sessionStorage is not covered by the StoragePrincipal, and thus not isolated by dfpi
Categories
(Core :: Privacy: Anti-Tracking, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox77 | --- | fixed |
People
(Reporter: englehardt, Assigned: xeonchen, NeedInfo)
References
(Blocks 1 open bug)
Details
Attachments
(3 files)
In Dynamic FPI we expect access to built-in interfaces to return the new storage jar after storage access has been granted (and before the page is refreshed). That appears to happen for cookies and localStorage, but does not happen for sessionStorage (and possibly not IndexedDB).
STR:
- In a fresh profile go to https://senglehardt.com/test/dfpi/first_and_third.html
- Refresh the page. Notice that a stable value is set in all four storage locations for the englehardt-tracker.com iframe on the right
- Click the "here" button to activate the storage access heuristic. Close the popup.
- Click the "re-run" button in the englehardt-tracker.com iframe.
ER: All four storages now use their first-party storage.
AR: document.cookie and window.localStorage are the first-party storage locations, but window.sessionStorage still uses the isolated storage location. Note that the underlying code is simply calling window.sessionStorage
, so it isn't using a local reference to the old storage location.
You'll note the same is true for IndexedDB, but I suspect the library I'm using in that test page is keeping a reference to the old DB around (https://www.npmjs.com/package/idb-keyval). Still worth testing.
Reporter | ||
Updated•4 years ago
|
Reporter | ||
Comment 1•4 years ago
|
||
Chatting with baku offline, this happens because we don't use the StoragePrincipal with sessionStorage. So what's happening here is StoragePrincipal drops double keying on all supported storage locations in step (3). Then, once we reload the page the storage access causes us to swap to a new sessionStorage location.
I think we should use StoragePrincipal with sessionStorage, or at the very least double-key it similar to FPI. As of right now, sessionStorage is a cross-site tracking vulnerability. See https://senglehardt.com/test/dfpi/page_with_popup.html. check the sessionStorage value there, and then click "here" to navigate to another top-level origin that embeds the same iframe (senglehardt.netlify.app). Note that sessionStorage is consistent between the two top-level origins because the documents are loaded in the same tab and session storage is tab-scoped.
I tested consistency across navigations in Safari and found the same (i.e., the embedded iframe has the same sessionStorage on two different top-level origins). I plan to file a webkit bug to check whether that's intentional.
Reporter | ||
Comment 2•4 years ago
|
||
(In reply to Steven Englehardt [:englehardt] from comment #1)
I tested consistency across navigations in Safari and found the same (i.e., the embedded iframe has the same sessionStorage on two different top-level origins). I plan to file a webkit bug to check whether that's intentional.
Filed here: https://bugs.webkit.org/show_bug.cgi?id=210776
Reporter | ||
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 3•4 years ago
|
||
Assignee | ||
Comment 4•4 years ago
|
||
Depends on D72764
Assignee | ||
Comment 5•4 years ago
|
||
Pushed by xeonchen@gmail.com: https://hg.mozilla.org/integration/autoland/rev/7c476d4cd03b make `SessionStorage` support `StoragePrincipal`; r=baku https://hg.mozilla.org/integration/autoland/rev/11c210a4ae9f add `IntrinsicStoragePrincipal` to `nsIScriptObjectPrincipal`; r=baku https://hg.mozilla.org/integration/autoland/rev/e6c0259e3688 use `StoragePrincipal` for `SessionStorage`; r=baku
Comment 8•4 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/7c476d4cd03b
https://hg.mozilla.org/mozilla-central/rev/11c210a4ae9f
https://hg.mozilla.org/mozilla-central/rev/e6c0259e3688
Updated•4 years ago
|
Comment 9•4 years ago
|
||
Hi Steven,
Can you please explain what exactly should I see and where to check it after clicking on "rerun"?
After I closed the tab that opened and clicked on "rerun" the values of the "foo" didn't change, checking it in the Devtool Storage side also didn't reveal any changes for me.
Description
•