Make it possible to assign contextualIdentity's to the review tools doing page scraping

[hcs64]

As a paranoia/defense-in-depth measure, I have my Bugzilla and Phabricator accounts logged in only in an account container. Since Phabricator support moved to scraping a logged in page, it isn't working for me, I suspect due to it only being able to access an uncontained Phabricator login (as it works when I log in outside of a container).

Just a note for the backlog...

[mikeconley]

Interesting - I hadn't considered that case. It looks like there's a contextualIdentities API which can resolve to a cookie store, so perhaps we can add an option for a user to assign a contextualIdentity for each review tool.

[mozfreddyb]

Maybe the extension could take it one further and figure out which containers are assigned to those sites and use that identity for scraping?

[hcs64]

I got partway into implementing this, but ran into trouble when actually trying to use the cookies (since I can't read the HttpOnly values, nor set cookies programmatically). It should be possible to create a tab with the cookieStoreId and do the fetch() from a content script running there, but it seems like it would be a bit irritating to have the tab pop up. I might use a hidden tab but it sounds like there's UI around prompting the user to hide the tab.

The following works at least for detecting the cookie (must include the contextualIdentities permission):

const MULTI_ACCOUNT_CONTAINERS_EXTENSION_ID = "@testpilot-containers";

  async getCookieFromContainer(url, cookieName) {
    let assignment = await browser.runtime.sendMessage(
      MULTI_ACCOUNT_CONTAINERS_EXTENSION_ID,
      {
        url,
        method: "getAssignment",
      },
      {},
    );

    if (assignment && "userContextId" in assignment) {
      let cookieStoreId = "firefox-container-" + String(assignment.userContextId);
      return await browser.cookies.get({
        url,
        name: cookieName,
        storeId: cookieStoreId,
      });
    }
    return null;
  },

[hcs64]

Well, here's one terrible way to do it, adding a temporary web request rewriter to set the cookies: agashlin@a48db7f

Though this neatly bypasses all the other stuff containers provide.

[mikeconley]

I think I'll need this bug fixed in Gecko if we're going to do this properly.

[mikeconley]

Looks like the Gecko dependency is being fixed. I'll come back around to this when I get a few few hours.

[mikeconley]

I looked at this today, and it turns out that this bug wasn't enough. :( That bug allows WebExtensions to intercept network requests and get information about the contextual identity that they're using... but as far as I can tell, there's no way to initiate a network request with a particular contextual identity without actually opening a tab / window to do it.

I'm basically hitting the same issue that @hcs64 ran into.