Closed Bug 1630796 Opened 2 years ago Closed 2 years ago

Dynamic FPI introduces an inconsistent storage jar for users with privacy.firstparty.isolate=true

Categories

(Core :: Privacy: Anti-Tracking, defect, P2)

defect

Tracking

()

RESOLVED WONTFIX

People

(Reporter: englehardt, Unassigned)

References

(Blocks 1 open bug)

Details

STR:

  1. In a fresh Nightly profile set privacy.firstparty.isolate=true.
  2. Go to https://senglehardt.com/test/dfpi/storage_access_api.html. Note the values set in the englehardt-tracker.com iframe.
  3. In another tab set network.cookie.cookieBehavior=5
  4. Refresh the tab with the test page. Note that storage locations for localStorage and sessionStorage values in the englehardt-tracker.com iframe are now different, leading to the test page setting new values for those locations.
  5. Click the "here" button below the englehardt-tracker.com iframe. This actives the storage access permission for englehardt-tracker.com, relaxing dfpi.
  6. Refresh the test page once more. Note that the localStorage and sessionStorage values are back to what they were in step (2).

So dfpi swaps to a different storage jar for some storage locations covered by the StoragePrincipal, but not others. I suspect this might introduce some bugs for FPI users.

Perhaps this is an artifact of FPI not including scheme?

(In reply to Tom Ritter [:tjr] (OOTO until 5/1?) from comment #1)

Perhaps this is an artifact of FPI not including scheme?

Looks like this was partially caused by Bug 1630763. I just retested and localStorage no longer changes when a storage access permission was granted. We still see sessionStorage swapping out, but that will probably be fixed by Bug 1629707. Let's keep this open and revisit after Bug 1629707 lands.

(In reply to Steven Englehardt [:englehardt] from comment #2)

(In reply to Tom Ritter [:tjr] (OOTO until 5/1?) from comment #1)

Perhaps this is an artifact of FPI not including scheme?

Looks like this was partially caused by Bug 1630763. I just retested and localStorage no longer changes when a storage access permission was granted. We still see sessionStorage swapping out, but that will probably be fixed by Bug 1629707. Let's keep this open and revisit after Bug 1629707 lands.

I've re-tested this now that Bug 1629707 has landed and we do still see a swapping of the sessionStorage jar after a storage access exception is granted. I think this is inevitable based on the fix we settled on for sessionStorage under dFPI. We could consider special casing this when both DFPI and FPI are enabled. Instead, we've decided to figure out a path to disabling dFPI when FPI is active (Bug 1631676). Closing this in favor of that.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.