Closed
Bug 1492607
Opened 6 years ago
Closed 6 years ago
Prevent postMessage communication across first-party when restrict_opener_access = true
Categories
(Core :: DOM: Security, defect, P3)
Core
DOM: Security
Tracking
()
RESOLVED
FIXED
mozilla65
Tracking | Status | |
---|---|---|
firefox65 | --- | fixed |
People
(Reporter: arthur, Assigned: timhuang)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1])
Attachments
(3 files)
STR:
Set "privacy.firstparty.isolate" to true.
Set "privacy.firstparty.isolate.restrict_opener_access" to true.
Open https://torpat.ch in a new tab.
In the web console, enter
let myWindow;
document.addEventListener("click", () => myWindow = window.open("https://arthuredelstein.net"));
Now click on the torpat.ch document and a new tab opens.
In the web console for each tab, write:
window.onmessage = e => console.log(e);
Now in the torpat.ch console, enter:
myWindow.postMessage("hello from torpat.ch", "*");
In the arthuredelstein.net console, enter:
window.opener.postMessage("hello from arthuredelstein.net", "*");
Expected results:
Communication should not happen between documents with a different first-party.
Actual result:
Messages can be passed in both directions.
Note: We should check the case where iframes open a new tab as well.
Comment 1•6 years ago
|
||
This seems like it has a very good chance of breaking FPI login flows. (ni-ing Steve just in case he happens to know off the top of his head based on his prior investigation.)
For the benefit of our users who have FPI turned on, I think we should be conservative with this change and make it preffed off by default. Granted, FPI is not a supported feature, but we appreciate the bug reports people provide about it, and annoying them all seems detrimental if it's easily avoidable. Also, it will give us an opportunity to slowly roll it out to ourselves and early testers and collect bug reports while not being deluged.
Reporter | ||
Comment 2•6 years ago
|
||
One idea we discussed, to mitigate the breaking of login flows, is to pop up a permissions doorhanger whenever either tab attempts a postMessage. The doorhanger can ask the user: "Would you like A.com to share information about you with B.com?" Then, depending on the user's answer, the message is either allowed to proceed or canceled.
This idea takes advantage of the asynchronous behavior of postMessage. I don't see any easy solution for synchronous access via window.opener.document.
Updated•6 years ago
|
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Assignee | ||
Updated•6 years ago
|
Assignee: nobody → tihuang
Assignee | ||
Comment 3•6 years ago
|
||
Assignee | ||
Comment 4•6 years ago
|
||
Depends on D8521
Updated•6 years ago
|
Attachment #9016626 -
Attachment description: Bug 1492607 - Part 2: Add a test case for assuring postMessage cannot post across OAs when the targetOrigin is "*." → Bug 1492607 - Part 2: Add a test case for assuring postMessage cannot post across OAs
Assignee | ||
Comment 5•6 years ago
|
||
Per discussion with Baku, we are not 100% sure about entirely blocking the postMessage across for FPI in our side since it may break websites, like SSO. But we pretty sure that Tor wants this, so I will add a pref for controlling the blocking behavior here.
Assignee | ||
Comment 6•6 years ago
|
||
It turns out this patch breaks a bunch of tests. Most of the cases are the chrome wants to post messages to content to do some test. For example, a browser chrome test uses ContentTask.spawn() to inject code to post a message to a private browsing window. Because of the injected code will be executed under the system principal and its OA mismatches with the OA of the private browsing window. So, it will hit the assertion.
I would suggest that we skip the check if the subject principal is the system principal.
Assignee | ||
Comment 7•6 years ago
|
||
It turns out that many tests are going to post Messages to content
from chrome with a mismatched OA. This patch exempt the check in that
case.
Depends on D8522
Assignee | ||
Comment 8•6 years ago
|
||
Pushed by tihuang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/dfc3795ef568
Part 1: Making postMessage to be aware of OAs when the targetOrigin is "*." r=arthuredelstein,baku
https://hg.mozilla.org/integration/autoland/rev/0b4b3d826b3f
Part 2: Add a test case for assuring postMessage cannot post across OAs r=arthuredelstein,baku
https://hg.mozilla.org/integration/autoland/rev/44cd913c18f8
Part 3: Exempting the check of OAs for postMessage with the target origin is '*' if it is coming from the system principal r=baku
Comment 10•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/dfc3795ef568
https://hg.mozilla.org/mozilla-central/rev/0b4b3d826b3f
https://hg.mozilla.org/mozilla-central/rev/44cd913c18f8
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox65:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
You need to log in
before you can comment on or make changes to this bug.
Description
•