Closed Bug 1718850 Opened 3 years ago Closed 2 years ago

sessionStorage is cleared when cross-origin-opener-policy (COOP) is enabled

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Version:
Firefox 89
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1712961

People

(Reporter: lauredo+github, Assigned: farre)

References

Details

(Keywords: regression, regressionwindow-wanted, Whiteboard: [domsecurity-active])

Attachments

(1 file, 1 obsolete file)

Bug 1718850 - Part 2: Always propate BackgroundSessionStorageManager in the parent. r=nika!
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36

Steps to reproduce:

  1. Open a Web site with COOP set to same-origin e.g.

Cross-Origin-Opener-Policy: same-origin

  1. Set a key in sessionStorage e.g.

sessionStorage.setItem('key, 'value')

  1. Navigate to another Web site due to a server-side redirection (HTTP 302/303).

Note that the same can be observed using manual redirection by typing in the address bar but this one could be justified by the discussion in https://github.com/whatwg/html/issues/6356.

  1. Press the back button to return to the first Web site with COOP

Check sessionStorage, it is now empty instead of containing the example 'key'.

This does not happen in Chrome or in previous versions of Firefox.

The issue is related to https://github.com/whatwg/html/issues/6356 but pertains to HTTP redirections e.g. needed for authentications using a Single Sign On provider (e.g. OpenID Connect, OAuth2, SAML, etc.).

So it is not a "manual" navigation, as mentioned in the github issue, but a server-side redirection to the SSO provider, back and forth to the initial site.

Losing sessionStorage content defeats the purpose of such SSO protocols.

Actual results:

With COOP set to same-origin, the sessionStorage is cleared after server-side redirection to another origin and then coming back to the original origin in the same tab.

Expected results:

The sessionStorage should be kept to the content initialized in the same tab before the server-side redirection.

Remark for point 4): the failing case with the SSO provider is actually another server-side redirection (HTTP 302/303) to the initial Web site.

Pressing the back button is also a case of "manual" navigation which could be justified by the https://github.com/whatwg/html/issues/6356 issue.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core

Further investigations with the SSO provider have shown that redirections to the SSO web site include

  • javascript location.href=xxx and
  • HTML meta http-equiv="Refresh"
    calls as well as HTTP 302/303 during the SSO authentication flow.

Testing the whole flow when only HTTP 303 redirections are at play, Firefox 89 does not clear the sessionStorage and keys can be retrieved, as expected.

So, it seems the behaviour is induced either by the location.href call or by the meta refresh presence.

Test results on Firefox 89:

  • If redirections happen with HTTP 302/303, the sessionStorage is not cleared when coming back to the initial application.

  • If the redirection is performed client-side using:
    -- location.href = xxx;
    -- location.replace(xxx);
    -- location.reload();
    -- <meta http-equiv="Refresh" content="0; url=xxx>
    then the sessionStorage is cleared.

  • If redirections is triggered from a server-side "Refresh" HTTP response header, the sessionStorage is cleared as well.

  • If the end-user manually clicks on a link to the initial application (generated in the redirection page), the sessionStorage is cleared too.

This issue is related to https://bugzilla.mozilla.org/show_bug.cgi?id=1656768 which is supposed to be fixed.

Anne: is a manual-redirect (js or meta refresh) supposed to be different from a 30x for COOP?

Flags: needinfo?(annevk)
See Also: → 1656768

Not really. Hopefully Nika or Olli (when back) can take a look.

Flags: needinfo?(nika)
Flags: needinfo?(bugs)
Flags: needinfo?(annevk)

I haven't spent enough time looking into this to be sure, but I'm thinking that this might be related to bug 1700623, as it landed in the 90 timeframe and touched Session Storage. I'll try to put together a local STR and get a mozregression soon. Leaving my ni? up until then.

Flags: needinfo?(bugs)
Keywords: regression, regressionwindow-wanted
QA Whiteboard: [qa-regression-triage]

ni? :farre due to the suspected regressor of bug 1700623

Flags: needinfo?(nika)
Flags: needinfo?(afarre)

This being due to bug 1700623 sounds entirely plausible. I'll look into it.

Assignee: nobody → afarre
Flags: needinfo?(afarre)
Severity: -- → S2
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P3
Whiteboard: [domsecurity-active]

I'm not sure that I understand the STR's here. I wrote up a mochitest to capture them, and indeed, if you vary the way that you return to the page that you were at before redirection, session storage preservation differs. But not due to bug 1700623 in any way I could create. So I'm apparently missing something.

I added the patch with the test, but I thought I'd reach out and ask for help. :annevk, :nika, do you see what I do wrong here?

Flags: needinfo?(nika)
Flags: needinfo?(annevk)

Actually think that I found it. We have a bug that's not introduced by bug 1700623. When we propagate the manager we make it depend on mozilla::SessionHistoryInParent(), but we should always use Session Storage in the parent.

Flags: needinfo?(nika)
Flags: needinfo?(annevk)
Attachment #9237164 - Attachment description: WIP: Bug 1718850 - Part 1: Test that session storage is preserved over redirects. → Bug 1718850 - Part 1: Test that session storage is preserved over redirects. r=nika!
See Also: → 1712961

:farre are you planning on making any changes to the attached patch?

Flags: needinfo?(afarre)

Andreas is finishing his big patches around session store in https://bugzilla.mozilla.org/show_bug.cgi?id=1739450
After that work, he will be able to revisit this issue.

This doesn't reproduce any longer. I'll spend some time to verify, but I'll close as invalid after that.

Flags: needinfo?(afarre)

This doesn't reproduce for me, and in any case bug 1712961 is the same issue. Closing this and keeping the intermittent (which I'll probably also close soon since that doesn't seem to reproduce any more as well).

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Attachment #9237164 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: