Bug 1858143 - "has storage access" should only persist during navigat…

…ions that do not change the iframe's window origin - r=anti-tracking-reviewers,smaug,pbz

Minor correction from https://phabricator.services.mozilla.com/D184821.
The definition of "same-origin" used in that patch was that the iframe's origin after navigation is the same as the triggering principal.
This was incorrect.
Instead, the origin of the iframe before navigation should be the same as after navigation, which is the frame's document principal at the time this is called.

Also, I found places where I missed adding the new fields to the loadinfo: LocationBase and nsFrameLoader.
And I added the redirect tainting check and a missing nullcheck before calling SetTriggeringWindowId in nsDocShell.

Differential Revision: https://phabricator.services.mozilla.com/D190577

docshell/base/nsDocShell.cpp

@@ -10453,7 +10453,9 @@ nsresult nsDocShell::DoURILoad(nsDocShellLoadState* aLoadState,
     if (context->HasValidTransientUserGestureActivation()) {
       aLoadState->SetHasValidUserGestureActivation(true);
     }
-    aLoadState->SetTriggeringWindowId(context->Id());
+    if (!aLoadState->TriggeringWindowId()) {
+      aLoadState->SetTriggeringWindowId(context->Id());
+    }
     if (!aLoadState->TriggeringStorageAccess()) {
       Document* contextDoc = context->GetExtantDoc();
       if (contextDoc) {

dom/base/LocationBase.cpp

@@ -108,6 +108,9 @@ already_AddRefed<nsDocShellLoadState> LocationBase::CheckURL(
   loadState->SetHasValidUserGestureActivation(
       doc->HasValidTransientUserGestureActivation());
 
+  loadState->SetTriggeringWindowId(doc->InnerWindowID());
+  loadState->SetTriggeringStorageAccess(doc->UsingStorageAccess());
+
   return loadState.forget();
 }
 

dom/base/nsFrameLoader.cpp

@@ -714,6 +714,12 @@ nsresult nsFrameLoader::ReallyStartLoadingInternal() {
 
     loadState->SetFirstParty(false);
 
+    Document* ownerDoc = mOwnerContent->OwnerDoc();
+    if (ownerDoc) {
+      loadState->SetTriggeringStorageAccess(ownerDoc->UsingStorageAccess());
+      loadState->SetTriggeringWindowId(ownerDoc->InnerWindowID());
+    }
+
     // If we're loading the default about:blank document in a <browser> element,
     // prevent the load from causing a process switch by explicitly overriding
     // remote type selection.

toolkit/components/antitracking/AntiTrackingUtils.cpp

@@ -7,6 +7,7 @@
 #include "AntiTrackingUtils.h"
 
 #include "AntiTrackingLog.h"
+#include "HttpBaseChannel.h"
 #include "mozilla/BasePrincipal.h"
 #include "mozilla/Components.h"
 #include "mozilla/dom/BrowsingContext.h"
@@ -28,6 +29,7 @@
 #include "nsIURI.h"
 #include "nsNetUtil.h"
 #include "nsPIDOMWindow.h"
+#include "nsQueryObject.h"
 #include "nsRFPService.h"
 #include "nsSandboxFlags.h"
 #include "nsScriptSecurityManager.h"
@@ -546,31 +548,46 @@ AntiTrackingUtils::GetStoragePermissionStateInParent(nsIChannel* aChannel) {
     return nsILoadInfo::HasStoragePermission;
   }
 
+  WindowContext* wc = bc->GetCurrentWindowContext();
+  if (!wc) {
+    return nsILoadInfo::NoStoragePermission;
+  }
+  WindowGlobalParent* wgp = wc->Canonical();
+  if (!wgp) {
+    return nsILoadInfo::NoStoragePermission;
+  }
+  nsIPrincipal* framePrincipal = wgp->DocumentPrincipal();
+  if (!framePrincipal) {
+    return nsILoadInfo::NoStoragePermission;
+  }
+
   if (policyType == ExtContentPolicy::TYPE_SUBDOCUMENT) {
+    // For loads of framed documents, we only use storage access
+    // if the load is the result of a same-origin, self-initiated
+    // navigation of the frame.
     uint64_t targetWindowIdNoTop = bc->GetCurrentInnerWindowId();
     uint64_t triggeringWindowId;
-    loadInfo->GetTriggeringWindowId(&triggeringWindowId);
-    bool triggeringStorageAccess;
-    loadInfo->GetTriggeringStorageAccess(&triggeringStorageAccess);
-    if (targetWindowIdNoTop == triggeringWindowId && triggeringStorageAccess &&
-        trackingPrincipal->Equals(loadInfo->TriggeringPrincipal())) {
-      return nsILoadInfo::HasStoragePermission;
-    }
-  } else if (!bc->IsTop()) {
-    // For subframe resources, check if the document has storage access
-    // and that the resource being loaded is same-site to the page.
-    WindowContext* wc = bc->GetCurrentWindowContext();
-    if (!wc) {
+    rv = loadInfo->GetTriggeringWindowId(&triggeringWindowId);
+    if (NS_WARN_IF(NS_FAILED(rv))) {
       return nsILoadInfo::NoStoragePermission;
     }
-    WindowGlobalParent* wgp = wc->Canonical();
-    if (!wgp) {
+    bool triggeringWindowHasStorageAccess;
+    rv =
+        loadInfo->GetTriggeringStorageAccess(&triggeringWindowHasStorageAccess);
+    if (NS_WARN_IF(NS_FAILED(rv))) {
       return nsILoadInfo::NoStoragePermission;
     }
-    nsIPrincipal* framePrincipal = wgp->DocumentPrincipal();
-    if (!framePrincipal) {
-      return nsILoadInfo::NoStoragePermission;
+    RefPtr<net::HttpBaseChannel> httpChannel = do_QueryObject(aChannel);
+
+    if (targetWindowIdNoTop == triggeringWindowId &&
+        triggeringWindowHasStorageAccess &&
+        trackingPrincipal->Equals(framePrincipal) && httpChannel &&
+        !httpChannel->HasRedirectTaintedOrigin()) {
+      return nsILoadInfo::HasStoragePermission;
     }
+  } else if (!bc->IsTop()) {
+    // For subframe resources, check if the document has storage access
+    // and that the resource being loaded is same-site to the page.
     bool isThirdParty = true;
     nsresult rv = framePrincipal->IsThirdPartyURI(trackingURI, &isThirdParty);
     if (NS_SUCCEEDED(rv) && wc->GetUsingStorageAccess() && !isThirdParty) {