Backed out 4 changesets (bug 1603969) for failing at /browser_startup_mainthreadio.js on a CLOSED TREE.

Backed out changeset c4d79087eef1 (bug 1603969) Backed out changeset 2c0198f3506c (bug 1603969) Backed out changeset c5ad252c525b (bug 1603969) Backed out changeset a334451b95eb (bug 1603969)
2019-12-19 02:08:09 +02:00 · 2019-12-19 02:08:09 +02:00 · bed8b9f116
--- a/browser/base/content/browser-siteProtections.js
+++ b/browser/base/content/browser-siteProtections.js
@ -779,7 +779,10 @@ var ThirdPartyCookies = {
    for (let perm of Services.perms.getAllForPrincipal(
      gBrowser.contentPrincipal
    )) {
-      if (perm.type == "3rdPartyStorage^" + origin) {
+      if (
+        perm.type == "3rdPartyStorage^" + origin ||
+        perm.type.startsWith("3rdPartyStorage^" + origin + "^")
+      ) {
        return perm.capability;
      }
    }
@ -796,7 +799,10 @@ var ThirdPartyCookies = {
    for (let perm of Services.perms.getAllForPrincipal(
      gBrowser.contentPrincipal
    )) {
-      if (perm.type == "3rdPartyStorage^" + origin) {
+      if (
+        perm.type == "3rdPartyStorage^" + origin ||
+        perm.type.startsWith("3rdPartyStorage^" + origin + "^")
+      ) {
        Services.perms.removePermission(perm);
      }
    }
--- a/browser/base/content/test/performance/browser_startup_mainthreadio.js
+++ b/browser/base/content/test/performance/browser_startup_mainthreadio.js
@ -267,7 +267,7 @@ const startupPhases = {
      condition: WIN || MAC,
      fsync: 7,
      stat: 26,
-      write: 40,
+      write: 38,
    },
    {
      // bug 975996
--- a/browser/base/content/test/siteProtections/browser.ini
+++ b/browser/base/content/test/siteProtections/browser.ini
@ -1,7 +1,6 @@
 [DEFAULT]
 support-files =
  head.js
-  !/browser/base/content/test/trackingUI/trackingPage.html

 [browser_protections_UI.js]
 fail-if = fission # Bug 1590696
--- a/browser/base/content/test/trackingUI/cookieServer.sjs
+++ b/browser/base/content/test/trackingUI/cookieServer.sjs
@ -2,19 +2,8 @@
 * http://creativecommons.org/publicdomain/zero/1.0/
 */

-// A 1x1 PNG image.
-// Source: https://commons.wikimedia.org/wiki/File:1x1.png (Public Domain)
-const IMAGE = atob("iVBORw0KGgoAAAANSUhEUgAAAAEAAAABAQMAAAAl21bKAAAAA1BMVEUAA" +
-                   "ACnej3aAAAAAXRSTlMAQObYZgAAAApJREFUCNdjYAAAAAIAAeIhvDMAAAAASUVORK5CYII=");
-
 function handleRequest(request, response) {
  response.setStatusLine(request.httpVersion, 200);
-  if (request.queryString &&
-      request.queryString.includes("type=image-no-cookie")) {
-    response.setHeader("Content-Type", "image/png", false);
-    response.write(IMAGE);
-  } else {
-    response.setHeader("Set-Cookie", "foopy=1");
-    response.write("cookie served");
-  }
+  response.setHeader("Set-Cookie", "foopy=1");
+  response.write("cookie served");
 }
--- a/browser/base/content/test/trackingUI/trackingAPI.js
+++ b/browser/base/content/test/trackingUI/trackingAPI.js
@ -4,15 +4,6 @@ function createIframe(src) {
  document.body.appendChild(ifr);
 }

-function createImage(src) {
-  let img = document.createElement("img");
-  img.src = src;
-  img.onload = () => {
-    parent.postMessage("done", "*");
-  };
-  document.body.appendChild(img);
-}
-
 onmessage = event => {
  switch (event.data) {
    case "tracking":
@ -50,11 +41,6 @@ onmessage = event => {
        "https://test1.example.org/browser/browser/base/content/test/trackingUI/cookieServer.sjs"
      );
      break;
-    case "image":
-      createImage(
-        "http://trackertest.org/browser/browser/base/content/test/trackingUI/cookieServer.sjs?type=image-no-cookie"
-      );
-      break;
    case "window-open":
      window.win = window.open(
        "http://trackertest.org/browser/browser/base/content/test/trackingUI/cookieServer.sjs",
--- a/dom/ipc/ContentParent.cpp
+++ b/dom/ipc/ContentParent.cpp
@ -5787,11 +5787,13 @@ mozilla::ipc::IPCResult ContentParent::RecvAutomaticStorageAccessCanBeGranted(
 mozilla::ipc::IPCResult
 ContentParent::RecvFirstPartyStorageAccessGrantedForOrigin(
    const Principal& aParentPrincipal, const Principal& aTrackingPrincipal,
-    const nsCString& aTrackingOrigin, const int& aAllowMode,
+    const nsCString& aTrackingOrigin, const nsCString& aGrantedOrigin,
+    const int& aAllowMode,
    FirstPartyStorageAccessGrantedForOriginResolver&& aResolver) {
  AntiTrackingCommon::
      SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess(
-          aParentPrincipal, aTrackingPrincipal, aTrackingOrigin, aAllowMode)
+          aParentPrincipal, aTrackingPrincipal, aTrackingOrigin, aGrantedOrigin,
+          aAllowMode)
          ->Then(GetCurrentThreadSerialEventTarget(), __func__,
                 [aResolver = std::move(aResolver)](
                     AntiTrackingCommon::FirstPartyStorageAccessGrantPromise::
--- a/dom/ipc/ContentParent.h
+++ b/dom/ipc/ContentParent.h
@ -1198,7 +1198,8 @@ class ContentParent final

  mozilla::ipc::IPCResult RecvFirstPartyStorageAccessGrantedForOrigin(
      const Principal& aParentPrincipal, const Principal& aTrackingPrincipal,
-      const nsCString& aTrackingOrigin, const int& aAllowMode,
+      const nsCString& aTrackingOrigin, const nsCString& aGrantedOrigin,
+      const int& aAllowMode,
      FirstPartyStorageAccessGrantedForOriginResolver&& aResolver);

  mozilla::ipc::IPCResult RecvStoreUserInteractionAsPermission(
--- a/dom/ipc/PContent.ipdl
+++ b/dom/ipc/PContent.ipdl
@ -1490,6 +1490,7 @@ parent:
    async FirstPartyStorageAccessGrantedForOrigin(Principal aParentPrincipal,
                                                  Principal aTrackingPrincipal,
                                                  nsCString aTrackingOrigin,
+                                                  nsCString aGrantedOrigin,
                                                  int aAllowMode)
          returns (bool unused);

--- a/extensions/permissions/nsPermissionManager.cpp
+++ b/extensions/permissions/nsPermissionManager.cpp
@ -882,7 +882,7 @@ void nsPermissionManager::Startup() {
 // nsPermissionManager Implementation

 #define PERMISSIONS_FILE_NAME "permissions.sqlite"
-#define HOSTS_SCHEMA_VERSION 11
+#define HOSTS_SCHEMA_VERSION 10

 // Default permissions are read from a URL - this is the preference we read
 // to find that URL. If not set, don't use any default permissions.
@ -1539,25 +1539,6 @@ nsresult nsPermissionManager::InitDB(bool aRemoveFile) {
        MOZ_FALLTHROUGH;

      case 9: {
-        rv = mDBConn->SetSchemaVersion(10);
-        NS_ENSURE_SUCCESS(rv, rv);
-      }
-
-        // fall through to the next upgrade
-        MOZ_FALLTHROUGH;
-
-      case 10: {
-        // Filter out the rows with storage access API permissions with a
-        // granted origin, and remove the granted origin part from the
-        // permission type.
-        rv = mDBConn->ExecuteSimpleSQL(NS_LITERAL_CSTRING(
-            "UPDATE moz_perms "
-            "SET type=SUBSTR(type, 0, INSTR(SUBSTR(type, INSTR(type, '^') + "
-            "1), '^') + INSTR(type, '^')) "
-            "WHERE INSTR(SUBSTR(type, INSTR(type, '^') + 1), '^') AND "
-            "SUBSTR(type, 0, 18) == \"storageAccessAPI^\";"));
-        NS_ENSURE_SUCCESS(rv, rv);
-
        rv = mDBConn->SetSchemaVersion(HOSTS_SCHEMA_VERSION);
        NS_ENSURE_SUCCESS(rv, rv);
      }
--- a/extensions/permissions/test/unit/test_permmanager_load_invalid_entries.js
+++ b/extensions/permissions/test/unit/test_permmanager_load_invalid_entries.js
@ -223,9 +223,9 @@ function run_test() {
  // Initialize the permission manager service
  var pm = Services.perms;

