Opened 3 years ago

Last modified 20 months ago

#15954 new defect

Canvas permission and HTTP auth still use FQDN isolation

Reported by: mikeperry Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-usability-website, tbb-linkability
Cc: gk, brade, mcs, fdsfgs@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

In #15933, we relaxed our domain isolation to use TLD instead of FQDN, because FQDN isolation was breaking several sites. However, the HTTP auth and the canvas permissions were not using the same ThirdPartyUtil::GetFirstPartyHostForIsolation() API as everything else was.

We should fix their behavior to use TLD isolation for consistency. I bet some sites will still break due to FQDN isolated HTTP auth in particular..

Child Tickets

Change History (8)

comment:1 Changed 3 years ago by gk

Cc: gk added

comment:2 Changed 3 years ago by mcs

Cc: brade mcs added

comment:3 Changed 3 years ago by mikeperry

The FQDN HTTP auth check here might actually be the root cause of #14089.

comment:4 in reply to:  description Changed 3 years ago by gk

Replying to mikeperry:

We should fix their behavior to use TLD isolation for consistency. I bet some sites will still break due to FQDN isolated HTTP auth in particular..

#16450 might be another case where this happens.

comment:5 Changed 2 years ago by bugzilla

Severity: Normal

Ticket for adding to Mozilla first-party isolation effort.

comment:6 Changed 2 years ago by gk

Keywords: tbb-linkability added

Do we have a testcase for this showing that it is still an issue? Even with the patches landed in mozilla52?

comment:7 Changed 21 months ago by vynX

gk: Try making yourself an account on addons.mozilla.org and log in.

comment:8 Changed 20 months ago by tokotoko

Cc: fdsfgs@… added
Note: See TracTickets for help on using tickets.