search

mozilla / multi-account-containers

Firefox Multi-Account Containers lets you keep parts of your online life separated into color-coded tabs that preserve your privacy. Cookies are separated by container, allowing you to use the web with multiple identities or accounts simultaneously.
https://addons.mozilla.org/firefox/addon/multi-account-containers/
Mozilla Public License 2.0
2.64k stars 322 forks source link

`window.postMessage()` doesn't work across containers #2566

Open youk opened 10 months ago

youk commented 10 months ago

Before submitting a bug report

Step to reproduce

window.postMessage() doesn't seem to work across tabs opened in different containers. A simple sequence like

const targetWindow = window.open('target.html')
setTimeout(() => {
    targetWindow.postMessage('test', '*')
}, 1000)

doesn't deliver the message to the listener in target.html.

Is this intended behavior? postMessage() is supposed to work across different origins by design. It is up to the receiving end whether to handle a message form a particular sender or ignore it.

Actual behavior

Messages sent via postMessage() to a tab opened in different container aren't received.

Expected behavior

postMessage() works across containers.

Additional informations

No response

Provide a copy of Troubleshooting Information page (optional)

No response

ngdangtu-vn commented 9 months ago

Shouldn't this be a feature for security?

youk commented 9 months ago

Where exactly is the security part? postMessage() won't work OOTB, it requires explicit configuration on the receiving end.

ngdangtu-vn commented 9 months ago

Isn't the point of Container is isolate the tab from the rest? If the postMessage() function can send data to other tabs in different containers then the Container is failed in isolating right? It can send data meant it can send cookie as well (get cookie turn to a simple string and send through postMessage()). All the site can use this trick to pass by Container and tracking user.

If postMessage() is allowed, Container becomes useless immediately. I disagree that this is a bug.

BrtnikFM commented 7 months ago

After storage partitioning there is no way to communicate between tabs. I considering it as critical bug, because there is no way how to allow it by directive or some other way. It's removing feature change.

groovecoder commented 7 months ago

Does this only happen when the Multi-Account Containers extension is installed? Or does it happen in any Firefox browser profile with containers enabled?

If it's a Firefox bug (not just this extension), please check bugzilla to see if the bug is already captured there. File a new one if it's not there.