Allow storage in 1p iframes, regardless of the relative parents of that 1p iframe #9105

Closed
pes10k opened this issue Apr 9, 2020 · 3 comments · Fixed by brave/brave-core#5433

pes10k commented Apr 9, 2020

Currently storage is blocked in 3p frames, where 3p-ness is determined relative to the parent frame. So, all the following are true:

3p frames get no storage

https://example.com <-- storage
  <iframe src="//other.com"> <-- no storage

same origin frames get storage

https://example.com <-- storage
  <iframe src="//example.com"> <-- storage
      <iframe src="//other.com"> <-- no storage

frames that have the same origin as the top level document, but are embedded in a 3p frame, also don't get storage.

https://example.com <-- storage
  <iframe src="//other.com"> <-- no storage
      <iframe src="//example.com"> <-- ALSO no storage

This breaks some sites, especially WordPress's dashboard, which has the following pattern:

https://yoursite.wordpress.com
  <iframe src="//api.wp.com"> <-- no storage
      <iframe src="//yoursite.wordpress.com"> <-- ALSO no storage

We can unbreak WordPress here by changing the storage rule to be: frames get storage if they're the same eTLD+1 as the top level document, regardless of immediate parent document.

This doesn't add any direct privacy loss, but as a side effect of unbreaking sites, might also re-enable some privacy-harming flows.

Related: #9064

@pes10k pes10k added webcompat/not-shields-related Sites are breaking because of something other than Shields. feature/cookies Webcompat issue resolved labels Apr 9, 2020
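
Added example, not part of the issue thread and not Brave's code: a small model of the two storage rules described in the comment above, evaluated over the frame chains it lists, so the frames whose storage decision changes can be enumerated. The suffix set, the function names, and the use of eTLD+1 for the parent-relative comparison are assumptions made for illustration.

```javascript
// Constructed stand-in for the Public Suffix List; a real check needs the full list.
const SUFFIXES = new Set(["com", "co.uk"]);

// Registrable domain (eTLD+1): the longest matching suffix plus one more label.
function etldPlusOne(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      // i === 0 means the host is itself a suffix: no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

function sameSite(a, b) {
  const siteA = etldPlusOne(a);
  return siteA !== null && siteA === etldPlusOne(b);
}

// chain: hosts from the top-level document (index 0) down to the innermost frame.
// Rule the issue describes as current: party-ness relative to the immediate parent.
function storageParentRelative(chain) {
  return chain.map((host, i) => i === 0 || sameSite(host, chain[i - 1]));
}

// Proposed rule: compare each frame with the top-level document only.
function storageTopRelative(chain) {
  return chain.map((host) => sameSite(host, chain[0]));
}

// Indices of frames whose storage decision differs between the two rules.
function changedFrames(chain) {
  const before = storageParentRelative(chain);
  const after = storageTopRelative(chain);
  return chain.map((_, i) => i).filter((i) => before[i] !== after[i]);
}

// Frame chains taken from the patterns in the issue text.
const CHAINS = [
  ["example.com", "example.com", "other.com"],
  ["example.com", "other.com", "example.com"],
  ["yoursite.wordpress.com", "api.wp.com", "yoursite.wordpress.com"],
];
for (const chain of CHAINS) {
  console.log(chain.join(" > "), "changed frames:", changedFrames(chain));
}
```

Only the innermost first-party frame flips in the nested patterns; the intermediate third-party frame stays without storage under both rules.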

pes10k commented May 12, 2020

Fixed by @bridiver; this is fixed by brave/brave-core#5433

@pes10k pes10k closed this as completed May 12, 2020
@rebron rebron added this to the 1.10.x - Nightly milestone May 12, 2020
@LaurenWags
Member

@pes10k @bridiver does this require manual QA? If so, please add QA/Yes label and a test plan. If not, please add QA/No label. Thanks!

@LaurenWags
Member

Marking as QA/Blocked until there is a test plan.

@rebron rebron added QA/No and removed QA/Yes labels May 28, 2020
@rebron rebron changed the title from "Allow storage in 1p frames, regardless of the relative parents of that 1p frame" to "Allow storage in 1p iframes, regardless of the relative parents of that 1p iframe" May 29, 2020