Closed Bug 1680846 Opened 3 years ago Closed 2 years ago

Without prior 1p user interaction, requestStorageAccess should always result in a permission prompt

Categories

(Core :: Privacy: Anti-Tracking, enhancement, P2)

Tracking

RESOLVED FIXED
97 Branch
Tracking Status
firefox97 --- fixed

People

(Reporter: johannh, Assigned: bvandersloot)

References

(Blocks 1 open bug)

Attachments

(2 files, 1 obsolete file)

We should not automatically grant storage access to cross-origin iframes without first party user interaction. However, automatically denying seems too extreme given that the website is forced to show users a weird interstitial then. A compromise would be to always prompt in this case. Note that combined with bug 1680844 this would mean that the 3rd party can then obtain first party user interaction when the user confirms the permission prompt.

Assignee: nobody → bvandersloot
Status: NEW → ASSIGNED
Depends on: 1734026, 1680844

Adding dependencies that prevent breakage.

Attachment #9243944 - Attachment description: Bug 1680846 - WIP - requestStorageAccess should always result in a permission prompt for 3p requests and no prior 1p interaction r?timhuang → Bug 1680846 - Part 1 - requestStorageAccess should always result in a permission prompt for 3p requests and no prior 1p interaction r?timhuang

This also includes the removal of the test file browser_storageAccessAutograntedGivesUserInteraction.js.
That test presupposes that it is possible to autogrant without the storageAccessAPI permission, which is no longer possible.

Depends on D127276

A few tests relied upon autogrants without storageAccessAPI permission.
I modified these tests to click the Accept button in the prompt that now appears, automating a manual grant.

Depends on D132597

Attachment #9253259 - Attachment is obsolete: true
Pushed by bvandersloot@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d916d9ac25e9
Part 1 - requestStorageAccess should always result in a permission prompt for 3p requests and no prior 1p interaction r=timhuang
https://hg.mozilla.org/integration/autoland/rev/625308c5c0a5
Part 2 - Add new tests that verify that autogrants of SAA require the storageAccessAPI permission, r=timhuang
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch