Opened 3 years ago
Last modified 18 months ago
#15954 new defect
Canvas permission and HTTP auth still use FQDN isolation
| Reported by: | mikeperry | Owned by: | tbb-team |
|---|---|---|---|
| Priority: | Medium | Milestone: | |
| Component: | Applications/Tor Browser | Version: | |
| Severity: | Normal | Keywords: | tbb-usability-website, tbb-linkability |
| Cc: | gk, brade, mcs, fdsfgs@… | Actual Points: | |
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: |
Description
In #15933, we relaxed our domain isolation to use TLD instead of FQDN, because FQDN isolation was breaking several sites. However, the HTTP auth and the canvas permissions were not using the same ThirdPartyUtil::GetFirstPartyHostForIsolation() API as everything else was.
We should fix their behavior to use TLD isolation for consistency. I bet some sites will still break due to FQDN isolated HTTP auth in particular..
Child Tickets
Change History (8)
comment:1 Changed 3 years ago by
| Cc: | gk added |
|---|
comment:2 Changed 3 years ago by
| Cc: | brade mcs added |
|---|
comment:3 Changed 3 years ago by
comment:4 Changed 3 years ago by
comment:5 Changed 22 months ago by
| Severity: | → Normal |
|---|
Ticket for adding to Mozilla first-party isolation effort.
comment:6 Changed 22 months ago by
| Keywords: | tbb-linkability added |
|---|
Do we have a testcase for this showing that it is still an issue? Even with the patches landed in mozilla52?
comment:7 Changed 19 months ago by
gk: Try making yourself an account on addons.mozilla.org and log in.
comment:8 Changed 18 months ago by
| Cc: | fdsfgs@… added |
|---|
Note: See
TracTickets for help on using
tickets.
The FQDN HTTP auth check here might actually be the root cause of #14089.