-
Notifications
You must be signed in to change notification settings - Fork 71
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Passbolt is not compatible with Firefox Multi-Account Containers #41
Comments
Hi @GotenXiao, I'm not familiar with this other extension, can you provide more details about what you mean by: "Passbolt is not correctly contained into a container tab.". Is it the same as the issue described here: #35 Thanks, |
No, I don't think that issue is related. The container tab extension is part of the Mozilla Contextual Identity Product that aims to be able to separate different browsing contexts into individual security sandboxes (e.g. work, personal, dodgy-site-A) so that tabs opened in each container cannot access resources from other containers. |
@GotenXiao yes I checked the page you linked. I'm just not understanding what you expect to happen with the sentence: "Passbolt is not correctly contained into a container tab." Passbolt is an extension, not just a webpage, therefore all the buisiness logic such as data storage (e.g. the keyring and user config), the critical operations (encryption, etc.) leaves in a "background page" not the page on the tab itself. See. https://developer.chrome.com/extensions/background_pages or https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Anatomy_of_a_WebExtension |
@GotenXiao I think what you expect is that there should be one passbolt storage and config running for each of the environment as defined per the information contained in another extension. I'm not saying this can't be done but this not part of the default architecture for web extension. |
Hello there, I configured my Passbolt account inside a container A. When I try to login to my account inside this container, it always redirects on the login page as if there was no login attempt. When I re-open the site in "No-container" mode the login works. |
When we login on the passbolt web page, we expect that the "authorization" cookies or whatever mechanism is used to keep the session open is accessible in the current container (and only this one), so use the current tab cookie store. It seems that the authentication is shared by both the web page and the plugin, so it affects the plugin too. I guess the plugin has to be aware of "contextualIdentities" to switch to the right cookie store depending on the tab. But then we would have to login on each container we need a password from passbolt. It may not be an issue. And it had the possibility to use different passbolt accounts for different contexts. |
Hello @dr4Ke, The cookie management is actually handled by the browser itself, as a typical request from the extension looks like this:
I'm unsure how/if there is way to alter that behavior without changing the session mechanism (e.g. to avoid using cookies). |
I just started using containers a month ago...they are really great. Today I noticed as @Kdecherf was sharing, that I could not login to the web page of my Passbolt server, while in a container tab. However, the extension logged in okay, and I was able to use it. Whenever I opened a new link from the extension it opened in a non-container tab, as expected. So, it's only a half deal breaker. The web side appears to be isolated from the extension. If the plugin could pass to the web something regarding which container it's in, that might give the web the right cookies to look for. This part from https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers:
|
is it possible for the extension to find out the container ID? Prepending cookies with the container ID / name or other identifier would work for this case without too much effort on developers' side. Update: Yes, it is possible to work with it once the extensions requests the appropriate permission: There is also an info on using specific identity cookie store ID. This will resolve the issues.
|
Any update on the proposed solution? |
I've created a task in our ticketing system to check this. Since this is a firefox only problem, it is on the slow track sorry. |
Hi @nekromoff, After further investigation, it seems that Firefox has shared the local storage of the browser extension with all containers and this problem is more complex to solve. Thanks |
I understand, but if the container ID is obtained and used to identify any
stored data (in the name), this provides required separation.
…On Mon, Jan 9, 2023 at 11:50 AM Benj1er ***@***.***> wrote:
Hi @nekromoff <https://github.com/nekromoff>,
I checked the solution you proposed, but this change did not solve all the
problems.
After further investigation, it seems that Firefox has shared the local
storage of the browser extension with all containers and this problem is
more complex to solve.
Thanks
—
Reply to this email directly, view it on GitHub
<#41 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACBHPTKYBDWEJAJ72FADSVDWRPUORANCNFSM4EUA56SA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Hello, If it is not possible to have a proper solution, it could be nice to tell the user to switch to the "main" container or display a warning (or something similar). |
@Benj1er Can you share what you did - is there a new branch for this? Manifest Permissions are currently not including either of the needed items: "permissions": [ |
@garrettboone there is no branch, Benjamin just did a quick test locally. We wanted to check if it was a quick win, but It would require further work on storage layer. We'll keep this in mind for the work we're doing on manifest v3. Currently firefox user base is not big enough for us to prioritise this item before the team gets bigger. |
Any update on this? a year and a half after the last update. One of the main reasons for using Passbolt is for privacy reasons (European company, GPDR compliant etc), most people use Firefox for privacy reasons too. The multi-account container extension is official and supported by Mozilla so it's supposed to be "popular" among the users. Thanks in advance!! |
Passbolt is not compatible with Firefox Multi-Account Containers
passbolt/passbolt
Docker image into a Rancher cluster - SSL termination on an haproxy load balancer for cluster ingress trafficWhat you did
When attempting to access a self-hosted Passbolt instance from within a tab container as part of Firefox Multi-Account Containers, authentication succeeds but is not held within the container. By opening a new tab that is not part of any container, the Passbolt interface appears as normal.
What happened
Passbolt is not correctly contained into a container tab.
What you expected to happen
Passbolt is correctly held within a container tab, potentially allowing the use of simultaneous use of different instances that are separated by the tab container context (e.g. work, personal), and preventing the leak of any credentials outside that container (helping to prevent potential theft of credentials from a rogue site).
The text was updated successfully, but these errors were encountered: