Closed Bug 1724376 Opened 6 months ago Closed 4 months ago

Add a privileged non-document requestStorageAccess API for Shims

Categories

(Core :: Privacy: Anti-Tracking, enhancement, P1)

RESOLVED FIXED
95 Branch
Tracking Status
firefox95 --- fixed

People

(Reporter: johannh, Assigned: timhuang)

References

(Blocks 3 open bugs)

Attachments

(10 files, 4 obsolete files)


As a way of mitigating some of the breakage we've seen with dFPI without compromising on user privacy or giving websites unfair advantages, we want to write shims that call the Storage Access API on behalf of a website. To avoid some of the complexity of creating a third-party iframe and modifying the site's UI, we'd like to create a new API only accessible to privileged WebExtensions. The function signature could look something like this:

document.requestStorageAccessForOrigin(String origin) -> Promise

where origin would be the origin of the third party, which would then request access for the top-level BC of document. In the regular web-exposed rSA, document belongs to the third-party iframe. We don't want that here since this API is expected to be most frequently called outside of the correct iframe.

Note that this is just a hand-wavy suggestion from me; there might be reasons for the API to e.g. not live on the document or have another shape. It shouldn't really matter as long as we meet the requirements outlined here :)

Besides this special signature, this API should still enforce the same requirements, such as user interaction and the automatic grant for up to 5 first-party origins before prompting.
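A model of the gating described in this comment, as an added example that is not Firefox code: it keeps the explicit third-party origin argument, requires user interaction, auto-grants a third party on up to 5 distinct top-level origins, and prompts after that. The class name, state shape and the two callbacks are assumptions; only the requirements come from the bug.

```javascript
// Added example, not Firefox code: a model of the gating the privileged
// requestStorageAccessForOrigin() must still apply, per the bug description.
// The cap of 5 comes from the bug; names, state shape and callbacks are assumptions.
const MAX_AUTO_GRANTS = 5;

// A string is an origin only if it round-trips through URL parsing unchanged
// (scheme + host + port, no path, no fragment).
function isValidOrigin(origin) {
  try {
    return new URL(origin).origin === origin;
  } catch {
    return false;
  }
}

class StorageAccessPolicy {
  constructor({ hasUserActivation, promptUser }) {
    this.hasUserActivation = hasUserActivation; // () -> bool, transient activation
    this.promptUser = promptUser;               // (thirdParty, topLevel) -> bool
    this.grants = new Map();                    // thirdParty -> Set of top-level origins
  }

  // Mirrors document.requestStorageAccessForOrigin(origin): the caller names the
  // third party explicitly; topLevelOrigin stands in for the calling document's
  // top-level browsing context. Returns { granted, reason } instead of a Promise.
  requestStorageAccessForOrigin(thirdPartyOrigin, topLevelOrigin) {
    if (!isValidOrigin(thirdPartyOrigin)) {
      return { granted: false, reason: "invalid-origin" };
    }
    const sites = this.grants.get(thirdPartyOrigin) ?? new Set();
    this.grants.set(thirdPartyOrigin, sites);
    if (sites.has(topLevelOrigin)) {
      return { granted: true, reason: "already-granted" };
    }
    // Same requirement as the web-exposed API: no grant without user interaction.
    if (!this.hasUserActivation()) {
      return { granted: false, reason: "no-user-activation" };
    }
    // Automatic grant for up to MAX_AUTO_GRANTS distinct first parties, then prompt.
    if (sites.size < MAX_AUTO_GRANTS) {
      sites.add(topLevelOrigin);
      return { granted: true, reason: "auto-grant" };
    }
    const ok = this.promptUser(thirdPartyOrigin, topLevelOrigin);
    if (ok) sites.add(topLevelOrigin);
    return { granted: ok, reason: ok ? "prompt-granted" : "prompt-denied" };
  }
}
```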

Assignee: nobody → tihuang

To differentiate the privilege API calls, we need to add a new grant
reason for it.

We add a ContentBlocking::CheckTrackerForPrincipal() which checks
whether a principal belongs to a tracker.

Depends on D123800

To differentiate the privilege API calls, we need to add a new grant
reason for it.

We add a ContentBlocking::CheckTrackerForPrincipal() which checks
whether a principal belongs to a tracker.

Depends on D123804

Attachment #9238219 - Attachment is obsolete: true
Attachment #9238220 - Attachment is obsolete: true
Attachment #9238221 - Attachment is obsolete: true
Attachment #9238222 - Attachment is obsolete: true
Attachment #9238223 - Attachment description: WIP: Bug 1724376 - Part 1: Add a new storage access grant reason for the privilege API. r?dimi → Bug 1724376 - Part 1: Add a new storage access grant reason for the privilege API. r?dimi!,pbz!
Attachment #9238224 - Attachment description: WIP: Bug 1724376 - Part 2: Add a RejectForeignAllowList::Check() for principal. r?dimi → Bug 1724376 - Part 2: Add a RejectForeignAllowList::Check() for principal. r?dimi!,pbz!
Attachment #9238225 - Attachment description: WIP: Bug 1724376 - Part 3: Add ContentBlocking::CheckTrackerForPrincipal(). r?dimi → Bug 1724376 - Part 3: Add ContentBlocking::CheckTrackerForPrincipal(). r?dimi!,pbz!
Attachment #9238226 - Attachment description: WIP: Bug 1724376 - Part 4: Add a ContentBlocking::AsyncShouldAllowAccessFor(). r?dimi → Bug 1724376 - Part 4: Add a ContentBlocking::AsyncShouldAllowAccessFor(). r?dimi!,pbz!
Attachment #9238227 - Attachment description: WIP: Bug 1724376 - Part 5: Add support of calling ContentBlocking::AllowAccessFor() for the privilege request storage access API. r?dimi → Bug 1724376 - Part 5: Add support of calling ContentBlocking::AllowAccessFor() for the privilege request storage access API. r?dimi!,pbz!
Attachment #9238228 - Attachment description: WIP: Bug 1724376 - Part 6: Implement StorageAccess::AsyncStorageDisabledByAntiTracking(). r?dimi,pbz! → Bug 1724376 - Part 6: Implement StorageAccess::AsyncStorageDisabledByAntiTracking(). r?dimi,pbz!
Attachment #9238229 - Attachment description: WIP: Bug 1724376 - Part 7: Implement Document::RequestStorageAccessForOrigin() r?pbz,dimi → Bug 1724376 - Part 7: Implement Document::RequestStorageAccessForOrigin() r?pbz,dimi
Attachment #9238230 - Attachment description: WIP: Bug 1724376 - Part 8: Use the given origin of the privilege API as the third-party origin in the storage access prompt. r?pbz → Bug 1724376 - Part 8: Use the given origin of the privilege API as the third-party origin in the storage access prompt. r?pbz
Attachment #9238231 - Attachment description: WIP: Bug 1724376 - Part 9: Add a test for the privilege storage access API. r?pbz → Bug 1724376 - Part 9: Add a test for the privilege storage access API. r?pbz
Attachment #9238224 - Attachment description: Bug 1724376 - Part 2: Add a RejectForeignAllowList::Check() for principal. r?dimi!,pbz! → Bug 1724376 - Part 2: Add a RejectForeignAllowList::Check() for principal. r?dimi!,pbz!,sstreich!

This patch changes how we decide to expose the privileged SSA to the
document interface. We will expose the interface to the system principal
and the content script of the webcompat extension only.

Depends on D123811

Blocks: 1733330
Blocks: 1733331
Pushed by tihuang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6aad4b4f5657
Part 1: Add a new storage access grant reason for the privilege API. r=dimi,pbz
https://hg.mozilla.org/integration/autoland/rev/aa49afe2bc68
Part 2: Add a RejectForeignAllowList::Check() for principal. r=dimi,pbz,ckerschb
https://hg.mozilla.org/integration/autoland/rev/4ae2f9a20a08
Part 3: Add ContentBlocking::CheckTrackerForPrincipal(). r=dimi,pbz
https://hg.mozilla.org/integration/autoland/rev/339baf19d3c6
Part 4: Add a ContentBlocking::AsyncShouldAllowAccessFor(). r=dimi,pbz
https://hg.mozilla.org/integration/autoland/rev/4676337166a2
Part 5: Add support of calling ContentBlocking::AllowAccessFor() for the privilege request storage access API. r=dimi,pbz
https://hg.mozilla.org/integration/autoland/rev/2231210a2556
Part 6: Implement StorageAccess::AsyncStorageDisabledByAntiTracking(). r=dimi,pbz
https://hg.mozilla.org/integration/autoland/rev/a0dd38e4d95e
Part 7: Implement Document::RequestStorageAccessForOrigin() r=dimi,edgar
https://hg.mozilla.org/integration/autoland/rev/85856ecdc954
Part 8: Use the given origin of the privilege API as the third-party origin in the storage access prompt. r=pbz
https://hg.mozilla.org/integration/autoland/rev/a46e077a1ab9
Part 9: Add a test for the privilege storage access API. r=pbz
https://hg.mozilla.org/integration/autoland/rev/569bb2f56d66
Part 10: Only expose the privilege SSA to system principal and content scripts of webcompat extension. r=dimi,edgar