Closed Bug 1687283 Opened 5 years ago Closed 5 years ago

Storage access permission is shown for first party

Categories

(Core :: Privacy: Anti-Tracking, defect, P2)

Product:
Core
Component:
Privacy: Anti-Tracking
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
88 Branch
Tracking Flags:
Tracking Status
firefox88 --- fixed

People

(Reporter: emz, Assigned: timhuang)

References

(Blocks 1 open bug)

Details

Attachments

(5 files)

3rdpartystorage-permission.png
32.41 KB, image/png
Details
permission-db-entries.png
22.68 KB, image/png
Details
Bug 1687283 - Part 1: Add a flag 'needForCheckingAntiTrackingHeuristic' in loadInfo. r?kershaw
48 bytes, text/x-phabricator-request
Details | Review
Bug 1687283 - Part 2: Modify the AntiTrackingRedirectHeuristic. r?dimi!,johannh
48 bytes, text/x-phabricator-request
Details | Review
Bug 1687283 - Part 3: Add a test case for testing the redirect heuristic. r?dimi!
48 bytes, text/x-phabricator-request
Details | Review

While testing on amazon.de I noticed that the 3rdPartyStorage permission is shown for amazon.de even though amazon.de is the first party. This is unexpected? I've attached a screenshot.

STR:

  1. Go to amazon.de
  2. On the cookie banner that pops up select "Cookie Einstellungen anpassen"
  3. On the next page: "Alle cookies annehmen"

Here is the permission database. This is a clean profile so these are the only two entries.

Thanks for flagging this. Per my understanding, permissions in the form 3rdPartyStorage^foo.com are only set for third-party origins, so my suspicion would be that the permission-setting code thinks amazon.de is a third-party for some reason. If this is wrong, we should probably patch the frontend to not assume that foo.com is a third-party and handle the first-party case somehow.

Severity: -- → S3
Priority: -- → P3

Ran into the same issue with drive.google.com.

Updating priority, since we've identified this bug as MVP follow-up.

Priority: P3 → P2
Assignee: nobody → tihuang
Status: NEW → ASSIGNED

The root cause of this issue is that we have an issue that we will grant the storage access regardless the forwarding domain is a tracker or not. So, we would grant access to the tracker itself if the tracker redirects to the same domain. In this case, amazon.de.

This patch adds a flag 'needForCheckingAntiTrackingHeuristic' in
loadInfo. This flag will be used for deciding if we need to check the
AntiTracking heuristic after the channel has been classified.

This patch separetes the original AntiTrackingRedirectHeuristic into two
phases. The first phase will be called when we know the redirect is
about to happen. It will check necessary informance to see if we need to
process the heuristic after the classifier flag is ready for the new
channel. The second phase will be called when the classifier flag is
ready for the new channel to really save the storage access permission
for the redirect.

Depends on D107047

This patch adds the test case for testing the ETP redirect heuristic.

Depends on D107048

Attachment #9206605 - Attachment description: Bug 1687283 - Part 2: Modfiy the AntiTrackingRedirectHeuristic. r?dimi!,johannh → Bug 1687283 - Part 2: Modify the AntiTrackingRedirectHeuristic. r?dimi!,johannh
Pushed by tihuang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c845dc41a3a2 Part 1: Add a flag 'needForCheckingAntiTrackingHeuristic' in loadInfo. r=kershaw,necko-reviewers https://hg.mozilla.org/integration/autoland/rev/9e678f822fc6 Part 2: Modify the AntiTrackingRedirectHeuristic. r=dimi https://hg.mozilla.org/integration/autoland/rev/442085964b6a Part 3: Add a test case for testing the redirect heuristic. r=dimi
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: