Opened 6 years ago

Closed 5 years ago

Last modified 5 years ago

#10285 closed task (fixed)

Write test pages for certain FF24 features

Reported by: mikeperry
Owned by: gk
Priority: High
Milestone:
Component: Firefox Patch Issues
Version:
Severity:
Keywords: ff24-esr, tbb-testcase
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

There are a couple of new Firefox features that may behave in unacceptable ways on some platforms. In particular, the web notifications API (https://developer.mozilla.org/en-US/docs/WebAPI/Using_Web_Notifications) could potentially introduce proxy bypass similar to what we saw with drag and drop URL sniffing by the OS Desktop.

Similarly, if https://developer.mozilla.org/en-US/docs/Web/API/ClipboardEvent.clipboardData is able to randomly inspect the clipboard, this could be very privacy invasive. We should ensure that the clipboard APIs either ask the user first, or otherwise only interact with clipboard data originating from that same page.

There were also some changes to the Download Manager in terms of how it executes helper apps, and to the external app launcher's threading behavior. We should verify that our external app blocker still asks the user for confirmation in these cases:
https://bugzilla.mozilla.org/show_bug.cgi?id=858234
https://bugzilla.mozilla.org/show_bug.cgi?id=789932

Finally, support for querying and inspecting font variants was introduced. Do our font limit counters still apply in that case? Should they?
https://bugzilla.mozilla.org/show_bug.cgi?id=549861

Change History (12)

comment:1 Changed 6 years ago by gk

Okay, the first test is here: https://people.torproject.org/~gk/clipboard.html
It shows that for some reason clipboardData data is only available for the paste event at the moment but that holds for cross-domain content as well. The unit tests to the bug introducing this new feature test copy and cut events as well but it might be that only chrome JS is allowed to get the data from them. I have not checked the patch closely enough. Note: checking type text/x-moz-url is missing for a full-blown test.
Setting "dom.event.clipboardevents.enabled" to "false" might be the easiest for an ad-hoc solution.

Last edited 6 years ago by gk

comment:3 Changed 6 years ago by gk

Here is the URL for the external helper apps hook tests (actually, currently only one):

https://people.torproject.org/~gk/externalhelper.html

While I plan to update it successively, I found an issue that is already existing in TBBs based on ESR17. If you start the download of the resources linked to in externalhelper.html the external helper app dialog is not popping up anymore as soon as you start to download the third file (while the download of the first two has not finished yet). But it should do so for all four files. It might be better to open a separate ticket for this issue but IMO that one should get fixed first as we otherwise don't know whether a bug we find is due to the new things in ESR24 or not (but maybe that does not matter much, dunno).

comment:4 Changed 6 years ago by gk

For web notifications see: https://people.torproject.org/~gk/webnotification.html. I could not find a proxy bypass on Linux both when loading the HTML file via file:/// and via https://. But it seems the permission state is not cleared properly with New Identity as I am not asked again to give permission for the notification even if I only opted in for a session-wide permission.

comment:5 Changed 6 years ago by gk

Font feature properties are not so urgent to check (at least not for Fx24-ESR) as they are disabled on the release branch with "layout.css.font-features.enabled" set to "false". See #10299 for the new ticket.

comment:6 in reply to:  4 Changed 6 years ago by gk

Replying to gk:

For web notifications see: https://people.torproject.org/~gk/webnotification.html. I could not find a proxy bypass on Linux both when loading the HTML file via file:/// and via https://. But it seems the permission state is not cleared properly with New Identity as I am not asked again to give permission for the notification even if I only opted in for a session-wide permission.

I can't see any proxy bypass on my old Mac 10.6.8 either. The same holds for an Ubuntu 12.04 with Unity.

comment:7 in reply to:  3 Changed 6 years ago by gk

Replying to gk:

Here is the URL for the external helper apps hook tests (actually, currently only one):

https://people.torproject.org/~gk/externalhelper.html

While I plan to update it successively, I found an issue that is already existing in TBBs based on ESR17. If you start the download of the resources linked to in externalhelper.html the external helper app dialog is not popping up anymore as soon as you start to download the third file (while the download of the first two has not finished yet). But it should do so for all four files. It might be better to open a separate ticket for this issue but IMO that one should get fixed first as we otherwise don't know whether a bug we find is due to the new things in ESR24 or not (but maybe that does not matter much, dunno).

I can't reproduce that anymore, for whatever reason.

comment:8 in reply to: 4 Changed 6 years ago by gk

Replying to gk:

But it seems the permission state is not cleared properly with New Identity as I am not asked again to give permission for the notification even if I only opted in for a session-wide permission.

Permissions are not cleared at all on New Identity currently. But that would be easily doable with:

  let pm = Cc["@mozilla.org/permissionmanager;1"].
           getService(Ci.nsIPermissionManager);
  pm.removeAll();

That helps in the web notification case, too...

comment:9 Changed 6 years ago by mikeperry

Keywords: tbb-testcase added

comment:10 in reply to:  8 Changed 6 years ago by gk

Replying to gk:

Replying to gk:

But it seems the permission state is not cleared properly with New Identity as I am not asked again to give permission for the notification even if I only opted in for a session-wide permission.

Permissions are not cleared at all on New Identity currently. But that would be easily doable with:

  let pm = Cc["@mozilla.org/permissionmanager;1"].
           getService(Ci.nsIPermissionManager);
  pm.removeAll();

That helps in the web notification case, too...

That bug is handled in #10374.

comment:11 Changed 5 years ago by gk

Resolution: fixed
Status: new → closed

Closing as this was more an ad-hoc task for making sure ESR 24 has no bad surprises. "tbb-testcase" is the reminder to write proper tests using Mozilla's (unit)test infrastructure.

comment:12 in reply to:  1 Changed 5 years ago by gk

Replying to gk:

Okay, the first test is here: https://people.torproject.org/~gk/clipboard.html
It shows that for some reason clipboardData data is only available for the paste event at the moment but that holds for cross-domain content as well. The unit tests to the bug introducing this new feature test copy and cut events as well but it might be that only chrome JS is allowed to get the data from them. I have not checked the patch closely enough. Note: checking type text/x-moz-url is missing for a full-blown test.
Setting "dom.event.clipboardevents.enabled" to "false" might be the easiest for an ad-hoc solution.

This has its own ticket now: #10593.
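
The check discussed in comment:1 and comment:12, written out as an added example; it is not the code of clipboard.html and not part of this ticket. It reports which of the copy, cut and paste events expose clipboardData to page script, and it also probes text/x-moz-url, the type the comment notes as missing. The names inspectClipboardEvent, describe and PROBE_TYPES are made up for this sketch, and only the type and length of any readable data are recorded.

```javascript
// Added example for a browser test page; not taken from clipboard.html.
// MIME types to probe; text/x-moz-url is the one the ticket notes as untested.
const PROBE_TYPES = ["text/plain", "text/html", "text/x-moz-url"];

// Summarise what a clipboard event exposes to page script, recording only
// the type and length of readable data, never the content itself.
function inspectClipboardEvent(event) {
  const cd = event.clipboardData;
  if (!cd) {
    return { event: event.type, exposed: false, types: [] };
  }
  const types = [];
  for (const type of PROBE_TYPES) {
    let data = "";
    try {
      data = cd.getData(type) || "";
    } catch (e) {
      // Treat an exception on access as "nothing readable" for this type.
      data = "";
    }
    if (data.length > 0) types.push({ type, length: data.length });
  }
  return { event: event.type, exposed: types.length > 0, types };
}

// Format one result line for the page's log.
function describe(result) {
  if (!result.exposed) return result.event + ": no clipboard data readable";
  const parts = result.types.map(t => t.type + " (" + t.length + " chars)");
  return result.event + ": readable -> " + parts.join(", ");
}

// In a browser, hook all three events; outside a browser this is skipped.
if (typeof document !== "undefined") {
  for (const name of ["copy", "cut", "paste"]) {
    document.addEventListener(name, ev => {
      const line = document.createElement("div");
      line.textContent = describe(inspectClipboardEvent(ev));
      document.body.appendChild(line);
    });
  }
}
```

To exercise the cross-domain case from comment:1, copy text on a page from another origin and paste it into the test page; with "dom.event.clipboardevents.enabled" set to "false" no line should be logged at all.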
