Bug 815345 (Open) - opened 7 years ago, updated 9 months ago

Potential Session Restore issues with Content Policies

Product/Component: Firefox :: Security
Type: defect
Platform: x86 macOS
Reporter: tanvi
Assignee: Unassigned
References: Blocks 1 open bug
Keywords: helpwanted

(Notes from bsmith)
The question is basically whether the mixed content blocker works correctly during session restore. My interpretation of Honza's comment is that during session restore, we load the content without checking with the content policies. I don't know if that is true or not, and I don't know if that is OK or not with respect to the mixed content blocker.

> * Session Store Issues - > [bsmith] - Keep in mind that you must serialize
> the mixed content state somewhere to disk to properly accommodate session
> restore. Currently, we do this in a very horrible way, serializing the
> nsIAssociatedContentSecurity from the channel into the HTTP cache. However,
> that causes many problems, so trying to do anything similar to that is a
> step backwards.

See https://bugzilla.mozilla.org/show_bug.cgi?id=782654#c51 and https://bugzilla.mozilla.org/show_bug.cgi?id=782654#c53 for more context.
Summary: Potential Session Store issues with Content Policies → Potential Session Restore issues with Content Policies
Tested this out on nightly by doing the following:

I went to preferences->content and changed the pref to remember my tabs and windows from the last session.

Went to about:config and set the pref to block mixed active content to true.

* Went to the following pages:
** https://people.mozilla.com/~tvyas/mixeddisplay.html (mixed display page).  It showed the globe.
** https://people.mozilla.com/~bsterne/tests/62178/test.html (mixed script page).  It showed the shield icon.  I overrode the blocking by clicking Disable Protection and got the triangle icon.
** https://people.mozilla.com/~tvyas/mixedcontent.html (mixed script page).  It showed the shield, but I did not override blocking.
** https://people.mozilla.com/~tvyas/mixedcontent2.html (mixed script page).  It showed the shield icon.  I overrode the blocking by clicking Disable Protection and got the triangle icon.

* Quit the browser (through Command-Q or kill -9).

* Opened the browser.  All the tabs were open with the following states:
** https://people.mozilla.com/~tvyas/mixeddisplay.html - NO CHANGE
** https://people.mozilla.com/~bsterne/tests/62178/test.html - THE SHIELD AND LOCK ARE BACK.  Mixed active content does not load.
** https://people.mozilla.com/~tvyas/mixedcontent.html - NO CHANGE.
** https://people.mozilla.com/~tvyas/mixedcontent2.html - THE SHIELD AND LOCK ARE BACK.  Mixed active content does not load.

This looks pretty good to me.
I also tried this with a second window with 2 more mixed content tabs.

I removed the pref to remember my tabs and windows from the previous session, then used gdb to set a breakpoint in the MixedContentBlocker.  Then I clicked Restore Previous Session on the nightly start page.  The breakpoint was hit a number of times.

This implies that on Session Restore we do in fact go through the Content Policies, and hence session restore shouldn't be a problem for the Mixed Content Blocker.

I'm inclined to mark this works for me and close it.  Brian, let me know if you still have concerns.
You need to consider the case where the document has a script that loads from http://, and then the script deletes the script element from the DOM.
The problem occurs when there is a document.write.  Here is a test case that shows that on session restore, the user will see a lock instead of the mixed content triangle icon:
https://people.mozilla.com/~tvyas/sessionrestore.html