1 of 9

Origin Attributes

Tanvi Vyas

2 of 9

Firefox extended the Same Origin Policy with Origin Attributes

Origin Before: (scheme, host, port)
Origin Now: (scheme, host, port, originAttributes)

    struct OriginAttributes {
      uint32_t userContextId;       // Firefox Containers
      nsString FirstPartyDomain;    // First Party Isolation
      uint32_t mPrivateBrowsingId;  // Private Mode
      // nsString subOrigin;
      // boolean isolate-me;
      // uint32_t nextSecPrivPreservingIdea;
    }

Same Origin Policy Enforcement:
(https, example.com, 443, {userContextId=1}) != (https, example.com, 443, {userContextId=2})

3 of 9

Some Origin Examples

  • https://regular.com in a regular tab
    (https, regular.com, 443,
     {userContextId=0; mPrivateBrowsingId=0; FirstPartyDomain=''} )
  • https://shopping.com in the Shopping Container
    (https, shopping.com, 443,
     {userContextId=4; mPrivateBrowsingId=0; FirstPartyDomain=''} )
  • https://embedder.com has an iframe to https://embedded.com with First Party Isolation on
    (https, embedded.com, 443,
     {userContextId=0; mPrivateBrowsingId=0; FirstPartyDomain='embedder.com'} )
  • https://secret.com in a Private Window with First Party Isolation on
    (https, secret.com, 443,
     {userContextId=0; mPrivateBrowsingId=1; FirstPartyDomain='secret.com'} )

8 of 9

What is separated by Origin Attributes?

Almost everything that requires a Same Origin Policy check, including:

  • Cookies
  • Cache
  • LocalStorage
  • IndexedDB
  • HTTP Auth
  • DOM Access
  • TLS Connections
  • Service Workers
  • Broadcast Channels
  • User Certificates
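The following is an added illustration, not Firefox code: it models the extended origin tuple from slides 2 and 3 and shows how one partitioned store from the list above (a cookie jar) is keyed on the full origin. The field names follow the slide's struct and examples; the "^key=value&..." suffix shape and the CookieJar class are assumptions of this example, not Firefox's actual serialization or storage API.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <string>

// Modelled after the slide's struct; default values mean "regular tab".
struct OriginAttributes {
    uint32_t userContextId = 0;       // Firefox Containers (0 = default container)
    uint32_t mPrivateBrowsingId = 0;  // Private Mode (0 = normal window)
    std::string FirstPartyDomain;     // First Party Isolation ('' = off)

    bool operator==(const OriginAttributes& o) const {
        return userContextId == o.userContextId &&
               mPrivateBrowsingId == o.mPrivateBrowsingId &&
               FirstPartyDomain == o.FirstPartyDomain;
    }

    // Suffix appended to the classic origin so every storage key carries the
    // attributes. The "^key=value&..." shape is an assumption of this example;
    // default (zero / empty) attributes are omitted.
    std::string Suffix() const {
        std::string s;
        auto add = [&](const std::string& k, const std::string& v) {
            s += s.empty() ? "^" : "&";
            s += k + "=" + v;
        };
        if (userContextId != 0) add("userContextId", std::to_string(userContextId));
        if (mPrivateBrowsingId != 0) add("privateBrowsingId", std::to_string(mPrivateBrowsingId));
        if (!FirstPartyDomain.empty()) add("firstPartyDomain", FirstPartyDomain);
        return s;
    }
};

struct Origin {
    std::string scheme;
    std::string host;
    uint16_t port;
    OriginAttributes attrs;

    // Before Origin Attributes: (scheme, host, port).
    bool SameClassicOrigin(const Origin& o) const {
        return scheme == o.scheme && host == o.host && port == o.port;
    }
    // Now: (scheme, host, port, originAttributes).
    bool SameOrigin(const Origin& o) const {
        return SameClassicOrigin(o) && attrs == o.attrs;
    }
    // Key used by partitioned stores (cookies, cache, LocalStorage, ...).
    std::string Key() const {
        return scheme + "://" + host + ":" + std::to_string(port) + attrs.Suffix();
    }
};

// Toy cookie jar standing in for any of the stores listed on slide 8:
// an entry is only visible from an origin with the same key.
class CookieJar {
    std::map<std::string, std::map<std::string, std::string>> jars_;
public:
    void Set(const Origin& o, const std::string& name, const std::string& value) {
        jars_[o.Key()][name] = value;
    }
    // Returns "" when this origin has no such cookie.
    std::string Get(const Origin& o, const std::string& name) const {
        auto jar = jars_.find(o.Key());
        if (jar == jars_.end()) return "";
        auto c = jar->second.find(name);
        return c == jar->second.end() ? "" : c->second;
    }
};

// The four origins from slide 3.
Origin RegularTab()            { return {"https", "regular.com",  443, {}}; }
Origin ShoppingContainer()     { return {"https", "shopping.com", 443, {4, 0, ""}}; }
Origin EmbeddedUnderEmbedder() { return {"https", "embedded.com", 443, {0, 0, "embedder.com"}}; }
Origin PrivateWithFPI()        { return {"https", "secret.com",   443, {0, 1, "secret.com"}}; }

// Slide 2's inequality: the same site in two containers passes the classic
// check but fails the extended one.
bool ContainersAreIsolated() {
    Origin a{"https", "example.com", 443, {1, 0, ""}};
    Origin b{"https", "example.com", 443, {2, 0, ""}};
    return a.SameClassicOrigin(b) && !a.SameOrigin(b);
}

// With First Party Isolation, a cookie set by embedded.com inside embedder.com
// is not visible to embedded.com inside a different first party.
bool FirstPartyIsolationSplitsCookies() {
    CookieJar jar;
    Origin underEmbedder = EmbeddedUnderEmbedder();
    Origin underOther{"https", "embedded.com", 443, {0, 0, "other.com"}};  // constructed
    jar.Set(underEmbedder, "session", "abc");
    return jar.Get(underEmbedder, "session") == "abc" &&
           jar.Get(underOther, "session").empty();
}

int main() {
    for (const Origin& o : {RegularTab(), ShoppingContainer(), EmbeddedUnderEmbedder(), PrivateWithFPI()})
        std::cout << o.Key() << "\n";
    std::cout << "containers isolated: " << ContainersAreIsolated() << "\n";
    std::cout << "FPI splits cookies:  " << FirstPartyIsolationSplitsCookies() << "\n";
}
```

Keying every store on Key() rather than on the classic triple is the whole mechanism: no store needs its own notion of containers or private mode, it simply never sees a request whose key it does not hold.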

9 of 9

What is not separated by Origin Attributes (yet?)

  • Certificate Overrides
  • Permissions
  • Locally stored data not readily available to the web:
    • History
    • Bookmarks
    • Saved Search and Form Data
    • Saved Passwords

Depends on which Origin Attribute:

  • HSTS and HPKP
  • OCSP Responses