The Storage Access API should automatically reject access for cookie policies that don't allow cross-site storage access
Categories
(Core :: Privacy: Anti-Tracking, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox95 | --- | fixed |
People
(Reporter: englehardt, Assigned: bvandersloot)
References
(Blocks 1 open bug)
Details
Attachments
(1 file, 1 obsolete file)
requestStorageAccess() should automatically reject when it's not possible for the embedded content to receive storage access (either due to the browser's cookie policy or the user's cookie permissions). This isn't currently the case, which means it's possible for an embedded frame to see that it can't access storage, call requestStorageAccess and have access "granted", check hasStorageAccess and see that it returns true, but not actually have storage access.
This happens under the following policies:
- cookieBehavior 1: Block all third-party cookies when
network.cookie.rejectForeignWithExceptions.enabledis set to false (currently the default outside of Nightly) - cookieBehavior 2: Block all cookies
- cookieBehavior 3: Cookie from unvisited websites
You can use this test page: https://senglehardt.com/test/dfpi/storage_access_api.html.
|
Reporter | |
Comment 1•4 years ago
|
||
Another condition in which the storage access API should automatically reject is when the origin requesting access is one that has been denied storage access via the about:preferences#privacy "Cookie Exceptions" UI.
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Updated•3 years ago
|
|
Assignee | |
Comment 2•3 years ago
|
||
Add a test to validate behavior on non-tracking first-party requests
Add tests to ensure we don't say we are granting storage access to third parties with cookiePolicies that forbid it
Add check near the top of Document::HasStorageAccess to immediately return false when cookiePolicy is REJECT.
Add check near the top of Document::RequestStorageAccess to reject when cookiePolicy is REJECT.
Add check in Document::RequestStorageAccess to reject when the cookie policy forbids third party cookies
Note, BEHAVIOR_LIMIT_FOREIGN is treated like BEHAVIOR_REJECT_FOREIGN, just like in ContentBlocking::ShouldAllowAccessFor
Add comparable checks to the priveleged version of RequestStorageAccess
This also resolves Bug 1661152
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 3•3 years ago
|
||
Add a test to validate behavior on non-tracking first-party requests
Add tests to ensure we don't say we are granting storage access to third parties with cookiePolicies that forbid it
Add check near the top of Document::HasStorageAccess to immediately return false when cookiePolicy is REJECT.
Add check near the top of Document::RequestStorageAccess to reject when cookiePolicy is REJECT.
Add check in Document::RequestStorageAccess to reject when the cookie policy forbids third party cookies
Note, BEHAVIOR_LIMIT_FOREIGN is treated like BEHAVIOR_REJECT_FOREIGN, just like in ContentBlocking::ShouldAllowAccessFor
Add comparable checks to the priveleged version of RequestStorageAccess
This also resolves Bug 1661152
|
|
||
Updated•3 years ago
|
Pushed by bvandersloot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/57d260450dce The Storage Access API should automatically reject access for cookie policies that don't allow cross-site storage access r=anti-tracking-reviewers,timhuang
|
||
Comment 5•3 years ago
•
|
||
Backed out changeset 57d260450dce (Bug 1661151) for causing wpt failures in hasStorageAccess().
Backout link: https://hg.mozilla.org/integration/autoland/rev/9fa3431e1e5ded47cc269bf1427a96c940f1ddc0
Push with failures, failure log.
(Update): Also caused:
- mochitest plain failures
- browser-chrome failures
- another browser chrome failure
- devtools failures
Pushed by bvandersloot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/717eaf5939f3 The Storage Access API should automatically reject access for cookie policies that don't allow cross-site storage access r=anti-tracking-reviewers,timhuang
|
|
Assignee | |
Updated•3 years ago
|
|
||
Comment 7•3 years ago
|
||
| bugherder | ||
|
||
Updated•3 years ago
|
Description
•