-  // The schema should be upgraded to 11, and a 'modificationTime' column should
+  // The schema should be upgraded to 10, and a 'modificationTime' column should
  // exist with all records having a value of 0.
-  Assert.equal(connection.schemaVersion, 11);
+  Assert.equal(connection.schemaVersion, 10);

  let select = connection.createStatement(
    "SELECT modificationTime FROM moz_perms"
--- a/extensions/permissions/test/unit/test_permmanager_migrate_10-11.js
+++ b/extensions/permissions/test/unit/test_permmanager_migrate_10-11.js
@ -1,193 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
-   http://creativecommons.org/publicdomain/zero/1.0/ */
-
-ChromeUtils.defineModuleGetter(
-  this,
-  "PlacesTestUtils",
-  "resource://testing-common/PlacesTestUtils.jsm"
-);
-
-var PERMISSIONS_FILE_NAME = "permissions.sqlite";
-
-function GetPermissionsFile(profile) {
-  let file = profile.clone();
-  file.append(PERMISSIONS_FILE_NAME);
-  return file;
-}
-
-add_task(async function test() {
-  /* Create and set up the permissions database */
-  let profile = do_get_profile();
-  Services.prefs.setCharPref("permissions.manager.defaultsUrl", "");
-
-  let db = Services.storage.openDatabase(GetPermissionsFile(profile));
-  db.schemaVersion = 10;
-
-  let stmt6Insert = db.createStatement(
-    "INSERT INTO moz_perms (" +
-      "id, origin, type, permission, expireType, expireTime, modificationTime" +
-      ") VALUES (" +
-      ":id, :origin, :type, :permission, :expireType, :expireTime, :modificationTime" +
-      ")"
-  );
-
-  let id = 0;
-
-  function insertOrigin(
-    origin,
-    type,
-    permission,
-    expireType,
-    expireTime,
-    modificationTime
-  ) {
-    let thisId = id++;
-
-    stmt6Insert.bindByName("id", thisId);
-    stmt6Insert.bindByName("origin", origin);
-    stmt6Insert.bindByName("type", type);
-    stmt6Insert.bindByName("permission", permission);
-    stmt6Insert.bindByName("expireType", expireType);
-    stmt6Insert.bindByName("expireTime", expireTime);
-    stmt6Insert.bindByName("modificationTime", modificationTime);
-
-    try {
-      stmt6Insert.execute();
-    } finally {
-      stmt6Insert.reset();
-    }
-
-    return {
-      id: thisId,
-      origin,
-      type,
-      permission,
-      expireType,
-      expireTime,
-      modificationTime,
-    };
-  }
-
-  insertOrigin(
-    "https://foo.com",
-    "storageAccessAPI^https://foo.com",
-    2,
-    0,
-    0,
-    0
-  );
-  insertOrigin(
-    "http://foo.com",
-    "storageAccessAPI^https://bar.com^https://foo.com",
-    2,
-    0,
-    0,
-    0
-  );
-  insertOrigin(
-    "http://foo.com",
-    "storageAccessAPI^https://bar.com^https://baz.com",
-    2,
-    0,
-    0,
-    0
-  );
-  insertOrigin("http://foo.com^inBrowser=1", "A", 2, 0, 0, 0);
-
-  // CLose the db connection
-  stmt6Insert.finalize();
-  db.close();
-  db = null;
-
-  let expected = [
-    ["https://foo.com", "storageAccessAPI^https://foo.com", 2, 0, 0, 0],
-    ["http://foo.com", "storageAccessAPI^https://bar.com", 2, 0, 0, 0],
-    ["http://foo.com", "storageAccessAPI^https://bar.com", 2, 0, 0, 0],
-    ["http://foo.com^inBrowser=1", "A", 2, 0, 0, 0],
-  ];
-
-  let found = expected.map(it => 0);
-
-  // Add some places to the places database
-  await PlacesTestUtils.addVisits(
-    Services.io.newURI("https://foo.com/some/other/subdirectory")
-  );
-  await PlacesTestUtils.addVisits(
-    Services.io.newURI("ftp://some.subdomain.of.foo.com:8000/some/subdirectory")
-  );
-  await PlacesTestUtils.addVisits(Services.io.newURI("ftp://127.0.0.1:8080"));
-  await PlacesTestUtils.addVisits(Services.io.newURI("https://localhost:8080"));
-
-  // This will force the permission-manager to reload the data.
-  Services.obs.notifyObservers(null, "testonly-reload-permissions-from-disk");
-
-  // Force initialization of the nsPermissionManager
-  for (let permission of Services.perms.all) {
-    let isExpected = false;
-
-    expected.forEach((it, i) => {
-      if (
-        permission.principal.origin == it[0] &&
-        permission.type == it[1] &&
-        permission.capability == it[2] &&
-        permission.expireType == it[3] &&
-        permission.expireTime == it[4]
-      ) {
-        isExpected = true;
-        found[i]++;
-      }
-    });
-
-    Assert.ok(
-      isExpected,
-      "Permission " +
-        (isExpected ? "should" : "shouldn't") +
-        " be in permission database: " +
-        permission.principal.origin +
-        ", " +
-        permission.type +
-        ", " +
-        permission.capability +
-        ", " +
-        permission.expireType +
-        ", " +
-        permission.expireTime
-    );
-  }
-
-  found.forEach((count, i) => {
-    Assert.ok(
-      count == 1,
-      "Expected count = 1, got count = " +
-        count +
-        " for permission " +
-        expected[i]
-    );
-  });
-
-  // Check to make sure that all of the tables which we care about are present
-  {
-    db = Services.storage.openDatabase(GetPermissionsFile(profile));
-    Assert.ok(db.tableExists("moz_perms"));
-    Assert.ok(db.tableExists("moz_hosts"));
-    Assert.ok(!db.tableExists("moz_perms_v6"));
-
-    let mozHostsCount = db.createStatement("SELECT count(*) FROM moz_hosts");
-    try {
-      mozHostsCount.executeStep();
-      Assert.equal(mozHostsCount.getInt64(0), 0);
-    } finally {
-      mozHostsCount.finalize();
-    }
-
-    let mozPermsCount = db.createStatement("SELECT count(*) FROM moz_perms");
-    try {
-      mozPermsCount.executeStep();
-      Assert.equal(mozPermsCount.getInt64(0), expected.length);
-    } finally {
-      mozPermsCount.finalize();
-    }
-
-    db.close();
-  }
-});
--- a/extensions/permissions/test/unit/xpcshell.ini
+++ b/extensions/permissions/test/unit/xpcshell.ini
@ -30,5 +30,4 @@ skip-if = debug == true
 [test_permmanager_migrate_4-7_no_history.js]
 [test_permmanager_migrate_7-8.js]
 [test_permmanager_migrate_9-10.js]
-[test_permmanager_migrate_10-11.js]
 [test_permmanager_oa_strip.js]
--- a/netwerk/locales/en-US/necko.properties
+++ b/netwerk/locales/en-US/necko.properties
@ -44,7 +44,11 @@ CookieBlockedTracker=Request to access cookie or storage on “%1$S” was block
 CookieBlockedAll=Request to access cookie or storage on “%1$S” was blocked because we are blocking all storage access requests.
 CookieBlockedForeign=Request to access cookie or storage on “%1$S” was blocked because we are blocking all third-party storage access requests and content blocking is enabled.

