Closed Bug 1687969 Opened 4 years ago Closed 4 years ago

HTTPS-Only: Fix issues with HTTPS-Only Mode when privacy.firstparty.isolate is enabled

Categories

(Core :: DOM: Security, defect, P3)

RESOLVED WORKSFORME

People

(Reporter: julianwels, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

There are multiple issues with HTTPS-Only Mode exceptions when privacy.firstparty.isolate is enabled. There are already bugs filed (bug 1678252 and bug 1680934) that I'm consolidating into this one.

These bugs probably all stem from the same lines of code here.

When HTTPS-Only Mode adds a new exemption, it creates a new content principal through Services.scriptSecurityManager.createContentPrincipal, where the firstPartyDomain Origin Attribute is always an empty string. I tried to fix that previously by just guessing the attribute and setting it, which apparently doesn't work because FPI is more complex.

So the question is how to generate a valid firstPartyDomain attribute and set it on the new principal.

Hi Baku,
do you have a suggestion how to get a correct firstPartyDomain attribute?

Flags: needinfo?(amarchesini)

Comments from just looking at the code, maybe this helps you:

  • Are you sure that this is how object destructuring works? The firstPartyDomain attribute is already present in oldOriginAttributes, what happens when you have duplicate items in an object?
  • Passing null/undefined instead of empty string might safeguard against the possibility that firstPartyDomain="" becomes part of the origin

I would say FPI isn't that complicated, so my guess is that there's a subtle bug in your code there :)
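Added example, not part of the bug thread or of Firefox's code: a simplified JavaScript model of the two points raised above, namely what a duplicate key does in an object spread and why an exemption stored with an empty firstPartyDomain would not match a load that carries a non-empty one. The names `originSuffix` and `ExemptionStore`, the sample origin and attribute values, and the premise that exemptions are matched on origin plus attribute suffix are assumptions made for illustration.

```javascript
// Simplified model for illustration only; this is NOT Gecko code and every
// name here is hypothetical.

// Serialize origin attributes into a suffix. Empty/unset values are omitted.
function originSuffix(attrs) {
  const parts = Object.keys(attrs)
    .sort()
    .filter((k) => attrs[k] !== "" && attrs[k] != null)
    .map((k) => `${k}=${encodeURIComponent(attrs[k])}`);
  return parts.length ? "^" + parts.join("&") : "";
}

// Exemption store keyed on origin plus attribute suffix (assumed matching rule).
class ExemptionStore {
  constructor() {
    this.keys = new Set();
  }
  static key(origin, attrs) {
    return origin + originSuffix(attrs);
  }
  add(origin, attrs) {
    this.keys.add(ExemptionStore.key(origin, attrs));
  }
  has(origin, attrs) {
    return this.keys.has(ExemptionStore.key(origin, attrs));
  }
}

// Constructed sample: attributes carried by the top-level load under FPI.
const origin = "http://example.test";
const loadAttrs = { firstPartyDomain: "example.test", userContextId: 2 };

// Duplicate key in a spread: no error is thrown, the LAST occurrence wins.
const overriddenLate = { ...loadAttrs, firstPartyDomain: "" }; // "" wins
const overriddenEarly = { firstPartyDomain: "", ...loadAttrs }; // original wins

// Store an exemption with the given attributes, then perform the lookup
// the next load would make with its real attributes.
function exemptionMatches(attrsUsedWhenAdding) {
  const store = new ExemptionStore();
  store.add(origin, attrsUsedWhenAdding);
  return store.has(origin, loadAttrs);
}

console.log(exemptionMatches(overriddenLate));  // exemption is never found
console.log(exemptionMatches(overriddenEarly)); // exemption is found
```

In this model the exemption written with the empty attribute is stored under a different key from the one the next load looks up, which is the kind of mismatch that would send the user back to the same error page.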

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME

I don't think this bug should've been closed - it's not a crash and there are still issues with FPI+scheme and HTTPS-only mode in current Nightly.

Reproduction steps:

  1. Set the following prefs to true:
     • dom.security.https_only_mode
     • privacy.firstparty.isolate
     • privacy.firstparty.isolate.use_site
  2. Visit http://expired.badssl.com/ (note not https:// - visiting the HTTPS version directly works fine for this example).
  3. You're presented with the "Secure Connection Not Available" error page, offering to continue to HTTP site. Click this button.
  4. Notice you're sent straight back to the "Secure Connection Not Available" error page, with the same options. Basically, a loop.

If the privacy.firstparty.isolate.use_site pref is false, you're instead sent to the "Warning: Potential Security Risk Ahead" error page at step 4, which will let you accept the expired cert and continue if you want to.

Flags: needinfo?(amarchesini)