1629707 - sessionStorage is not covered by the StoragePrincipal, and thus not isolated by dfpi

Status: RESOLVED FIXED

(Core :: Privacy: Anti-Tracking, defect, P2)

Description

[Steven Englehardt [:englehardt]]

In Dynamic FPI we expect access to built-in interfaces to return the new storage jar after storage access has been granted (and before the page is refreshed). That appears to happen for cookies and localStorage, but does not happen for sessionStorage (and possibly not IndexedDB).

STR:

1. In a fresh profile go to https://senglehardt.com/test/dfpi/first_and_third.html
2. Refresh the page. Notice that a stable value is set in all four storage locations for the englehardt-tracker.com iframe on the right
3. Click the "here" button to activate the storage access heuristic. Close the popup.
4. Click the "re-run" button in the englehardt-tracker.com iframe.

ER: All four storages now use their first-party storage.

AR: document.cookie and window.localStorage are the first-party storage locations, but window.sessionStorage still uses the isolated storage location. Note that the underlying code is simply calling window.sessionStorage, so it isn't using a local reference to the old storage location.

You'll note the same is true for IndexedDB, but I suspect the library I'm using in that test page is keeping a reference to the old DB around (https://www.npmjs.com/package/idb-keyval). Still worth testing.

Comment 1

[Steven Englehardt [:englehardt]]

Chatting with baku offline, this happens because we don't use the StoragePrincipal with sessionStorage. So what's happening here is StoragePrincipal drops double keying on all supported storage locations in step (3). Then, once we reload the page the storage access causes us to swap to a new sessionStorage location.

I think we should use StoragePrincipal with sessionStorage, or at the very least double-key it similar to FPI. As of right now, sessionStorage is a cross-site tracking vulnerability. See https://senglehardt.com/test/dfpi/page_with_popup.html. check the sessionStorage value there, and then click "here" to navigate to another top-level origin that embeds the same iframe (senglehardt.netlify.app). Note that sessionStorage is consistent between the two top-level origins because the documents are loaded in the same tab and session storage is tab-scoped.

I tested consistency across navigations in Safari and found the same (i.e., the embedded iframe has the same sessionStorage on two different top-level origins). I plan to file a webkit bug to check whether that's intentional.

Comment 2

[Steven Englehardt [:englehardt]]

(In reply to Steven Englehardt [:englehardt] from comment #1)

I tested consistency across navigations in Safari and found the same (i.e., the embedded iframe has the same sessionStorage on two different top-level origins). I plan to file a webkit bug to check whether that's intentional.

Filed here: https://bugs.webkit.org/show_bug.cgi?id=210776

Comment 3

[Gary Chen [:xeonchen]]

Attachment: Bug 1629707 - make `SessionStorage` support `StoragePrincipal`;

Comment 4

[Gary Chen [:xeonchen]]

Attachment: Bug 1629707 - use `StoragePrincipal` for `SessionStorage`;

Depends on D72764

Comment 5

[Gary Chen [:xeonchen]]

Attachment: Bug 1629707 - add `IntrinsicStoragePrincipal` to `nsIScriptObjectPrincipal`;

Comment 7

[Pulsebot]

Pushed by xeonchen@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/7c476d4cd03b
make `SessionStorage` support `StoragePrincipal`; r=baku
https://hg.mozilla.org/integration/autoland/rev/11c210a4ae9f
add `IntrinsicStoragePrincipal` to `nsIScriptObjectPrincipal`; r=baku
https://hg.mozilla.org/integration/autoland/rev/e6c0259e3688
use `StoragePrincipal` for `SessionStorage`; r=baku

Comment 8

[Cristian Brindusan [:cbrindusan]]

https://hg.mozilla.org/mozilla-central/rev/7c476d4cd03b
https://hg.mozilla.org/mozilla-central/rev/11c210a4ae9f
https://hg.mozilla.org/mozilla-central/rev/e6c0259e3688

Comment 9

[Timea Cernea [:tbabos][inactive]]

Hi Steven,
Can you please explain what exactly should I see and where to check it after clicking on "rerun"?
After I closed the tab that opened and clicked on "rerun" the values of the "foo" didn't change, checking it in the Devtool Storage side also didn't reveal any changes for me.