Closed Bug 1637516 Opened 5 years ago Closed 4 years ago

Consider changing the key of StoragePrincipal from registrable domain (eTLD+1) to site

Categories

(Core :: Privacy: Anti-Tracking, task)

Product:
Core
Component:
Privacy: Anti-Tracking
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla78
Tracking Flags:
Tracking Status
firefox78 --- fixed

People

(Reporter: annevk, Assigned: xeonchen)

References

(Blocks 2 open bugs)

Details

Attachments

(3 files)

Bug 1637516 - part 1: refine functions for further update;
47 bytes, text/x-phabricator-request
Details | Review
Bug 1637516 - part 2: make first-party domain support site;
47 bytes, text/x-phabricator-request
Details | Review
Bug 1637516 - part 3: update tests;
47 bytes, text/x-phabricator-request
Details | Review

As mentioned in bug 1630868 this would be a better boundary as insecure and secure connections wouldn't share a key.

See https://html.spec.whatwg.org/#obtain-a-site for a formal definition of obtaining a site from an origin.

Addressing this before shipping in Nightly would prevent some database migration hassle as I understand it.

Do we plan to make this change apply to FPI? This may affect Tor Browser so we might need a separate pref for this?

That's bug 1630869. And yeah, we should not touch FPI I think.

This sounds like a lot of hassle for a bit unclear/what seems like minor security advantages. Can you add some more reasoning for this, considering that we have mixed content blocking? I feel like we may not want to spend our time on this for now.

Flags: needinfo?(annevk)

Note that if we have a different firstPartyDomain based on a pref we lose storage compat between FPI and dFPI and might need to do special casing in some places...

Though I'll admit that if we want to do this at all it's probably preferable to do it before shipping (maybe it's enough to address this before shipping to release).

But can't we just dupe this with bug 1630869 and resolve that one then?

If we don't do this and a website does not use HSTS + includSubDomains, network attackers have a pretty easy way to perform cache attacks on that website.

Our competitors are also pushing this meaning that not doing this would mean we're not standards compliant. I don't really care how we go about implementing it, but touching FPI would require a whole migration story as I understand it whereas only doing it for dFPI would not.

Flags: needinfo?(annevk)

If we don't do this and a website does not use HSTS + includSubDomains, network attackers have a pretty easy way to perform cache attacks on that website.

Is cache attacks really the thing to worry about on an insecure network with no HSTS?

Anyway, yeah, we should probably do it for standards compliance in any case.

We could consider just accepting the fact that we clear web storage for all FPI users. I'm really not a big fan of making the fPD attribute conditional...

The network is unsafe. And while websites are adopting HSTS, not all websites can set includeSubDomains. Currently these attacks are easier as we don't partition, but once we do this would be an easy step for an attacker to make to continue being able to do their attacks.

(In reply to Johann Hofmann [:johannh] from comment #5)

But can't we just dupe this with bug 1630869 and resolve that one then?

We can keep FPI/dFPI have the same behavior here, and (if necessary, ) use another pref to control whether we should use site or not.
The pref may keep some backward-compatibility for special cases, e.g. Tor Browser, and we can turn this pref on to use "site".

Depends on D75549

Assignee: nobody → xeonchen
Status: NEW → ASSIGNED

To be compatible with Fission, we should consider making this "site" info being hashed with salt to avoid leaking first-party domain info its children.
If we don't do this in this bug, it will require data migration in the future.

Currently all first-party domain info are stored and transmitted by plain-text, we're not sure how much effort it may take to achieve this goal.
Nika, could you give some advice to see if we need this now? Thanks!

Flags: needinfo?(nika)

In general we'd like to avoid having ancestor principals be visible in content processes. There are a couple of places we leak the information into remote subframes, such as through LoadInfo, and don't have any concrete near-term plans to get rid of those leaks, though we'd like to get rid of them in the future.

I don't want to block important work on getting our data leak story perfect, especially when we already have leaks of a similar kind in other code, so I think it's up to your judgement call as to whether it's better to do the easy thing now, and potentially need to do data migration and a redesign in the long-term, or to put in the extra work, and avoid this information leak and future migrations today.

Flags: needinfo?(nika)
Blocks: 1640939
Pushed by xeonchen@gmail.com: https://hg.mozilla.org/integration/autoland/rev/0c71a64381d2 part 1: refine functions for further update; r=timhuang,baku https://hg.mozilla.org/integration/autoland/rev/a77c31684931 part 2: make first-party domain support site; r=baku,timhuang https://hg.mozilla.org/integration/autoland/rev/9e1ecd2a9947 part 3: update tests; r=timhuang,baku

https://hg.mozilla.org/mozilla-central/rev/0c71a64381d2
https://hg.mozilla.org/mozilla-central/rev/a77c31684931
https://hg.mozilla.org/mozilla-central/rev/9e1ecd2a9947

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox78: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
See Also: → 1630869
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: