Opened 4 years ago
Last modified 2 years ago
#15954 new defect
Canvas permission and HTTP auth still use FQDN isolation
| Reported by: | mikeperry | Owned by: | tbb-team |
|---|---|---|---|
| Priority: | Medium | Milestone: | |
| Component: | Applications/Tor Browser | Version: | |
| Severity: | Normal | Keywords: | tbb-usability-website, tbb-linkability |
| Cc: | gk, brade, mcs, fdsfgs@… | Actual Points: | |
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: |
Description
In #15933, we relaxed our domain isolation to use TLD instead of FQDN, because FQDN isolation was breaking several sites. However, the HTTP auth and the canvas permissions were not using the same ThirdPartyUtil::GetFirstPartyHostForIsolation() API as everything else was.
We should fix their behavior to use TLD isolation for consistency. I bet some sites will still break due to FQDN isolated HTTP auth in particular..
Child Tickets
Change History (8)
comment:1 Changed 4 years ago by
| Cc: | gk added |
|---|
comment:2 Changed 4 years ago by
| Cc: | brade mcs added |
|---|
comment:3 Changed 4 years ago by
comment:4 Changed 4 years ago by
comment:5 Changed 2 years ago by
| Severity: | → Normal |
|---|
Ticket for adding to Mozilla first-party isolation effort.
comment:6 Changed 2 years ago by
| Keywords: | tbb-linkability added |
|---|
Do we have a testcase for this showing that it is still an issue? Even with the patches landed in mozilla52?
comment:7 Changed 2 years ago by
gk: Try making yourself an account on addons.mozilla.org and log in.
comment:8 Changed 2 years ago by
| Cc: | fdsfgs@… added |
|---|
Note: See
TracTickets for help on using
tickets.
The FQDN HTTP auth check here might actually be the root cause of #14089.