-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Manually rewrite cookies for container requests #687
base: master
Are you sure you want to change the base?
Conversation
Yup, this was also on my mind when I did the work for manifest v3. |
This is what we have now. Looking at the code in this PR we might be able to leverage the cookieID as a prefix to store cache. Assuming the ID is always the same from related tabs (I assume it is). We still need to implement a method that cleans up the cache after a while, but it gets us halfway there. |
Now that I'm looking at this again, there are security concerns with this solution. A malicious webpage could make a request to Reddit setting our cookie store header set and use that to send Reddit requests using credentials from other containers. This would require knowledge of the cookie store IDs ahead of time, but I would want to look into ways to mitigate this before releasing. |
Previously any request could have the cookie store ID header set, resulting in Toolbox sending cookies that the originator isn't supposed to have access to. By instead generating a random ID for the header value and storing the cookie store ID in an object keyed by this random value, we can ensure that only Toolbox requests will have their `Cookie` headers rewritten.
9d7e8a3 fixes the security concern by storing the Because of Chrome mv3 shenanigans, using local state here instead of |
Removing this bit of logic should probably also be part of this PR https://github.com/toolbox-team/reddit-moderator-toolbox/blob/master/extension/data/init.js#L145-L149 At least, I assume it also works with incognito windows. |
Just putting this here as a reference https://discord.com/channels/535490452066009090/535490452066009093/1105190131087982603 |
Fixes #98.
Works around Firefox's lack of support for
"incognito": "split"
by manually rewriting theCookie
header of outgoing requests to match the tab that initiated the request. This lets Toolbox work properly with Firefox private windows and containers.This is just a workaround for the request cookie behavior; notably, it doesn't split cache storage on the background page between cookie stores. Having different users logged in to different contexts will result in conflicting information being written back and forth in the cache. That will need more thought, and I think in an ideal world we would split the cache by logged-in user and allow multiple cookie stores with the same logged-in user to share the same cache, rather than naively splitting it based only on cookie store. There are probably other aspects of Toolbox that will need more thought for multi-user support, too.
This introduces two new permissions to the Firefox manifest only:
webRequest
andwebRequestBlocking
, which are required for the workaround.