1721131 - Storage inspector does not show isolated Parent Process resources (cookie/indexeddb) when dfpi is active

Status: VERIFIED FIXED

(DevTools :: Storage Inspector, defect)

Description

[Julian Descottes [:jdescottes]]

Dynamic First Party Isolation (Bug 1549587) isolates third-party storage by double keying the storage using the First-Party origin attribute. When dfpi is active, the Storage Panel does not show isolated cookies with the exception of the first time they are set.

STR:

1. In a fresh profile set network.cookie.cookieBehavior = 5
2. Visit https://senglehardt.com/test/dfpi/first_and_third.html. You'll see cookies, localstorage, session storage, and indexed db data written for three iframes from separate origins.
3. Open the Storage Panel and note that all storage locations show the expected results.
4. Refresh the page. No new storage is set. Instead, storage is read from all locations.
5. Open the Storage Panel and switch between the origins listed under "Cookies". Note that englehardt-tracker.com is empty

ER:

• The storage panel displays the active storage area for all storage locations

AR:

• No cookies for the isolated origin (englehardt-tracker.com) when storage is only read during the page visit. This does not reproduce when the storage location is not isolated.

This was first fixed in Bug 1628936, but was regressed by Bug 1700904.
A test should be added this time to avoid future regressions.

Comment 1

[Julian Descottes [:jdescottes]]

This will be triaged during our next meeting, I am not restoring the need info because it would hide it from Bug 1628936 because it would hide from our triage query and also :ladybenko is off for now.

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1700904

Comment 4

[Rob Wu [:robwu]]

The cookies are fetched with getCookiesFromHost, at https://searchfox.org/mozilla-central/rev/699174544b058f13f02e7586b3c8fdbf438f084b/devtools/server/actors/storage.js#655-656,669-683.

getCookiesFromHost looks up the cookies whose OriginAttributes are an exact match for the given OriginAttributes, by host only, via storageActor.getWindowFromHost. When I step through with a debugger I can see that the execution goes through https://searchfox.org/mozilla-central/rev/699174544b058f13f02e7586b3c8fdbf438f084b/devtools/server/actors/resources/utils/parent-process-storage.js#342,344

with partitionKey: "" while it should have been non-empty for child frames.

Comment 5

[Paul Zühlcke [:pbz]]

Attachment: Bug 1721131 - [devtools] Use WindowGlobalParent documentStoragePrincipal for storage access. r=nchevobbe!

We need to use documentStoragePrincipal rather than the regular document principal, because it
contains the partitionKey which is used to isolate storage of third-party resources.

Comment 6

[Paul Zühlcke [:pbz]]

Sorry, I've just realized :ladybenko was working on this in Bug 1710451.
It seems to be a simple fix now that we have access to the storage principal via WindowGlobalParent. I'm working on a test.

Comment 7

[Pulsebot]

Pushed by pzuhlcke@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c632cd1094b8
[devtools] Use WindowGlobalParent documentStoragePrincipal for storage access. r=nchevobbe

Comment 8

[Chris Peterson [:cpeterson]]

This bug is a soft blocker for Fission MVP. We'd like to fix it before our Release channel rollout, but we won't delay the rollout waiting for it.

Comment 9

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/c632cd1094b8

Comment 10

[Oana Botisan, Desktop QA]

Managed to reproduce the issue on macOS 10.15 using Nightly 2021-07-19.
Retested everything on Firefox 92.0b2 and Nightly 93.0a1 using the same os. The issue is not reproducing anymore.