COOP 'unsafe-allow-outgoing' doesn't allow interacting with popups
Categories
(Core :: DOM: Core & HTML, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox69 | --- | fixed |
People
(Reporter: arturjanc, Assigned: valentin)
References
Details
(Whiteboard: [necko-triaged])
Attachments
(1 file)
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Steps to reproduce:
Version: 69.0a1 (2019-05-27) [with the browser.tabs.remote.useCrossOriginOpenerPolicy config option set to True]
Reproduction steps:
- Go to https://arturjanc.com/cgi-bin/coop/ff-unsafe-allow-outgoing.py
- Click "Open popup"
Actual results:
Setting a COOP response header of Cross-Origin-Opener-Policy: same-origin unsafe-allow-outgoing
should allow auxiliary browsing contexts (popups) to live in the same browsing context group as the opener.
However, it seems like this currently doesn't work and the newly opened window loses access to its window.opener.
Details:
- Opener origin and COOP: arturjanc.com / same-origin unsafe-allow-outgoing
- Openee origin and COOP: victim.arturjanc.com / [none]
Expected results:
The newly opened window should keep a reference to its window.opener.
Updated•5 years ago
|
Assignee | ||
Comment 1•5 years ago
|
||
I think the problem is here [1]
We check if the document has a null principal to mean that it's about:blank, which probably isn't correct.
Updated•5 years ago
|
Assignee | ||
Comment 2•5 years ago
|
||
https://gist.github.com/annevk/6f2dd8c79c77123f39797f6bdac43f3e
If the result of comparing currentCOOP, currentOrigin, potentialCOOP, and potentialOrigin is false and one of the following is false
doc is the initial about:blank document
currentCOOP's unsafe-allow-outgoing is true
potentialCOOP is null
For the example in comment 0, even though unsafe-allow-outgoing is true
, the doc is the initial about:blank document
condition will still be false, so we end up switching processes.
Anne, can you verify that the conditions are correct?
Comment 3•5 years ago
|
||
So the popup starts as about:blank and then navigates to a document without COOP, right? Doesn't that mean that doc is the initial about:blank document, currentCOOP's unsafe-allow-outgoing is true, and potentialCOOP is null is true? So none are false?
Assignee | ||
Comment 4•5 years ago
|
||
(In reply to Anne (:annevk) from comment #3)
So the popup starts as about:blank and then navigates to a document without COOP, right?
That's what I would have expected too, but instead I get this:
doc origin:https://arturjanc.com/cgi-bin/coop/ff-unsafe-allow-outgoing.py
res origin: https://victim.arturjanc.com/cgi-bin/coop/new-window.py?coop=none
Nika, I get the document origin like this
documentOrigin = ctx->Canonical()->GetCurrentWindowGlobal()->DocumentPrincipal();
Is this correct, or is there another way of checking if this is a newly opened popup?
Comment 5•5 years ago
|
||
(In reply to Valentin Gosu [:valentin] (he/him) from comment #4)
Is this correct, or is there another way of checking if this is a newly opened popup?
Hmm, it depends on when this check is happening. The GetCurrentWindowGlobal()
property of the CanonicalBrowsingContext
is only updated async when the document itself is actually attached, so there's a chance that when you're doing the check you're observing an out-of-date WindowGlobalParent.
The other possibility is that there's a bug with how we determine the principal for a WindowGlobalParent, but I'm hoping that's not the case. It would imply that a single global can have multiple associated origins during its lifetime, which would be scary. The most likely situation if that is the case is that the principal is being delayed-initialized through some mechanism which should be modernized.
Assignee | ||
Comment 6•5 years ago
|
||
For a popup, the principal will be that of the opener, so we can't use that to
determine if the window is about:blank. Instead we use the documentURI.
Comment 7•5 years ago
|
||
You need another bit though, "initial" is important here. Otherwise navigating to about:blank would end up being some kind of escape, right?
Assignee | ||
Comment 8•5 years ago
|
||
(In reply to Anne (:annevk) from comment #7)
You need another bit though, "initial" is important here. Otherwise navigating to about:blank would end up being some kind of escape, right?
I am not sure if the "initial" bit is easy to figure out.
But that's a great point regarding navigating to about:blank - what I think happens at the moment - we load about:blank in the same process. The COOP stays the same. When attempting to navigate away from about:blank, the origin of about:blank shouldn't match the new origin, regardless of the policy, so we'd load always it in a new process.
I'll need to add a test for this.
Updated•5 years ago
|
Comment 10•5 years ago
|
||
bugherder |
Comment 11•5 years ago
|
||
bugherder |
Updated•5 years ago
|
Description
•