Closed Bug 1876504 Opened 5 months ago Closed 2 months ago

With storage access granted, nested iframe is loaded without cookies

Categories

(Core :: Privacy: Anti-Tracking, defect, P2)

defect

Tracking

()

RESOLVED FIXED
127 Branch
Tracking Status
firefox127 --- fixed

People

(Reporter: jsnajdr, Assigned: bvandersloot)

Details

Attachments

(1 file)

Steps to reproduce:

  1. Be logged in into a site like wordpress.com as first party, have first party cookies stored for the site.
  2. Go to a different site like example.blog which embeds an iframe from wordpress.com/embed.
  3. This iframe is loaded without cookies, because 3rd party cookies are blocked. That's expected.
  4. In the wordpress.com/embed iframe, request storage access with document.requestStorageAccess(). It's granted.
  5. Now, create a nested iframe in the wordpress.com/embed iframe, and load a same-origin document into it, like wordpress.com/helper.

What I expected:
The wordpress.com/helper iframe is loaded with the first-party cookies for wordpress.com, because access to them has been explicitly granted.

What actually happened:
There are no cookies on the wordpress.com/helper request. On the other hand, if I do exactly the same request using fetch('./helper'), the first-party cookies are there. It's only the iframe request that omits them.

Chrome, in the same situation, would always send the wordpress.com cookies. Both on same-origin nested iframe (wordpress.com/*) and also on same-site nested iframe (public-api.wordpress.com/*).

I'm using the latest Firefox Nightly 124.0a1 (2024-01-24) (64-bit)

The Bugbug bot thinks this bug should belong to the 'Core::Privacy: Anti-Tracking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → Privacy: Anti-Tracking
Product: Firefox → Core

Hello, and thank you for the report!

When you are reproducing this on Chrome, are you testing with third-party cookies disabled?

Flags: needinfo?(jsnajdr)

Hi Benjamin! Yes, in Chrome I'm testing with the "Block third-party cookies" option ON. I need to call requestStorageAccess in the embedded iframe in order to give it access to third-party cookies. Then both fetch and iframe src requests have the first-party cookies.

Flags: needinfo?(jsnajdr)

Ah, thank you! I will look into this- it does sound like a bug in our current implementation.

Flags: needinfo?(bvandersloot)
Assignee: nobody → bvandersloot
Attachment #9388778 - Attachment description: WIP: Bug 1876504 - Also allow a same-origin initiated iframe to get storage access from its parent - WIP → Bug 1876504 - Also allow a same-origin initiated iframe to get storage access from its parent - r=#anti-tracking!
Status: NEW → ASSIGNED

Following up- we follow the spec, but we are going to change the spec.

https://github.com/privacycg/storage-access/issues/197

Flags: needinfo?(bvandersloot)

After some discussion on the GitHub issue (https://github.com/privacycg/storage-access/issues/197#issuecomment-1988228533) I was able to work around this issue by reloading the frame after detecting that it doesn't have storage access.

Also, the behavior I reported here is probably not a bug after all. Originally I was not aware that the document that issues the load request for the iframe src URL is not the document that contains the iframe (and has storage access), but it's the contentDocument of the embedded frame. And that one doesn't have storage access until it explicitly asks for it.

By the way, after solving this problem, I immediately hit another problem that I believe is a Firefox bug: partitioned cookies (set with the Partitioned attribute) are not included in the document.cookie string: bug 1884648.

Severity: -- → S3
Priority: -- → P2
Pushed by bvandersloot@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b80c30fdafc6
Also allow a same-origin initiated iframe to get storage access from its parent - r=anti-tracking-reviewers,timhuang
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/45717 for changes under testing/web-platform/tests
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch
Upstream PR merged by moz-wptsync-bot
Upstream PR merged by moz-wptsync-bot
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: