Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prune location.ancestorOrigins entries #33671

Open
fmarier opened this issue Oct 16, 2023 · 4 comments
Open

Prune location.ancestorOrigins entries #33671

fmarier opened this issue Oct 16, 2023 · 4 comments
Labels
OS/Android Fixes related to Android browser functionality OS/Desktop priority/P4 Planned work. We expect to get to it "soon". privacy

Comments

@fmarier
Copy link
Member

fmarier commented Oct 16, 2023

location.ancestorOrigins allows embedded pages to know the origin of all of the parent pages.

For example, if a.com iframes b.com which itself iframes c.com, then the innermost frame (c.com) can see: [b.com, a.com]

Previously, only the immediate parent was visible via the Referer header or document.referrer property.

Firefox has not yet implemented this, but is considering doing so in a way that does not leak a.com to c.com:

  • show the parent origin unless the referrer would be omitted based on a.com's referrer policy
  • only expose the number of other ancestor origins

In our example, Firefox would therefore hypothetically return [b.com, "null"] where "null" does include the quotes.
@fmarier fmarier added privacy OS/Android Fixes related to Android browser functionality OS/Desktop labels Oct 16, 2023
@fmarier
Copy link
Member Author

fmarier commented Oct 16, 2023

Test page: https://fmarier.com/referrer/frames.html

@ShivanKaul
Copy link
Collaborator

@pes10k suggested checking Chrome web data for prevalence.

@ShivanKaul ShivanKaul added the needs-investigation A bug not 100% confirmed/fixed label Oct 17, 2023
@pes10k
Copy link
Contributor

pes10k commented Oct 17, 2023

here is the chrome web data info: https://chromestatus.com/metrics/feature/timeline/popularity/823

TL;DR; it looks very uncommon, and so its either a very low risk, or Chrome stoped instrumenting it.

@fmarier fmarier removed the needs-investigation A bug not 100% confirmed/fixed label Oct 18, 2023
@fmarier fmarier mentioned this issue Nov 7, 2023
Closed
@ShivanKaul ShivanKaul added the priority/P4 Planned work. We expect to get to it "soon". label Nov 14, 2023
@tophf
Copy link

tophf commented Nov 30, 2023

or Chrome stoped instrumenting it.

Yes, it stopped in 2017, and can be enabled only explicitly by making a build with compile-time flags enable_blink_bindings_tracing, extended_tracing_enabled. You can see the new histogram by git-blaming the source.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
OS/Android Fixes related to Android browser functionality OS/Desktop priority/P4 Planned work. We expect to get to it "soon". privacy
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@pes10k @fmarier @tophf @ShivanKaul