Only allow Marionette to switch to "chrome" context if system access flag is enabled
Categories
(Remote Protocol :: Marionette, enhancement, P2)
Tracking
(firefox138 fixed)
| Tracking | Status | |
|---|---|---|
| firefox138 | --- | fixed |
People
(Reporter: whimboo, Assigned: whimboo)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [webdriver:m15][webdriver:relnote])
Attachments
(9 files, 1 obsolete file)
|
366.75 KB,
image/png
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review |
Screenshot 2025-03-13 at 07.46.08.png
Follow-up from bug 1359472, which lands the first part of the required patches to not allow chrome context by default.
In general WebDriver implementations involve giving clients some privileged access to the browser. Therefore when enabling it it is assumed that users are happy with the security implications. However giving chrome access does provide additional capabilities compared to other drivers (more system access other than reading files, access to change the firefox UI, etc.).
It therefore might make sense to make this a separate opt-in feature. It can be done via an environment variable like MOZ_MARIONETTE_CHROME_CONTEXT, or a command line argument like --marionette-enable-chrome.
|
||
Updated•3 years ago
|
|
|
||
Updated•2 years ago
|
|
Assignee | |
Updated•11 months ago
|
|
|
Assignee | |
Updated•4 months ago
|
|
|
Assignee | |
Comment 1•4 months ago
|
||
With bug 1944565 implemented Marionette can rely on the internal Remote Agent status flag if access to the parent process is allowed or not. Based on its value we can adjust the Marionette:SetContext command to allow allow or deny the request for switching to chrome scope.
|
|
Assignee | |
Updated•4 months ago
|
|
|
Assignee | |
Comment 2•3 months ago
|
||
We actually decided to include this bug into the next milestone to improve security when using the chrome scope testing capabilities with Marionette.
I'll have a patch ready soon which we will land early in the 138 Nightly cycle starting by next Monday.
For using chrome scope testing the --remote-allow-system-access argument needs to be specified for Firefox. For the Marionette client, mochitest and the wptrunner we are going to automatically enable it. But users of geckodriver will have to specify it manually. They can use the --allow-system-access argument of geckodriver, or specify it via their NewSession capabilities as argument for Firefox if only some tests would need this special privilege.
|
||
Comment 3•3 months ago
•
|
||
:whimboo, just to be clear, will we need to specify --remote-allow-system-access and --allow-system-access or is it just one of them that needs to be specified?
|
|
Assignee | |
Comment 4•3 months ago
|
||
(In reply to Greg Mierzwinski [:sparky] from comment #3)
:whimboo, just to be clear, will we need to specify
--remote-allow-system-accessand--allow-system-accessor is it just one of them that needs to be specified?
If you are using geckodriver you can use its own --allow-system-access argument. It will internally forward this argument to Firefox. It will be set as long as geckodriver is running. If you need finer control you might want to pass it via the moz:firefoxOptions[args] capability.
Peter, do you think that you might have a chance to get it added to Browsertime soon? If it might take a while we could start landing the upcoming patches pref'ed off by default. That would allow testing before we enforce the pref to be enabled (and remove it eventually).
|
|
Assignee | |
Comment 5•2 months ago
|
||
To prevent current WebDriver clients from getting broken because they do not yet pass in this argument to Firefox I'm going to add the Firefox preference remote.system-access-check.enabled which defaults to true but allows to get flipped to temporarily ignore the check. I'm most likely going to remove the preference in +2 versions of Firefox (after the next ESR).
|
||
Comment 6•2 months ago
|
||
Hi Henrik, sorry I missed this. Let me add --allow-system-access this weekend.
|
|
||
Comment 7•2 months ago
|
||
Connection failed to localhost when flag is enabled.
|
|
||
Comment 8•2 months ago
|
||
I updated to Geckodriver 0.36.0 and added the flag, but when the flag is used Firefox always opens with a "Connection failed to localhost". I'm attaching a screenshot (it's in Swedish though) and then continuous on with navigating to the page. Is that how it should work?
|
|
Assignee | |
Comment 9•2 months ago
|
||
(In reply to Peter Hedenskog from comment #8)
I updated to Geckodriver 0.36.0 and added the flag, but when the flag is used Firefox always opens with a "Connection failed to localhost". I'm attaching a screenshot (it's in Swedish though) and then continuous on with navigating to the page. Is that how it should work?
Do you have a trace log that you can share? The option shouldn't have such a side-effect.
|
|
Assignee | |
Comment 10•2 months ago
|
||
I've sent a try build with the latest changes and there seem to be failures for the telemetry-client tests. I tried to run the tests locally but they fail as well with and without my patches applied.
Chutten, is there maybe a problem with running those tests on try and locally?
|
|
Assignee | |
Comment 11•2 months ago
|
||
(In reply to Henrik Skupin [:whimboo][⌚️UTC+2] from comment #10)
I've sent a try build with the latest changes and there seem to be failures for the telemetry-client tests. I tried to run the tests locally but they fail as well with and without my patches applied.
Chutten, is there maybe a problem with running those tests on try and locally?
Chutten seems to be away. Jan-Erik can you maybe help me out with this telemetry client failure? Thanks.
|
|
Assignee | |
Comment 12•2 months ago
|
||
|
|
Assignee | |
Comment 13•2 months ago
|
||
When using the "capabilities" marker there is actually no
need to parameterize the test. It will only add a "capabilities0-"
prefix to the test names, which doesn't give any additional
information.
Further it should be possible for other folders to
customize the default set of capabilities. As such
a new "default_capabilities" fixture has been added
and the existing "capabilities" fixture will now
retrieve the current default capabilities and merge
them when necessary with any capabilities markers.
|
|
Assignee | |
Comment 14•2 months ago
|
||
|
|
Assignee | |
Comment 15•2 months ago
|
||
|
|
Assignee | |
Comment 16•2 months ago
|
||
|
|
Assignee | |
Comment 17•2 months ago
|
||
|
|
Assignee | |
Comment 18•2 months ago
|
||
|
|
Assignee | |
Comment 19•2 months ago
|
||
|
|
||
Comment 20•2 months ago
|
||
Ok I added it here:
https://gist.github.com/soulgalore/87333fbe02d870f13d2b2982e006ed56
I added most verbose in Browsertime, hope that is enough.
|
|
Assignee | |
Comment 21•2 months ago
|
||
(In reply to Peter Hedenskog from comment #20)
Ok I added it here:
https://gist.github.com/soulgalore/87333fbe02d870f13d2b2982e006ed56I added most verbose in Browsertime, hope that is enough.
Thanks. That looks good. If you want to test it locally you can download a build for your platform from this try job.
|
||
Comment 22•2 months ago
|
||
(In reply to Henrik Skupin [:whimboo][⌚️UTC+2] from comment #11)
(In reply to Henrik Skupin [:whimboo][⌚️UTC+2] from comment #10)
I've sent a try build with the latest changes and there seem to be failures for the telemetry-client tests. I tried to run the tests locally but they fail as well with and without my patches applied.
Chutten, is there maybe a problem with running those tests on try and locally?
Chutten seems to be away. Jan-Erik can you maybe help me out with this telemetry client failure? Thanks.
I cannot reproduce a test failure on these locally on current m-c.
chutten is back on Monday, either he or I will take another look then. Keeping the ni? as a reminder.
|
||
Comment 23•2 months ago
|
||
Do these patches change any telemetry behavior? If yes, try running tests without artifact builds to see if it makes a difference. ./mach try accepts the --no-artifact flag for that.
|
|
Assignee | |
Comment 24•2 months ago
|
||
(In reply to Rob Wu [:robwu] from comment #23)
Do these patches change any telemetry behavior? If yes, try running tests without artifact builds to see if it makes a difference.
./mach tryaccepts the--no-artifactflag for that.
No, it doesn't change anything telemetry related. It's only that we require an additional argument to be set for Firefox to allow execution of JavaScript in the parent process via Marionette. The Marionette client, which the telemetry harness uses as well, does it automatically. I'll try building a full build locally and check if that may work - and indeed might be related to an artifact build (we had some differences in the past).
|
|
Assignee | |
Comment 25•2 months ago
|
||
Jan-Erik, the hint from Rob is actually correct! Those hangs in the Telemetry client tests seem to only happen for artifact builds. I now tried to run all the tests with a full build and there is no timeout at all. So I think that I can ignore these failures given that they aren't related to my changes.
|
|
||
Comment 26•2 months ago
|
||
(In reply to Henrik Skupin [:whimboo][⌚️UTC+2] from comment #25)
Jan-Erik, the hint from Rob is actually correct! Those hangs in the Telemetry client tests seem to only happen for artifact builds. I now tried to run all the tests with a full build and there is no timeout at all. So I think that I can ignore these failures given that they aren't related to my changes.
