Open Bug 1553105 Opened 5 years ago Updated 10 months ago

Only return an origin for schemes that are allowed in the URL spec

Categories

(Core :: Networking, task, P2)

Product:
Core
Component:
Networking
Type:
task

Tracking

()

People

(Reporter: valentin, Assigned: dotoole)

References

(Blocks 6 open bugs)

Details

(Whiteboard: [necko-triaged])

Attachments

(1 file, 3 obsolete files)

Bug 1553105 added a scheme check to return origins if scheme is allowed in URL spec. r=valentin
(deleted), text/x-phabricator-request
Details

It seems we have a bunch of tests that rely on chrome:// and moz-extension:// schemes having a non-null origin.
We should either fix the tests, or make sure that we properly address these exceptions.

There's a web-platform-test expecting the origin for a ssh URI to be null

Depends on D30711

In Thunderbird we're using a chrome:// origin to be able to store permissions for an email address. https://searchfox.org/comm-central/rev/f759b2f94ff3ef9057f58b9b2dc36fea7994bb9d/mailnews/base/util/mailnewsMigrator.js#155
It's of course a hack...

(In reply to Magnus Melin [:mkmelin] from comment #2)

In Thunderbird we're using a chrome:// origin to be able to store permissions for an email address.

Thanks for letting me know. We could ifdef the exceptions for Thunderbird, but I expect we'll have the same exceptions in m-c for a while ☺

Valentin,

We have an ongoing effort to bring new protocols like ipfs, dat, ssb, ... into Firefox via WebExtensions (tracked by bug 1271553). This change implies that all of them will get origin "null" which in turn would disable important web capabilities.

Any chance we could figure out a solution that would enable such new protocols to continue having origin ?

Hi Irakli,

Would it be OK if we just allow origins for dweb,dat,ipfs,ipns,ssb,wtp or do we need something more extensible?
I intend to land this along with bug 1603699

Flags: needinfo?(rFobic)

Hi Valentin,

I apologize for the delay in response. I have discussed this with @bz in the past and I believe we came to conclusion that ideally we’ll have a static list of protocols and RWLock protected dynamic list as a last resort for unknown protocol schemes. That should allow add-ons to experiment with different protocols without having to patch the Firefox.

More details can be found in Bug 1569733.

Flags: needinfo?(rFobic)

I think the way we should fix this is that there's a public origin (spec algorithm) and a private origin (that accounts for chrome:// and friends). In particular new URL() should do the right thing and not reveal we have special code for chrome://.

Severity: normal → S3
Blocks: 1603699
Duplicate of this bug: 1821343
Attachment #9337060 - Attachment description: Bug 1553105 added a scheme check to return origins if scheme is allowed in URL spec. r=valentin → Bug 1553105 added a scheme check to return origin if scheme is allowed in URL spec. r=valentin
Attachment #9337060 - Attachment description: Bug 1553105 added a scheme check to return origin if scheme is allowed in URL spec. r=valentin → Bug 1553105 added a scheme check to return origins if scheme is allowed in URL spec. r=valentin
Attachment #9066380 - Attachment is obsolete: true
Attachment #9337745 - Attachment is obsolete: true
Attachment #9337753 - Attachment is obsolete: true
Assignee: valentin.gosu → dotoole
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: