Open Bug 1961350 Opened 11 months ago Updated 11 months ago

[DNR] main_frame request without initiator should be firstParty, not thirdParty

Categories

(WebExtensions :: Request Handling, defect, P3)

Product:
WebExtensions
Component:
Request Handling
Type:
defect

Tracking

(Not tracked)

People

(Reporter: robwu, Unassigned, Mentored)

References

(Blocks 1 open bug)

Details

(Keywords: good-first-bug, Whiteboard: [wecg])

When we added support for domainType in DNR (bug 1797408), we matched Chrome's behavior.

Among the weirdness copied from Chrome was that the top-level document request (main_frame) is considered a third-party requests when the initiator is missing. This is implemented at https://searchfox.org/mozilla-central/rev/f3c8c63a097b61bb1f01e13629b9514e09395947/toolkit/components/extensions/ExtensionDNR.sys.mjs#1363-1366

In the WECG (https://github.com/w3c/webextensions/issues/731), we agreed that this case should be considered firstParty. Safari already has that behavior, and Chrome will change as well.

Note: this change only applies to missing initiators, not to the case where the initiator is an opaque origin (e.g. navigation from sandboxed iframe). See bug 1798225 for more details on the lack of support for matching opaque initiators.

Would be nice to get this into 140 because that is an ESR release, and we have cross-browser consensus that this is the direction to pursue.

Mentor: rob
Severity: -- → S3
Keywords: good-first-bug
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.