Data documents should belong to the same DocGroup when its creator is in the cross-origin-isolated env
Categories
(Core :: DOM: Core & HTML, defect)
Tracking | Status | |
---|---|---|
firefox86 | --- | fixed |
People
(Reporter: tt, Assigned: tt)
Attachments
(3 files)
https://searchfox.org/mozilla-central/rev/ef900cd2258d4c5d968093f612f807d96e6e7c98/dom/base/Document.cpp#7042-7044
If the document is a data document, then it isn't bound to any browsing context. This would cause it to belong to a different DocGroup from its creator if its creator is in a cross-origin-isolated env.
We should probably move the cross-origin-isolated state from browsing context to DocGroup to resolve this issue.
Comment 1•3 years ago
I'm investigating if this could lead to a security bug with another bug. Neither of them alone should trigger a security issue.
Comment 2•3 years ago
(For clarity, in the specification we track this state on the browsing context group and from there it is copied to be on the agent clusters associated with that browsing context group. Docgroup roughly corresponds to an agent within that agent cluster. Dedicated workers make up the other agents. It's different for shared/service workers but we don't implement this there yet.)
Comment 3•3 years ago
(I think there isn't a security issue because the other bug is protected by release asserts)
Assignee
Comment 4•3 years ago
Assignee
Comment 5•3 years ago
Comment 6•3 years ago
Assignee
Comment 7•3 years ago
Assignee
Comment 8•3 years ago
Discussed this with Olli: this bug is not a security bug. (It might have been one, but it proved not to be after all.) I am going to remove the keyword and move it out of the group.
Assignee
Comment 9•3 years ago
(In reply to Tom Tung [:tt, :ttung] from comment #8)
> Discussed this with Olli: this bug is not a security bug. (It might have been one, but it proved not to be after all.) I am going to remove the keyword and move it out of the group.

Actually, it seems I don't have permission to remove it from the group.
Comment 10•3 years ago
Pushed by ttung@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bb58a378493a
Get cross-origin-isolated state from the scope object when it's a data document and thus don't have a browsing context; r=smaug
https://hg.mozilla.org/integration/autoland/rev/fef805bdd35c
Add a browser test to verify data document stays in the same DocGroup with its creator; r=smaug
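A simplified model of the grouping problem from the description and of the pushed fix, added here as an illustration; it is not Gecko code. The type and function names are hypothetical, and the keying rule (per origin when cross-origin isolated, per site otherwise) is an assumption of the model.

```cpp
#include <iostream>
#include <string>

// Simplified model for illustration; every name here is hypothetical, not Gecko's.
struct BrowsingContext { bool crossOriginIsolated; };
struct ScopeObject { bool crossOriginIsolated; };  // the creator's global

struct Doc {
  std::string origin;         // constructed sample value
  std::string site;           // constructed sample value
  const BrowsingContext* bc;  // nullptr for a data document
  const ScopeObject* scope;   // global the document was created from
};

// Assumption: isolated documents are grouped per origin, others per site.
static std::string KeyFor(const Doc& d, bool isolated) {
  return isolated ? d.origin : d.site;
}

// Behaviour in the report: the state is read only from the browsing context,
// so a document without one is always treated as not isolated.
std::string DocGroupKeyBefore(const Doc& d) {
  bool isolated = d.bc != nullptr && d.bc->crossOriginIsolated;
  return KeyFor(d, isolated);
}

// Behaviour after the fix: with no browsing context, ask the scope object.
std::string DocGroupKeyAfter(const Doc& d) {
  bool isolated = d.bc != nullptr
                      ? d.bc->crossOriginIsolated
                      : (d.scope != nullptr && d.scope->crossOriginIsolated);
  return KeyFor(d, isolated);
}

// Constructed scenario: an isolated page and a data document it created.
static const BrowsingContext kIsolatedBC{true};
static const ScopeObject kIsolatedScope{true};
const Doc kCreator{"https://app.example.com", "https://example.com",
                   &kIsolatedBC, &kIsolatedScope};
const Doc kDataDoc{"https://app.example.com", "https://example.com",
                   nullptr, &kIsolatedScope};

int main() {
  std::cout << "before: " << DocGroupKeyBefore(kCreator) << " vs "
            << DocGroupKeyBefore(kDataDoc) << "\n";
  std::cout << "after:  " << DocGroupKeyAfter(kCreator) << " vs "
            << DocGroupKeyAfter(kDataDoc) << "\n";
  return 0;
}
```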
Comment 11•3 years ago
bugherder |
https://hg.mozilla.org/mozilla-central/rev/bb58a378493a
https://hg.mozilla.org/mozilla-central/rev/fef805bdd35c