Opened 3 years ago
Last modified 20 months ago
#15954 new defect
Canvas permission and HTTP auth still use FQDN isolation
| Reported by: | mikeperry | Owned by: | tbb-team |
|---|---|---|---|
| Priority: | Medium | Milestone: | |
| Component: | Applications/Tor Browser | Version: | |
| Severity: | Normal | Keywords: | tbb-usability-website, tbb-linkability |
| Cc: | gk, brade, mcs, fdsfgs@… | Actual Points: | |
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: |
Description
In #15933, we relaxed our domain isolation to use TLD instead of FQDN, because FQDN isolation was breaking several sites. However, the HTTP auth and the canvas permissions were not using the same ThirdPartyUtil::GetFirstPartyHostForIsolation() API as everything else was.
We should fix their behavior to use TLD isolation for consistency. I bet some sites will still break due to FQDN isolated HTTP auth in particular..
Child Tickets
Change History (8)
comment:1 Changed 3 years ago by
| Cc: | gk added |
|---|
comment:2 Changed 3 years ago by
| Cc: | brade mcs added |
|---|
comment:3 Changed 3 years ago by
comment:4 Changed 3 years ago by
comment:5 Changed 2 years ago by
| Severity: | → Normal |
|---|
Ticket for adding to Mozilla first-party isolation effort.
comment:6 Changed 2 years ago by
| Keywords: | tbb-linkability added |
|---|
Do we have a testcase for this showing that it is still an issue? Even with the patches landed in mozilla52?
comment:7 Changed 21 months ago by
gk: Try making yourself an account on addons.mozilla.org and log in.
comment:8 Changed 20 months ago by
| Cc: | fdsfgs@… added |
|---|
Note: See
TracTickets for help on using
tickets.
The FQDN HTTP auth check here might actually be the root cause of #14089.