94888 – Make plugins respect third-party storage blocking setting

Bug 94888 - Make plugins respect third-party storage blocking setting

Summary: Make plugins respect third-party storage blocking setting

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore Misc. (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Vicki Pfau

URL:
Keywords:	InRadar

Depends on:	95935
Blocks:
	Show dependency tree / graph

Reported:	2012-08-23 18:35 PDT by Vicki Pfau
Modified:	2012-09-05 22:48 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
Patch (9.84 KB, patch) 2012-08-23 18:38 PDT, Vicki Pfau	no flags	Details \| Formatted Diff \| Diff
Patch (16.87 KB, patch) 2012-08-29 18:26 PDT, Vicki Pfau	beidson: review+	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Vicki Pfau 2012-08-23 18:35:10 PDT

Plugins are a common vector for storing tracking data about a user. As we are implementing a setting for disallowing pages in a third-party context from accessing storage, plugins should be subject to the same restriction.

<rdar://problem/8830539>

Comment 1 Vicki Pfau 2012-08-23 18:38:15 PDT

Created attachment 160307 [details]
Patch

Comment 2 Vicki Pfau 2012-08-23 18:40:16 PDT

This patch works by forcing the plugin into private browsing mode when it's in a third-party context. I'm a bit concerned that it might not work exactly as desired because I'm not sure if it correctly handles private browsing mode changing.

The patch only applies for WK2 currently, as WebKit 1 doesn't have an API for this currently.

Comment 3 Adam Barth 2012-08-23 20:54:22 PDT

I don't know how private browsing mode works for plugins, but does this create a leak between normal and private modes?  For example, if I wanted to learn what someone was up to in private browsing mode, could I put a plugin in a third-party context and then get access to that information?

Comment 4 Vicki Pfau 2012-08-27 15:25:01 PDT

(In reply to comment #3)
> I don't know how private browsing mode works for plugins, but does this create a leak between normal and private modes?  For example, if I wanted to learn what someone was up to in private browsing mode, could I put a plugin in a third-party context and then get access to that information?

I talked to people who know more than me about how plugins work, and they say that this shouldn't be a concern. The private browsing context is only for the plugin and not the whole document, so document/page acts as if it's a normal (but third-party) context, and the plugin just can't read/write LSOs.

Comment 5 Adam Barth 2012-08-27 15:30:47 PDT

Comment on attachment 160307 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=160307&action=review

> Source/WebKit2/WebProcess/Plugins/PluginView.cpp:1265
> +    if (frame()->document() && !frame()->document()->securityOrigin()->canAccessPluginStorage(frame()->document()->topDocument()->securityOrigin()))

How can frame()->document() be 0?  That shouldn't be possible.

frame()->document()->topDocument() seems like needless indirection.  You're going to the Document, which just goes back to the Frame.  Why not just frame()->tree()->top()->document() ?

Comment 6 Adam Barth 2012-08-27 15:31:27 PDT

This patch is fine from my PoV, but I don't really know how isPrivateBrowsingEnabled is it's probably better if someone who knows about plug-ins does the official review.

Comment 7 Vicki Pfau 2012-08-27 15:59:09 PDT

(In reply to comment #5)
> (From update of attachment 160307 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=160307&action=review
> 
> > Source/WebKit2/WebProcess/Plugins/PluginView.cpp:1265
> > +    if (frame()->document() && !frame()->document()->securityOrigin()->canAccessPluginStorage(frame()->document()->topDocument()->securityOrigin()))
> 
> How can frame()->document() be 0?  That shouldn't be possible.

I didn't know if it was possible, so I added that check to be safe (I thought it was, but I guess not).

> frame()->document()->topDocument() seems like needless indirection.  You're going to the Document, which just goes back to the Frame.  Why not just frame()->tree()->top()->document() ?

I also didn't realize that you could just do this. I've been using topDocument() in all other locations, so I just did that here too. That might work better.

Comment 8 Adam Barth 2012-08-27 16:30:05 PDT

> I didn't know if it was possible, so I added that check to be safe (I thought it was, but I guess not).

It used to be possible, but it's not possible anymore.  Most code that null checks the document is doing so needlessly.

> > frame()->document()->topDocument() seems like needless indirection.  You're going to the Document, which just goes back to the Frame.  Why not just frame()->tree()->top()->document() ?
> 
> I also didn't realize that you could just do this. I've been using topDocument() in all other locations, so I just did that here too. That might work better.

topDocument() is fine when you're working with a Document as your context object.  If you've already got a Frame, there's no reason to traverse to the Document just to traverse back to the Frame.

Comment 9 Vicki Pfau 2012-08-29 18:26:58 PDT

Created attachment 161382 [details]
Patch

Comment 10 Brady Eidson 2012-08-30 13:50:43 PDT

Comment on attachment 161382 [details]
Patch

Please make sure to file a bug for the followup task of dynamically updating all interested parties when the state changes, as we discussed.

Comment 11 Vicki Pfau 2012-09-04 15:21:37 PDT

Committed r127513: <http://trac.webkit.org/changeset/127513>