+# LOCALIZATION NOTE (CookieAllowedForOriginOnTrackerByStorageAccessAPI): %3$S, %2$S and %1$S are URLs.
+CookieAllowedForOriginOnTrackerByStorageAccessAPI=Storage access granted for “%3$S” opened by tracker “%2$S” on “%1$S”.
 # LOCALIZATION NOTE (CookieAllowedForTrackerByStorageAccessAPI): %2$S and %1$S are URLs.
 CookieAllowedForTrackerByStorageAccessAPI=Storage access granted for tracker “%2$S” on “%1$S”.
+# LOCALIZATION NOTE (CookieAllowedForOriginOnTrackerByHeuristic): %3$S, %2$S and %1$S are URLs.
+CookieAllowedForOriginOnTrackerByHeuristic=Storage access automatically granted for “%3$S” opened by tracker “%2$S” on “%1$S”.
 # LOCALIZATION NOTE (CookieAllowedForTrackerByHeuristic): %2$S and %1$S are URLs.
 CookieAllowedForTrackerByHeuristic=Storage access automatically granted for tracker “%2$S” on “%1$S”.
--- a/toolkit/components/antitracking/AntiTrackingCommon.cpp
+++ b/toolkit/components/antitracking/AntiTrackingCommon.cpp
@ -128,6 +128,27 @@ void CreatePermissionKey(const nsCString& aTrackingOrigin,
  aPermissionKey.Append(aTrackingOrigin);
 }

+void CreatePermissionKey(const nsCString& aTrackingOrigin,
+                         const nsCString& aGrantedOrigin,
+                         nsACString& aPermissionKey) {
+  MOZ_ASSERT(aPermissionKey.IsEmpty());
+
+  if (aTrackingOrigin == aGrantedOrigin) {
+    CreatePermissionKey(aTrackingOrigin, aPermissionKey);
+    return;
+  }
+
+  static const nsLiteralCString prefix =
+      NS_LITERAL_CSTRING(ANTITRACKING_PERM_KEY "^");
+
+  aPermissionKey.SetCapacity(prefix.Length() + 1 + aTrackingOrigin.Length() +
+                             aGrantedOrigin.Length());
+  aPermissionKey.Append(prefix);
+  aPermissionKey.Append(aTrackingOrigin);
+  aPermissionKey.AppendLiteral("^");
+  aPermissionKey.Append(aGrantedOrigin);
+}
+
 // This internal method returns ACCESS_DENY if the access is denied,
 // ACCESS_DEFAULT if unknown, some other access code if granted.
 uint32_t CheckCookiePermissionForPrincipal(nsICookieSettings* aCookieSettings,
@ -443,6 +464,7 @@ void ReportBlockingToConsole(nsPIDOMWindowOuter* aWindow, nsIURI* aURI,

 void ReportUnblockingToConsole(
    nsPIDOMWindowInner* aWindow, const nsAString& aTrackingOrigin,
+    const nsAString& aGrantedOrigin,
    AntiTrackingCommon::StorageAccessGrantedReason aReason) {
  nsCOMPtr<nsIPrincipal> principal =
      nsGlobalWindowInner::Cast(aWindow)->GetPrincipal();
@ -456,6 +478,7 @@ void ReportUnblockingToConsole(
  }

  nsAutoString trackingOrigin(aTrackingOrigin);
+  nsAutoString grantedOrigin(aGrantedOrigin);

  nsAutoString sourceLine;
  uint32_t lineNumber = 0, columnNumber = 0;
@ -466,8 +489,8 @@ void ReportUnblockingToConsole(

  RefPtr<Runnable> runnable = NS_NewRunnableFunction(
      "ReportUnblockingToConsoleDelayed",
-      [doc, principal, trackingOrigin, sourceLine, lineNumber, columnNumber,
-       aReason]() {
+      [doc, principal, trackingOrigin, grantedOrigin, sourceLine, lineNumber,
+       columnNumber, aReason]() {
        nsAutoString origin;
        nsresult rv = nsContentUtils::GetUTFOrigin(principal, origin);
        if (NS_WARN_IF(NS_FAILED(rv))) {
@ -476,24 +499,39 @@ void ReportUnblockingToConsole(

        // Not adding grantedOrigin yet because we may not want it later.
        AutoTArray<nsString, 3> params = {origin, trackingOrigin};
+        const char* messageWithDifferentOrigin = nullptr;
        const char* messageWithSameOrigin = nullptr;

        switch (aReason) {
          case AntiTrackingCommon::eStorageAccessAPI:
+            messageWithDifferentOrigin =
+                "CookieAllowedForOriginOnTrackerByStorageAccessAPI";
            messageWithSameOrigin = "CookieAllowedForTrackerByStorageAccessAPI";
            break;

          case AntiTrackingCommon::eOpenerAfterUserInteraction:
            MOZ_FALLTHROUGH;
          case AntiTrackingCommon::eOpener:
+            messageWithDifferentOrigin =
+                "CookieAllowedForOriginOnTrackerByHeuristic";
            messageWithSameOrigin = "CookieAllowedForTrackerByHeuristic";
            break;
        }

