Closed Bug 1637035 Opened 4 years ago Closed 4 years ago

Window global should only inherit COEP for http or initial about:blank documents

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla79
Tracking Flags:
Tracking Status
firefox78 --- wontfix
firefox79 --- fixed

People

(Reporter: valentin, Assigned: edenchuang)

References

Details

Attachments

(1 file)

Bug 1637035 - Do not inherit COEP from opener for non-http or non-initial-about:blank documents
(deleted), text/x-phabricator-request
Details

https://phabricator.services.mozilla.com/D46903#inline-433725

We should probably be null-checking inherit here, because opener->GetCurrentWindowContext could be null.

I'm a little worried that this will cause us to inherit a COEP for non-http, non-initial-about:blank documents when we shouldn't be. Reading the logic from https://wicg.github.io/cross-origin-embedder-policy/#ref-for-creating-a-new-browsing-context, it looks like we should only inherit from our creator context for the initial about:blank document, and not after that, which is not what the code is doing right now.

Nika, I am not entirely sure in which other situations WindowGlobalActor::BaseInitializer is getting called. Could you provide an example?

Flags: needinfo?(nika)

Or maybe you mean cases when we have the opener, but the opener's windowContext has changed in between opening the window and when the global is actually created?

I tried to clarify this over zoom today.

The issue is that we call WindowGlobalActor::BaseInitializer for every window which is loaded, meaning that we'll end up calling it multiple times. This could allow it to observe multiple different opener values over time, and inherit the flag for document loads which shouldn't be inheriting.

Flags: needinfo?(nika)
Assignee: nobody → echuang
Assignee: echuang → valentin.gosu

Hi Jens, I thought I'd be able to make this work, but I don't think my understanding of DOM code is quite good enough.
Could you find someone else to work on this?
Thanks!

Flags: needinfo?(jstutte)

Eden, Tom ?

Flags: needinfo?(ttung)
Flags: needinfo?(jstutte)
Flags: needinfo?(echuang)

I will help on this.

Flags: needinfo?(echuang)
Flags: needinfo?(ttung)

Thanks!

Assignee: valentin.gosu → echuang
Attachment #9158108 - Attachment description: Bug 1637035 - Do not inherit COEP from opener for non-http or non-initial-about:blank documents → Bug 1637035 - Inherit opener's COEP for initial-about:blank document
Attachment #9158108 - Attachment description: Bug 1637035 - Inherit opener's COEP for initial-about:blank document → Bug 1637035 - Do not inherit COEP from opener for non-http or non-initial-about:blank documents
Pushed by nerli@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ec3fb1bc94ea
Do not inherit COEP from opener for non-http or non-initial-about:blank documents r=nika

https://hg.mozilla.org/mozilla-central/rev/ec3fb1bc94ea

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox79: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: