downloads.download() excludes non-first party cookies when the extension lacks host permissions
Categories
(WebExtensions :: Request Handling, defect, P2)
Tracking
(firefox80 fixed, firefox81 fixed)
People
(Reporter: robwu, Assigned: robwu)
References
Details
Attachments
(1 file)
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-release+
|
Details | Review |
After a long journey of broken behavior (https://bugzilla.mozilla.org/show_bug.cgi?id=1621249#c7), the downloads.download
API does now consistently include cookies in requests when it has host permissions for the downloaded URL.
When the extension lacks host permissions, then cookies can still be missing (e.g. SameSite=Strict cookies, URLs blocked by tracking protection and when third-party cookies are disabled altogether).
This behavior is the result of the logic that determines whether a request is third-party. It makes a special exception for moz-extension when the extension has host permissions for the requested URL.
If we want to lift this limitation, we could use the strategy suggested in bug 1583715.
- Pro of removing restriction: Extensions that only want to issue a download won't need host permissions.
- Con of removing restriction: Extensions can generate first-party requests without host permissions.
Assignee | ||
Comment 1•4 years ago
|
||
We are inclined to remove the restriction.
It's a small fix (bug 1583715), need a unit test and set that one property.
Assignee | ||
Comment 2•4 years ago
|
||
The internal Download API and the downloads API for extensions trigger
download requests on behalf of users. These should be considered
first-party requests, and therefore not be restricted by sameSite cookie
restrictions or tracking protection.
This patch has two components:
-
Ensure that triggeringPrincipal is always the system principal, to
make sure thatBasePrincipal::IsThirdPartyChannel
returns false
when called byCookieCommons::IsSameSiteForeign
.The extension API implementation was the only consumer of the
Download API where triggeringPrincipal wasn't the system principal
(because loadingPrincipal is a moz-extension:-URI since bug 1579911). -
Set
channel.forceAllowThirdPartyCookie
to true, so that cookies are
always included in download requests even if the preference
network.cookie.cookieBehavior
is 1 (aka BEHAVIOR_REJECT_FOREIGN).
Updated•4 years ago
|
Assignee | ||
Comment 5•4 years ago
•
|
||
Comment on attachment 9170525 [details]
Bug 1655190 - Always include third-party cookies in downloads
Beta/Release Uplift Approval Request
- User impact if declined: Cookies may be missing from download requests triggered by extensions, and potentially result in incorrect downloads. This is a recent regression in Firefox 80 - bug 1658673 - https://bugzilla.mozilla.org/show_bug.cgi?id=1658673#c6 . This scenario is now covered by extensive unit tests.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: bug 1621249 - This introduced new unit tests with test coverage for this feature, with a TODO that is addressed by this patch.
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change is in a specific part of the download implementation and has been covered by unit tests.
The effect of the change is that relevant "third-party" cookies are added to extension-initiated download requests,
and generally to all "save as" downloads triggered from the browser, even when tracking protection is configured to be very strict (e.g. blocking all third-party cookies). - String changes made/needed:
Comment 6•4 years ago
|
||
bugherder |
Comment 7•4 years ago
|
||
Comment on attachment 9170525 [details]
Bug 1655190 - Always include third-party cookies in downloads
approved for 80.0.1
Comment 8•4 years ago
|
||
bugherder uplift |
Description
•