com) when storage is only read during the page visit. This does not reproduce when the storage location is not isolated.

Comment 1

[Julian Descottes [:jdescottes]]

Thanks for filing!

I don't have exactly the same STRs, for me englehardt-tracker.com is empty even for the first visit (when the page reads Cookies not yet set, setting a new cookie...)

Comment 2

[Firefox Bug Husbandry Bot]

Because this bug's Severity has not been changed from the default since it was filed, and it's Priority is P3 (Backlog,) indicating it has been triaged, the bug's Severity is being updated to S3 (normal.)

Comment 3

[Paul Zühlcke [:pbz]]

The issue is here: https://searchfox.org/mozilla-central/rev/4415bec7a49c50a338167d9c8934527b9cae59d0/devtools/server/actors/storage.js#642
Cookies are queried from Services.cookies by host and OriginAttributes. For subframes the host for this call is correct, however the origin attributes are retrieved from the wrong storage principal. They come from this.storageActor.document.effectiveStoragePrincipal.originAttributes, which is the top level storage principal.

We can probably get the correct origin attributes via this.storageActor.getWindowFromHost(host).document.effectiveStoragePrincipal.originAttributes (Where host is the hostname of the frame).

Comment 4

[Paul Zühlcke [:pbz]]

Attachment: Bug 1628936 - [devtools] Use the correct storage principal for handling cookies. r=ladybenko

For iframes it's important that we use the correct storage principal when interacting with cookies.
With dFPI enabled the origin attributes of third party contexts are different from the top ones.
This led to situations where we didn't show any cookies for storage isolated third party frames.

Comment 5

[Pulsebot]

Pushed by pzuhlcke@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fc32d902cd48
[devtools] Use the correct storage principal for handling cookies. r=ladybenko

Comment 6

[Alexandru Michis [:malexandru]]

https://hg.mozilla.org/mozilla-central/rev/fc32d902cd48

Comment 7

[Paul Zühlcke [:pbz]]

While testing I ran into this bug again. It only breaks with dFPI enabled, see original STR in comment 0.

mozregression led me to Bug 1700904:

 6:52.58 INFO: Last good revision: 6a97950a60a6daa2275c776c817c764143806c4d
 6:52.58 INFO: First bad revision: 751d66c96a08b33f4e5b0b9dfcc29ce7bc7b2afb
 6:52.58 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6a97950a60a6daa2275c776c817c764143806c4d&tochange=751d66c96a08b33f4e5b0b9dfcc29ce7bc7b2afb

Belén, could you take a look?

Comment 8

[Paul Zühlcke [:pbz]]

Seems like this also affects indexedDB. localStorage and sessionStorage work fine.

Comment 9

[Paul Zühlcke [:pbz]]

We should add a test case to make sure we don't regress again.

Comment 10

[Julian Descottes [:jdescottes]]

If that's ok, I'd prefer to treat the regression as a separate record (bug 1721131).