-        nsContentUtils::ReportToConsole(
-            nsIScriptError::warningFlag, NS_LITERAL_CSTRING("Content Blocking"),
-            doc, nsContentUtils::eNECKO_PROPERTIES, messageWithSameOrigin,
-            params, nullptr, sourceLine, lineNumber, columnNumber);
+        if (trackingOrigin == grantedOrigin) {
+          nsContentUtils::ReportToConsole(
+              nsIScriptError::warningFlag,
+              NS_LITERAL_CSTRING("Content Blocking"), doc,
+              nsContentUtils::eNECKO_PROPERTIES, messageWithSameOrigin, params,
+              nullptr, sourceLine, lineNumber, columnNumber);
+        } else {
+          params.AppendElement(grantedOrigin);
+          nsContentUtils::ReportToConsole(
+              nsIScriptError::warningFlag,
+              NS_LITERAL_CSTRING("Content Blocking"), doc,
+              nsContentUtils::eNECKO_PROPERTIES, messageWithDifferentOrigin,
+              params, nullptr, sourceLine, lineNumber, columnNumber);
+        }
      });

  RunConsoleReportingRunnable(runnable.forget());
@ -905,13 +943,16 @@ AntiTrackingCommon::AddFirstPartyStorageAccessGrantedFor(
    return StorageAccessGrantPromise::CreateAndReject(false, __func__);
  }

-  if (MOZ_LOG_TEST(gAntiTrackingLog, mozilla::LogLevel::Debug)) {
-    nsAutoCString origin;
-    Unused << nsContentUtils::GetASCIIOrigin(uri, origin);
-    LOG(("Adding a first-party storage exception for %s...",
-         PromiseFlatCString(origin).get()));
+  nsAutoCString origin;
+  nsresult rv = nsContentUtils::GetASCIIOrigin(uri, origin);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    LOG(("Can't get the origin from the URI"));
+    return StorageAccessGrantPromise::CreateAndReject(false, __func__);
  }

+  LOG(("Adding a first-party storage exception for %s...",
+       PromiseFlatCString(origin).get()));
+
  Document* parentDoc = aParentWindow->GetExtantDoc();
  if (!parentDoc) {
    LOG(("Parent window has no doc"));
@ -955,13 +996,6 @@ AntiTrackingCommon::AddFirstPartyStorageAccessGrantedFor(

  // We are a first party resource.
  if (outerParentWindow->IsTopLevelWindow()) {
-    nsAutoCString origin;
-    nsresult rv = nsContentUtils::GetASCIIOrigin(uri, origin);
-    if (NS_WARN_IF(NS_FAILED(rv))) {
-      LOG(("Can't get the origin from the URI"));
-      return StorageAccessGrantPromise::CreateAndReject(false, __func__);
-    }
-
    trackingOrigin = origin;
    trackingPrincipal = aPrincipal;
    rv = trackingPrincipal->GetURI(getter_AddRefs(trackingURI));
@ -1064,11 +1098,11 @@ AntiTrackingCommon::AddFirstPartyStorageAccessGrantedFor(
  }

  auto storePermission =
-      [pwin, parentWindow, trackingOrigin, trackingPrincipal, trackingURI,
-       topInnerWindow, topLevelStoragePrincipal,
+      [pwin, parentWindow, origin, trackingOrigin, trackingPrincipal,
+       trackingURI, topInnerWindow, topLevelStoragePrincipal,
       aReason](int aAllowMode) -> RefPtr<StorageAccessGrantPromise> {
    nsAutoCString permissionKey;
-    CreatePermissionKey(trackingOrigin, permissionKey);
+    CreatePermissionKey(trackingOrigin, origin, permissionKey);

    // Let's store the permission in the current parent window.
    topInnerWindow->SaveStorageAccessGranted(permissionKey);
@ -1084,14 +1118,16 @@ AntiTrackingCommon::AddFirstPartyStorageAccessGrantedFor(
                                     Some(aReason));

    ReportUnblockingToConsole(parentWindow,
-                              NS_ConvertUTF8toUTF16(trackingOrigin), aReason);
+                              NS_ConvertUTF8toUTF16(trackingOrigin),
+                              NS_ConvertUTF8toUTF16(origin), aReason);

    if (XRE_IsParentProcess()) {
-      LOG(("Saving the permission: trackingOrigin=%s", trackingOrigin.get()));
+      LOG(("Saving the permission: trackingOrigin=%s, grantedOrigin=%s",
+           trackingOrigin.get(), origin.get()));

      return SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess(
                 topLevelStoragePrincipal, trackingPrincipal, trackingOrigin,
-                 aAllowMode)
+                 origin, aAllowMode)
          ->Then(GetCurrentThreadSerialEventTarget(), __func__,
                 [](FirstPartyStorageAccessGrantPromise::ResolveOrRejectValue&&
                        aValue) {
@ -1109,15 +1145,16 @@ AntiTrackingCommon::AddFirstPartyStorageAccessGrantedFor(

