Closed Bug 1742815 Opened 2 years ago Closed 2 years ago

[wpt-sync] Sync PR 31731 - [Fixit] Make sandbox + COOP break the opener.

Categories

(Core :: DOM: Core & HTML, task, P4)

task

Tracking

()

RESOLVED FIXED
96 Branch
Tracking Status
firefox96 --- fixed

People

(Reporter: mozilla.org, Unassigned)

References

()

Details

(Whiteboard: [wptsync downstream])

Sync web-platform-tests PR 31731 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/31731
Details from upstream follow.

Arthur Hemery <ahemery@chromium.org> wrote:

[Fixit] Make sandbox + COOP break the opener.

Sandbox flags and COOP cannot currently live on the same page. This was
decided when first implementing COOP. If COOP and sandboxing flags are
present on the same top level window, we return an error page instead,
and COOP has no effect.

Exploits have been discovered recently about abusing an opened window
and history to be able to guess the cross-origin url using the history
API. See:
https://bugs.chromium.org/p/chromium/issues/detail?id=1208614

Error pages were left out from the fix, because it would be inelegant
to insert error pages into history after a successful reload. That means
error pages can potentially be used to guess a cross-origin URL.

If in general this is acceptable, in our case its worse for two reasons:

  • COOP is used to protect pages that are usually more valuable or hold
    important data.
  • It is possible to reach an error page after response without relying
    on timing, etc.

Therefore we'd like to sever the opener when we fail after receiving a
response, if the target page did set COOP. Basically we'd like to change
the spec to enforce COOP even when we fail because of COOP+sandbox.

Spec discussion can be found here:
https://github.com/whatwg/html/issues/7345

On the implementation side, this patch adds the WPTs necessary to the
spec change, and the modified behavior. We set the COOP value before
the Sandbox + COOP failure to have access to it in the policy container.
We update the policy container inheritance for error pages, to take into
account COOP if it was set. That breaks the invariant of having all
error pages use "unsafe-none".

We only want error pages to sever their opener (and do things implied by
COOP), we never want them to end up in cross-origin isolated contexts.
We add an exception to the centralized computation of
WebExposedIsolationInfo to exclude error pages. They are never
considered cross-origin isolated.

This does not alter the reload behavior, as this only happens for cases
where reloads would not be successful anyway.

Bug: 1256823
Change-Id: Ic79623a2b752608bc46a031d1f567308441d42e0

Reviewed-on: https://chromium-review.googlesource.com/3293412
WPT-Export-Revision: 11357d6ccb739dbd4cd3ac107c2db9f523885844

Component: web-platform-tests → DOM: Core & HTML
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream error]
Whiteboard: [wptsync downstream error] → [wptsync downstream]

CI Results

Ran 11 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 1 tests and 2 subtests

Status Summary

Firefox

OK : 1
FAIL : 2

Chrome

OK : 1
FAIL : 2

Safari

TIMEOUT: 3

Links

Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base

Details

New Tests That Don't Pass

/html/cross-origin-opener-policy/coop-sandbox-cuts-opener.https.html
<iframe sandbox="allow-popups allow-scripts allow-same-origin"> Sandboxed Cross-Origin-Opener-Policy popup should cut the opener if necessary: FAIL (Chrome: FAIL, Safari: TIMEOUT)
<iframe sandbox="allow-popups allow-scripts"> Sandboxed Cross-Origin-Opener-Policy popup should cut the opener if necessary: FAIL (Chrome: FAIL, Safari: TIMEOUT)

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c76d22e7f14d
[wpt PR 31731] - [Fixit] Make sandbox + COOP break the opener., a=testonly
https://hg.mozilla.org/integration/autoland/rev/4b775b074d17
[wpt PR 31731] - Update wpt metadata, a=testonly
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch
You need to log in before you can comment on or make changes to this bug.