HTTPS-Only: Fix issues with HTTPS-Only Mode when privacy.firstparty.isolate is enabled
Categories
(Core :: DOM: Security, defect, P3)
People
(Reporter: julianwels, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1])
There are multiple issues with HTTPS-Only Mode exceptions when privacy.firstparty.isolate is enabled. There are already bugs filed (bug 1678252 and bug 1680934) that I'm consolidating into this one.
These bugs probably all stem from the same lines of code here.
When HTTPS-Only Mode adds a new exemption, it creates a new content principal through Services.scriptSecurityManager.createContentPrincipal, where the firstPartyDomain Origin Attribute is always an empty string. I tried to fix that previously by just guessing the attribute and setting it, which apparently doesn't work because FPI is more complex.
So the question is how to generate a valid firstPartyDomain attribute and set it on the new principal.
Comment 3•4 years ago (Reporter)
Hi Baku,
do you have a suggestion how to get a correct firstPartyDomain attribute?
Comment 4•4 years ago
Comments from just looking at the code, maybe this helps you:
- Are you sure that this is how object destructuring works? The firstPartyDomain attribute is already present in oldOriginAttributes, what happens when you have duplicate items in an object?
- Passing null/undefined instead of empty string might safeguard against the possibility that firstPartyDomain="" becomes part of the origin
I would say FPI isn't that complicated, so my guess is that there's a subtle bug in your code there :)
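The duplicate-key question raised in Comment 4, as an added example (not code from the bug or from Firefox): in a JavaScript object literal the last occurrence of a key wins, so where the override sits relative to the spread decides the result. `principalKey` and `ExemptionStore` are hypothetical stand-ins for how an exemption is matched to a principal, and the attribute values are constructed.

```javascript
// Constructed sample: attributes of the page's principal with FPI enabled.
// The firstPartyDomain value is illustrative, not taken from the bug.
const pageAttrs = { firstPartyDomain: "badssl.com", userContextId: 0, privateBrowsingId: 0 };

// Override placed BEFORE the spread: the value already in oldAttrs wins.
function overrideFirst(oldAttrs, fpd) {
  return { firstPartyDomain: fpd, ...oldAttrs };
}

// Override placed AFTER the spread: the new value wins.
function overrideLast(oldAttrs, fpd) {
  return { ...oldAttrs, firstPartyDomain: fpd };
}

// Hypothetical stand-in for a principal's identity: origin plus sorted attributes.
function principalKey(origin, attrs) {
  const sorted = Object.keys(attrs).sort().map((k) => [k, attrs[k]]);
  return origin + "^" + JSON.stringify(sorted);
}

// Hypothetical exemption store keyed by principalKey (an assumption of this model).
class ExemptionStore {
  constructor() { this.keys = new Set(); }
  add(origin, attrs) { this.keys.add(principalKey(origin, attrs)); }
  has(origin, attrs) { return this.keys.has(principalKey(origin, attrs)); }
}

function demo() {
  const origin = "http://expired.badssl.com";
  const store = new ExemptionStore();
  // Exemption written with an empty firstPartyDomain, as the report describes.
  store.add(origin, overrideLast(pageAttrs, ""));
  const lookupWithPageAttrs = store.has(origin, pageAttrs);
  // Exemption written with the page's own attributes.
  store.add(origin, { ...pageAttrs });
  return {
    first: overrideFirst(pageAttrs, "").firstPartyDomain,
    last: overrideLast(pageAttrs, "").firstPartyDomain,
    // An explicit undefined still leaves the key present on the object.
    undefinedKeepsKey: "firstPartyDomain" in overrideLast(pageAttrs, undefined),
    lookupWithPageAttrs,
    lookupWithMatchingAttrs: store.has(origin, pageAttrs),
  };
}
```

In this model an exemption stored under an empty firstPartyDomain is never found when the lookup uses the page's isolated attributes, which is the kind of mismatch the description points at.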
Comment 5•4 years ago
Closing because no crashes reported for 12 weeks.
I don't think this bug should've been closed - it's not a crash and there are still issues with FPI+scheme and HTTPS-only mode in current Nightly.
Reproduction steps:
1. Set following prefs to true:
   - dom.security.https_only_mode
   - privacy.firstparty.isolate
   - privacy.firstparty.isolate.use_site
2. Visit http://expired.badssl.com/ (note not https:// - visiting the HTTPS version directly works fine for this example).
3. You're presented with the "Secure Connection Not Available" error page, offering to continue to HTTP site. Click this button.
4. Notice you're sent straight back to the "Secure Connection Not Available" error page, with the same options. Basically, a loop.
If the privacy.firstparty.isolate.use_site pref is false, you're instead sent to the "Warning: Potential Security Risk Ahead" error page at step 4, which will let you accept the expired cert and continue if you want to.
Updated•11 months ago (Reporter)