Closed Bug 1678252 Opened 4 years ago Closed 4 years ago

adding scheme to FPI (use_site) breaks HOM exceptions

Categories

(Core :: Privacy: Anti-Tracking, defect, P3)

Firefox 83

RESOLVED DUPLICATE of bug 1687969

People

(Reporter: thorin, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

Test: http://httpforever.com/
Tools: FF83 (vanilla profile) with HOM enabled (all windows)
Note: privacy.firstparty.isolate.use_site is default false and experimental

Actual results:

Control

  • sanitize everything or at least permissions (ctrl-shift-del, all time), permissions.sqlite should be empty
  • no FPI
  • no dFPI (e.g. network.cookie.cookieBehavior = 4)
  • test > continue to site > works
  • change site permission via panel for HOM to Off
    • permissions gets type https-only-load-insecure for http://httpforever.com
  • restart FF, test
    • permission works

FPI [without scheme]

  • sanitize permissions
  • enable FPI
  • privacy.firstparty.isolate.use_site should be default false
  • test > etc
  • test > continue to site > works
  • change site permission via panel for HOM to Off
    • permissions gets type https-only-load-insecure for http://httpforever.com^firstPartyDomain=httpforever.com
  • restart FF, test
    • permission works

FPI [with scheme]

  • sanitize permissions
  • enable FPI
  • flip privacy.firstparty.isolate.use_site to true
  • test > continue to site > nothing happens, nothing added to permissions

Expected results:

FWIW

I tested dFPI with and without scheme (privacy.dynamic_firstparty.use_site) and everything works as expected. Permissions have no OA nomenclature: it's always type https-only-load-insecure for http://httpforever.com
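An added example, not part of the bug report or of Firefox's code, for checking the permission entries that the steps above look for in permissions.sqlite. It assumes the permission store is a `moz_perms` table with `origin`, `type` and `permission` columns; the function names are hypothetical and the sample rows are constructed from the two entries quoted in the report.

```python
import sqlite3

HOM_TYPE = "https-only-load-insecure"  # permission type quoted in the report

def split_origin(origin):
    """Split 'scheme://host^key=value&...' into (origin, origin-attribute dict)."""
    base, _, suffix = origin.partition("^")
    attrs = {}
    for pair in filter(None, suffix.split("&")):
        key, _, value = pair.partition("=")
        attrs[key] = value
    return base, attrs

def hom_exceptions(conn):
    """List every stored HTTPS-Only exception as (origin, attrs, permission)."""
    rows = conn.execute(
        "SELECT origin, permission FROM moz_perms WHERE type = ? ORDER BY origin",
        (HOM_TYPE,),
    )
    return [(*split_origin(origin), perm) for origin, perm in rows]

def has_exception(conn, origin, first_party_domain=None):
    """True if an exception exists for origin under the given firstPartyDomain
    (None means the entry carries no firstPartyDomain attribute at all)."""
    return any(
        base == origin and attrs.get("firstPartyDomain") == first_party_domain
        for base, attrs, _ in hom_exceptions(conn)
    )

def build_sample_db(rows=None):
    """Constructed in-memory stand-in for permissions.sqlite (assumed schema)."""
    if rows is None:
        rows = [
            ("http://httpforever.com", HOM_TYPE, 1),  # Control case
            ("http://httpforever.com^firstPartyDomain=httpforever.com", HOM_TYPE, 1),  # FPI without scheme
            ("https://example.org", "cookie", 1),  # unrelated permission, ignored
        ]
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_perms (id INTEGER PRIMARY KEY, origin TEXT, "
                 "type TEXT, permission INTEGER)")
    conn.executemany(
        "INSERT INTO moz_perms (origin, type, permission) VALUES (?, ?, ?)", rows)
    return conn

if __name__ == "__main__":
    for base, attrs, perm in hom_exceptions(build_sample_db()):
        print(base, attrs, perm)
```

To inspect a real profile, pass `hom_exceptions` a connection opened on a copy of permissions.sqlite taken while Firefox is closed; an empty result after "continue to site" matches the "FPI [with scheme]" symptom.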

Anne, I'll let you triage the component :)

Flags: needinfo?(annevk)

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Privacy: Anti-Tracking
Product: Firefox → Core
Flags: needinfo?(annevk)
Severity: -- → S3
Priority: -- → P3

The problem here is that the principal used to add the 'https-only-load-insecure' permission doesn't consider the pref 'privacy.firstparty.isolate.use_site', see here.

Since there are multiple problems with HTTPS-Only when FPI is enabled, which probably all come from the same lines of code, I created a new bug to track the issue.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
See Also: → 1680934