Opened 4 years ago

Closed 3 years ago

#16326 closed defect (fixed)

Verify cache isolation for Request and Fetch APIs

Reported by: mikeperry Owned by: arthuredelstein
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ff45-esr, tbb-6.0a5, TorBrowserTeam201604R
Cc: gk, mcs, brade, arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Two new APIs were added for downloading remote resources: Request and Fetch(). They probably use the main HTTP content cache, but we should make sure.

https://developer.mozilla.org/en-US/docs/Web/API/GlobalFetch/fetch
https://developer.mozilla.org/en-US/docs/Web/API/Request

Child Tickets

Change History (13)

comment:1 Changed 4 years ago by gk

Cc: gk added

comment:2 Changed 4 years ago by gk

The fetch API is still disabled in ESR 38: https://bugzilla.mozilla.org/show_bug.cgi?id=1133861.

comment:3 Changed 4 years ago by mikeperry

Keywords: tbb-5.0a TorBrowserTeam201507 added

Tag the set of things we should have implemented before a full 5.0 launch, and add them to the July radar.

comment:4 Changed 4 years ago by mcs

Cc: mcs brade added

comment:5 Changed 4 years ago by arthuredelstein

The Fetch API is off by default until Firefox 39. We can turn it on for testing by setting "dom.enabled.fetch" to true in FF 38. Weirdly, I can't get fetch(...) to cache the responses it receives, even if I include the option {cache: "force-cache"}.

comment:6 Changed 4 years ago by mikeperry

Keywords: ff45-esr added; ff38-esr tbb-5.0a TorBrowserTeam201507 removed

Ah, the same pref covers both fetch() and Request. Pushing this out to ff45-esr.

comment:7 in reply to:  5 Changed 4 years ago by arthuredelstein

Replying to arthuredelstein:

The Fetch API is off by default until Firefox 39. We can turn it on for testing by setting "dom.enabled.fetch" to true in FF 38. Weirdly, I can't get fetch(...) to cache the responses it receives, even if I include the option {cache: "force-cache"}.

Even more weird... the response apparently is cached. I wrote a simple example:
https://arthuredelstein.github.io/tordemos/fetch-caching.html

On the network panel of the developer console, I can see a 304 (not modified) response on the second load after clearing the cache. However, the fetched file does not appear in about:cache anywhere. So there's something odd going on.

I'm going to postpone further work on this until ff45-esr.

Last edited 4 years ago by arthuredelstein (previous) (diff)

comment:8 Changed 3 years ago by gk

Keywords: tbb-6.0a5 added

comment:9 Changed 3 years ago by arthuredelstein

Cc: arthuredelstein added
Owner: changed from tbb-team to arthuredelstein
Severity: Normal
Status: newaccepted

comment:10 Changed 3 years ago by gk

Keywords: TorBrowserTeam201604 added

We want that for the alpha and the ESR 45 stable series.

comment:11 Changed 3 years ago by arthuredelstein

Keywords: TorBrowserTeam201604R added; TorBrowserTeam201604 removed
Status: acceptedneeds_review

Here's a patch for review that provides regression tests for first-party cache isolation with fetch:
https://github.com/arthuredelstein/tor-browser/commit/72de4dd2ec86517f3707fb2159876464291544ca

(Note this `16326+2` branch also contains a commit to fix #18741. Once both commits are applied, then all the tests in ./mach mochitest netwerk/test/browser/browser_cacheFirstParty.js pass.)

comment:12 Changed 3 years ago by arthuredelstein

I have updated this work, here: #18741::comment:8
Please disregard the version in comment:11 of this ticket.

comment:13 Changed 3 years ago by gk

Resolution: fixed
Status: needs_reviewclosed

Fixed with commit 3560a0c1a998f1e875e06bea15fb3d1203da385e on tor-browser-45.0.2esr-6.x-1, thanks!

Note: See TracTickets for help on using tickets.