Closed Bug 1685475 Opened 3 years ago Closed 3 years ago

Data documents should belong to the same DocGroup when their creator is in the cross-origin-isolated env

Categories

(Core :: DOM: Core & HTML, defect)

Tracking

RESOLVED FIXED
86 Branch
Tracking Status
firefox86 --- fixed

People

(Reporter: tt, Assigned: tt)

References

Details

Attachments

(3 files)

https://searchfox.org/mozilla-central/rev/ef900cd2258d4c5d968093f612f807d96e6e7c98/dom/base/Document.cpp#7042-7044
If the document is a data document, then it isn't bound to any browsing context. This would cause it to belong to a different DocGroup from its creator if its creator is in a cross-origin-isolated env.

We should probably move the cross-origin-isolated state from browsing context to Docgroup to resolve this issue.

Group: dom-core-security

I'm investigating if this could lead to a security bug in combination with another bug. Neither of them alone should trigger a security issue.

(For clarity, in the specification we track this state on the browsing context group and from there it is copied to be on the agent clusters associated with that browsing context group. Docgroup roughly corresponds to an agent within that agent cluster. Dedicated workers make up the other agents. It's different for shared/service workers but we don't implement this there yet.)

(I think there isn't a security issue because the other bug is protected by release asserts)

Attachment #9196335 - Attachment description: Bug 1685475 - WIP test; → Bug 1685475 - Add a browser test to verify data document stays in the same DocGroup with its creator;
See Also: → 1686426
Keywords: sec-audit

Discussed this with Olli; this bug is not a security bug. (It might have been, but it proved not to be after all.) I am going to remove the keyword and move it out from the group.

> (In reply to Tom Tung [:tt, :ttung] from comment #8)
>
> Discussed this with Olli; this bug is not a security bug. (It might have been, but it proved not to be after all.) I am going to remove the keyword and move it out from the group.

Actually, it seems I don't have permission to remove it from the group.

Status: NEW → ASSIGNED
Keywords: sec-audit
Group: dom-core-security
Pushed by ttung@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bb58a378493a
Get cross-origin-isolated state from the scope object when it's a data document and thus doesn't have a browsing context; r=smaug
https://hg.mozilla.org/integration/autoland/rev/fef805bdd35c
Add a browser test to verify data document stays in the same DocGroup with its creator; r=smaug
Severity: -- → S3
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch
Regressions: 1702867