Bug 1988751 - Forbid notification permission in nested first party iframes r=asuth

saschanaz · saschanaz · commit d42b499951c3 · 2025-09-24T13:20:27.000Z
Differential Revision: https://phabricator.services.mozilla.com/D265282
diff --git a/dom/notification/NotificationUtils.cpp b/dom/notification/NotificationUtils.cpp
@@ -97,7 +97,8 @@ bool IsNotificationForbiddenFor(nsIPrincipal* aPrincipal,
   if (outForeignByAncestorContext) {
     // nested first party
     ReportTelemetry(GleanLabel::eNestedFirstParty, aPurpose);
-    return false;
+    return StaticPrefs::
+        dom_webnotifications_forbid_nested_first_party_enabled();
   }
 
   // third party
diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml
@@ -5646,6 +5646,11 @@
   value: false
   mirror: always
 
+- name: dom.webnotifications.forbid_nested_first_party.enabled
+  type: RelaxedAtomicBool
+  value: true
+  mirror: always
+
 - name: dom.webnotifications.enabled
   type: RelaxedAtomicBool
   value: true
diff --git a/testing/web-platform/tests/notifications/cross-origin-nested.tentative.https.sub.html b/testing/web-platform/tests/notifications/cross-origin-nested.tentative.https.sub.html
@@ -56,11 +56,11 @@
 
 promise_test(async t => {
   const result = await promises.get("child");
-  assert_equals(result.permission, "granted", `should grant the permission`);
-  assert_true(result.shown, `notification should be shown`);
+  assert_equals(result.permission, "denied", `should deny the permission`);
+  assert_false(result.shown, `notification should not be shown`);
 
   const childRequestResult = await promises.get("childRequest");
-  assert_equals(childRequestResult.permission, "granted", "should accept the permission request");
+  assert_equals(childRequestResult.permission, "denied", "should deny the permission request");
 }, "nested first party iframe");
 
 promise_test(async t => {
@@ -71,7 +71,7 @@
 
 promise_test(async t => {
   const result = await promises.get("childWorker");
-  assert_equals(result.permission, "granted", `should grant the permission`);
-  assert_true(result.shown, `notification should be shown`);
+  assert_equals(result.permission, "denied", `should deny the permission`);
+  assert_false(result.shown, `notification should not be shown`);
 }, "nested first party worker");
 </script>

Original file line number	Diff line number	Diff line change
`@@ -97,7 +97,8 @@ bool IsNotificationForbiddenFor(nsIPrincipal* aPrincipal,`
`97`	`97`	`if (outForeignByAncestorContext) {`
`98`	`98`	`// nested first party`
`99`	`99`	`ReportTelemetry(GleanLabel::eNestedFirstParty, aPurpose);`
`100`		`- return false;`
	`100`	`+ return StaticPrefs::`
	`101`	`+ dom_webnotifications_forbid_nested_first_party_enabled();`
`101`	`102`	`}`
`102`	`103`
`103`	`104`	`// third party`