[gv-junit-fis] Error page triggers `about:blank` onLocationChange with Fission
Categories
(GeckoView Graveyard :: Sandboxing, defect, P1)
Tracking
(firefox117 wontfix, firefox118 fixed)
People
(Reporter: agi, Assigned: owlish)
References
(Blocks 1 open bug)
Details
(Whiteboard: [fission:android:m2] [geckoview:2022q3][geckoview:m115][geckoview:m116][geckoview:m117][fxdroid])
Attachments
(2 files, 1 obsolete file)
To reproduce this run NavigationDelegateTest#loadFileNotFound with fission enabled.
|
||
Updated•4 years ago
|
|
Reporter | |
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Comment 1•4 years ago
|
||
Tracking this bug for Android Fission milestone M2 (pass tests with Fission enabled).
|
|
||
Updated•3 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
Reporter | |
Comment 2•2 years ago
|
||
Nika thinks this is a problem with the process switch happening, error pages don't expect to load anything different than about:neterror while we use either a resource:// or a data URI which might trigger an unexpected process switch. We will have to work with platform to make this work for Android somehow.
|
|
Reporter | |
Updated•2 years ago
|
|
||
Comment 3•2 years ago
|
||
I'm not sure this is a good approach long term, but we may be able to check if this is the cause by hacking away the process switch when loading error pages.
To do that, we'd add an extra case to IsolationOptionsForNavigation which takes into account the mLoadStateLoadType when calculating behavior, probably something like this around here.
#ifdef MOZ_WIDGET_ANDROID
// If we're loading an error page on android, it must complete within the same process as the
// errored page load would complete in due to code expecting that behavior. See bug 1673763.
if (aLoadStateLoadType == LOAD_ERROR_PAGE) {
// XXX: Validate that this URI is OK to load as an error page somehow? It will bypass site isolation.
// Log an error and return `Err(NS_ERROR_DOM_SECURITY_ERR)` or similar to abort and reject the load if it isn't valid.
// Should probably at least require it to be bundled into the browser (i.e. `resource://` URI?)?
MOZ_LOG(gProcessIsolationLog, LogLevel::Verbose,
("Forcing error page load to complete in the current process"));
behavior = IsolationBehavior::Anywhere;
}
#endif
|
|
||
Comment 4•2 years ago
|
||
Moving Android Fission bugs to the new GeckoView::Sandboxing component.
|
|
||
Updated•2 years ago
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 5•1 years ago
•
|
||
The tests affected by this:
- NavigationDelegateTest#loadFileNotFound
- NavigationDelegateTest#loadUnknownHost
- NavigationDelegateTest#loadExternalDenied
- NavigationDelegateTest#loadUntrusted
- NavigationDelegateTest#loadDeprecatedTls
- NavigationDelegateTest#safebrowsingPhishing
- NavigationDelegateTest#safebrowsingMalware
- NavigationDelegateTest#safebrowsingUnwanted
- NavigationDelegateTest#safebrowsingHarmful
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 7•1 year ago
|
||
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 8•1 year ago
|
||
|
|
Assignee | |
Comment 9•1 year ago
•
|
||
We investigated the issue and discovered that on Fission, when we load an error page on Android, we have a process switch which leads to about:blank load instead of the error page. It's important to note that on Android, we don't have standard about: error pages like on desktop, the app is expected to provide their own custom error pages.
One solution is to just not have a process switch when we load an error page on Android. It seems simple but less secure (although secure enough, as the error page URL come from the app itself via API).
Another option is to load the error pages in parent process. We would achieve that by loading a special about: address, and then in the AboutRedirector intercept that, call the GV API to ask the app for the URI, and initialize the page with that URI (the sketch of this solution can be found in the abandoned WIP patch for this bug). Because we get the URI from GV asynchronously, we need to do the redirect also asynchronously. For that, we will need to write a custom channel. It is a lot of work 🤔 But it is a more solid and more secure solution.
For now, we decided to solve the problem in a simple way to move on to the rest of the bugs because at the moment we don't know what we will discover there. After we fixed the tests, it would be nice to revisit this and add the custom channel. I will create a separate bug for that work as a clone of this one.
|
|
Assignee | |
Updated•1 year ago
|
|
||
Comment 10•1 year ago
|
||
|
||
Comment 11•1 year ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 12•1 year ago
|
||
Reopening to enable the rest of the tests. I was so concentrated on the one that is in the STR, that I forgot about the others - there are quite a few of the tests that were blocked by this.
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 13•1 year ago
|
||
|
|
||
Comment 14•1 year ago
|
||
|
||
Comment 15•1 year ago
|
||
| bugherder | ||
|
|
Assignee | |
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
||
Updated•6 months ago
|
Description
•