Thanks! We had artifact build issues in the past, but I hoped I had fixed this. I file a bug on our side to take a look separate from this patch set.
|
||
Updated•2 months ago
|
|
||
Comment 28•2 months ago
|
||
|
||
Comment 29•2 months ago
•
|
||
Backed out for causing wpt & lint failures.
Backout link: https://hg.mozilla.org/integration/autoland/rev/3e7d2dc07f55d2df2e18cc6cf6c0ac032c9ddfa6
|
|
Assignee | |
Comment 30•2 months ago
|
||
There were the following issues with the changes:
- Running the verify job for the new
/_mozilla/webdriver/harness/system_access.pytest fails because we do not clear the preference when testing the opt-out of the allow system access check. So it leaks into the default behavior test causing it to fail. - wpt tests on Android were failing because I missed to update the wpt runner code for Android so that the
--remote-allow-system-accessargument was not passed to Firefox.
I'll update the patches and reland the patch set.
|
|
||
Comment 31•2 months ago
|
||
|
|
Assignee | |
Comment 32•2 months ago
|
||
|
|
||
Comment 33•2 months ago
|
||
|
||
Comment 34•2 months ago
•
|
||
Backed out together with Bug 1944565 for causing multiple failures
Push with failures - bc
Push with failures - wd
Push with failures - lint
|
|
||
Updated•2 months ago
|
|
|
Assignee | |
Comment 35•2 months ago
|
||
(In reply to Norisz Fay [:noriszfay] from comment #34)
These browser chrome test failures are caused by D241412, which basically only adds the --remote-allow-system-access command line argument when starting Firefox. It's not clear to me how this changes the way in writing to and reading from the Window Registry. This is the failing test:
Alex, given that you wrote this test do you have an idea why this single line change could have caused this test to fail?
|
|
Assignee | |
Comment 36•2 months ago
|
||
So I've filed bug 1955535 to get this specific case handled separately.
As a workaround we can directly set the environment variable MOZ_REMOTE_ALLOW_SYSTEM_ACCESS in the mochitest runner code instead of the command line argument. Locally this will make the test pass for me. I'll update the relevant revision.
|
|
||
Updated•2 months ago
|
|
|
||
Comment 37•2 months ago
|
||
|
||
Comment 38•2 months ago
|
||
Backed out for causing failures @test_no_errors_clean_profile.py.
|
|
Assignee | |
Comment 39•2 months ago
|
||
It's the patch on bug 1944565 which needs the update.
|
|
||
Comment 40•2 months ago
|
||
|
||
Comment 41•2 months ago
|
||
https://hg.mozilla.org/mozilla-central/rev/713732e682e8d3d1f9c69869cf5ba6c3424636f3
https://hg.mozilla.org/mozilla-central/rev/ea986d7c5fd0c05a3907c2754acd0aa236cf625b
https://hg.mozilla.org/mozilla-central/rev/69229209fa01ee918d7e33216fca31df96741610
https://hg.mozilla.org/mozilla-central/rev/2f95a4cdb113fa9fca1a748088460ea783bfa845
https://hg.mozilla.org/mozilla-central/rev/c765284053d2d43d86f0cb197d0e55a1ca41bcb6
https://hg.mozilla.org/mozilla-central/rev/2e01172bc3f70a21343b97f2a33886c42842fb52
https://hg.mozilla.org/mozilla-central/rev/82eb986c67124bd3cef054d6f1933075cda9491b
https://hg.mozilla.org/mozilla-central/rev/3bbbf850fc7b3b5c5da1f00102681508d78c60c1
|
||
Updated•23 days ago
|
|
|
||
Comment 42•23 days ago
•
|
||
Hi Daniel, would it be OK to make this bug and the dependency Bug 1944565 non confidential?
We'd like to mention them in our release notes.
|
||
Comment 43•21 days ago
|
||
Looks fine to me, and for the other dependency bug 1359472 too.
Description
•