Closed Bug 1898427 Opened 1 month ago Closed 1 month ago

Enabling CHIPS after creating a partitioned cookie crashes the browser (EXC_BAD_ACCESS (SIGSEGV))

Categories

(Core :: Privacy: Anti-Tracking, defect, P3)

Tracking

RESOLVED FIXED
128 Branch
Tracking Status
firefox128 --- fixed

People

(Reporter: nchevobbe, Assigned: timhuang)

References

(Blocks 1 open bug)

Attachments

(2 files)

Attached file crash trace

Not sure how reproducible it is, but I got a few crashes while working on Bug 1895215

  1. With network.cookie.cookieBehavior.optInPartitioning set to true, and network.cookie.CHIPS.enabled set to false
  2. On any tab, open DevTools Console
  3. Evaluate document.cookie="foo=bar; Secure; Partitioned;"
  4. Then go to about:config and set network.cookie.CHIPS.enabled to true
  5. Go back to your tab and reload it

-> the browser crashes (see attachment)

Now, whenever I try to open the browser with this profile, I get an instant crash.

Summary: Enabling CHIPS after creating a partitioned cookie crashes the browser → Enabling CHIPS after creating a partitioned cookie crashes the browser (EXC_BAD_ACCESS (SIGSEGV))
Assignee: nobody → tihuang
Status: NEW → ASSIGNED
Blocks: chips
Severity: -- → S2
Priority: -- → P3

There are some situations in which we don't apply storage partitioning, such
as tracker requests, privileged requests, and extension requests. In these
cases, we don't need to apply CHIPS behavior. Otherwise, we will hit
certain assertions based on partitioning behavior.

In this patch, we also change how we determine if a request is
unpartitioned for HTTP requests and tackle an edge case for extension
requests.

Pushed by tihuang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9618551d3f9f
Only apply CHIPS behavior if storage partitioning is enabled for the context. r=bvandersloot,cookie-reviewers,anti-tracking-reviewers,edgul

Backed out for causing mochitests assertion failures in CookieService.cpp.

Flags: needinfo?(tihuang)
Depends on: 1899138
Flags: needinfo?(tihuang)
Pushed by tihuang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0f8c4fe70cab
Only apply CHIPS behavior if storage partitioning is enabled for the context. r=bvandersloot,cookie-reviewers,anti-tracking-reviewers,edgul
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch
Group: core-security

I assume that this bug is the same as bug 1896241? I don't have access to the other so I cannot see if there is a patch or marked as fixed because of the landing of this patch.

Group: core-security → core-security-release

(In reply to Henrik Skupin [:whimboo][⌚️UTC+1] from comment #6)

> I assume that this bug is the same as bug 1896241? I don't have access to the other so I cannot see if there is a patch or marked as fixed because of the landing of this patch.

Why do you say it is the same thing? Both look related to CHIPS but I'm not sure how they are the same thing.

Flags: needinfo?(hskupin)

Oh, you are right. Only the first frame for AppendElementsInternal from bug 1898700 was identical, which was duped against that before-mentioned bug that I'm not able to see. So please ignore my comment.

Flags: needinfo?(hskupin)
Group: core-security-release