    LOG(
        ("Asking the parent process to save the permission for us: "
-         "trackingOrigin=%s",
-         trackingOrigin.get()));
+         "trackingOrigin=%s, grantedOrigin=%s",
+         trackingOrigin.get(), origin.get()));

    // This is not really secure, because here we have the content process
    // sending the request of storing a permission.
    return cc
        ->SendFirstPartyStorageAccessGrantedForOrigin(
            IPC::Principal(topLevelStoragePrincipal),
-            IPC::Principal(trackingPrincipal), trackingOrigin, aAllowMode)
+            IPC::Principal(trackingPrincipal), trackingOrigin, origin,
+            aAllowMode)
        ->Then(GetCurrentThreadSerialEventTarget(), __func__,
               [](const ContentChild::
                      FirstPartyStorageAccessGrantedForOriginPromise::
@ -1149,7 +1186,8 @@ AntiTrackingCommon::AddFirstPartyStorageAccessGrantedFor(
 RefPtr<mozilla::AntiTrackingCommon::FirstPartyStorageAccessGrantPromise>
 AntiTrackingCommon::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess(
    nsIPrincipal* aParentPrincipal, nsIPrincipal* aTrackingPrincipal,
-    const nsCString& aTrackingOrigin, int aAllowMode) {
+    const nsCString& aTrackingOrigin, const nsCString& aGrantedOrigin,
+    int aAllowMode) {
  MOZ_ASSERT(XRE_IsParentProcess());
  MOZ_ASSERT(aAllowMode == eAllow || aAllowMode == eAllowAutoGrant);

@ -1162,8 +1200,8 @@ AntiTrackingCommon::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess(
  nsCOMPtr<nsIURI> parentPrincipalURI;
  Unused << aParentPrincipal->GetURI(getter_AddRefs(parentPrincipalURI));
  LOG_SPEC(("Saving a first-party storage permission on %s for "
-            "trackingOrigin=%s",
-            _spec, aTrackingOrigin.get()),
+            "trackingOrigin=%s grantedOrigin=%s",
+            _spec, aTrackingOrigin.get(), aGrantedOrigin.get()),
           parentPrincipalURI);

  if (NS_WARN_IF(!aParentPrincipal)) {
@ -1198,7 +1236,7 @@ AntiTrackingCommon::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess(
  }

  nsAutoCString type;
-  CreatePermissionKey(aTrackingOrigin, type);
+  CreatePermissionKey(aTrackingOrigin, aGrantedOrigin, type);

  LOG(
      ("Computed permission key: %s, expiry: %u, proceeding to save in the "
@ -1461,8 +1499,15 @@ bool AntiTrackingCommon::IsFirstPartyStorageAccessGrantedFor(
  }
  Unused << parentPrincipal->GetURI(getter_AddRefs(parentPrincipalURI));

+  nsAutoCString grantedOrigin;
+  nsresult rv = nsContentUtils::GetASCIIOrigin(aURI, grantedOrigin);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    LOG_SPEC(("Failed to compute the origin from %s", _spec), aURI);
+    return false;
+  }
+
  nsAutoCString type;
-  CreatePermissionKey(trackingOrigin, type);
+  CreatePermissionKey(trackingOrigin, grantedOrigin, type);

  if (topInnerWindow->HasStorageAccessGranted(type)) {
    LOG(("Permission stored in the window. All good."));
@ -1728,8 +1773,15 @@ bool AntiTrackingCommon::IsFirstPartyStorageAccessGrantedFor(
    return false;
  }

+  nsAutoCString origin;
+  rv = nsContentUtils::GetASCIIOrigin(aURI, origin);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    LOG_SPEC(("Failed to compute the origin from %s", _spec), aURI);
+    return false;
+  }
+
  nsAutoCString type;
-  CreatePermissionKey(trackingOrigin, type);
+  CreatePermissionKey(trackingOrigin, origin, type);

  uint32_t privateBrowsingId = 0;
  rv = channelPrincipal->GetPrivateBrowsingId(&privateBrowsingId);
--- a/toolkit/components/antitracking/AntiTrackingCommon.h
+++ b/toolkit/components/antitracking/AntiTrackingCommon.h
@ -130,7 +130,8 @@ class AntiTrackingCommon final {
  static RefPtr<FirstPartyStorageAccessGrantPromise>
  SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess(
      nsIPrincipal* aPrincipal, nsIPrincipal* aTrackingPrinciapl,
-      const nsCString& aTrackingOrigin, int aAllowMode);
+      const nsCString& aParentOrigin, const nsCString& aGrantedOrigin,
+      int aAllowMode);

  // Check whether a top window principal is on the content blocking allow list.
  static nsresult IsOnContentBlockingAllowList(nsIPrincipal* aTopWinPrincipal,
--- a/toolkit/components/antitracking/test/browser/antitracking_head.js
+++ b/toolkit/components/antitracking/test/browser/antitracking_head.js
@ -696,31 +696,13 @@ this.AntiTracking = {
        is(allMessages.length, 0, "No console messages should be generated");
      } else {
        ok(!!allMessages.length, "Some console message should be generated");
-        if (options.errorMessageDomains) {
-          is(
-            allMessages.length,
-            options.errorMessageDomains.length,
-            "Enough items provided in errorMessageDomains"
-          );
-        }
      }
-      let index = 0;
      for (let msg of allMessages) {
        is(
          msg.category,
          expectedCategory,
          "Message should be of expected category"
        );
-
-        if (options.errorMessageDomains) {
-          ok(
-            msg.errorMessage.includes(options.errorMessageDomains[index]),
-            `Error message domain ${
-              options.errorMessageDomains[index]
-            } (${index}) found in "${msg.errorMessage}"`
-          );
-          index++;
-        }
      }

      if (options.allowList) {
--- a/toolkit/components/antitracking/test/browser/browser.ini
+++ b/toolkit/components/antitracking/test/browser/browser.ini
@ -39,9 +39,6 @@ support-files =
  raptor.jpg
  !/browser/modules/test/browser/head.js
  !/browser/base/content/test/general/head.js
-  !/browser/base/content/test/trackingUI/cookieServer.sjs
-  !/browser/base/content/test/trackingUI/trackingPage.html
-  !/browser/base/content/test/trackingUI/trackingAPI.js

 [browser_allowListNotifications.js]
 support-files = subResources.sjs
@ -112,8 +109,6 @@ skip-if = fission
 skip-if = fission
 [browser_storageAccessSandboxed.js]
 skip-if = fission
-[browser_storageAccessThirdPartyChecks.js]
-skip-if = fission
 [browser_storageAccessWithHeuristics.js]
 skip-if = fission
 [browser_networkIsolation.js]
--- a/toolkit/components/antitracking/test/browser/browser_storageAccessThirdPartyChecks.js
+++ b/toolkit/components/antitracking/test/browser/browser_storageAccessThirdPartyChecks.js
@ -1,63 +0,0 @@
-/* import-globals-from antitracking_head.js */
-
-AntiTracking._createTask({
-  name:
-    "Test that after a storage access grant we have full first-party access",
-  cookieBehavior: BEHAVIOR_REJECT_TRACKER,
-  blockingByContentBlockingRTUI: true,
-  allowList: false,
-  callback: async _ => {
-    /* import-globals-from storageAccessAPIHelpers.js */
-    await noStorageAccessInitially();
-
-    await callRequestStorageAccess();
-
-    const TRACKING_PAGE =
-      "http://another-tracking.example.net/browser/browser/base/content/test/trackingUI/trackingPage.html";
-    async function runChecks(name) {
-      let iframe = document.createElement("iframe");
-      iframe.src = TRACKING_PAGE;
-      document.body.appendChild(iframe);
-      await new Promise(resolve => {
-        iframe.onload = resolve;
-      });
-
-      await SpecialPowers.spawn(iframe, [name], name => {
-        content.postMessage(name, "*");
-      });
-
-      await new Promise(resolve => {
-        onmessage = e => {
-          if (e.data == "done") {
-            resolve();
-          }
-        };
-      });
-    }
-
-    await runChecks("image");
-  },
-  extraPrefs: null,
-  expectedBlockingNotifications:
-    Ci.nsIWebProgressListener.STATE_COOKIES_BLOCKED_TRACKER,
-  runInPrivateWindow: false,
-  iframeSandbox: null,
-  accessRemoval: null,
-  callbackAfterRemoval: null,
-  thirdPartyPage: TEST_3RD_PARTY_PAGE_HTTP,
-  errorMessageDomains: [
-    "http://tracking.example.org",
-    "http://tracking.example.org",
-    "http://tracking.example.org",
-    "http://tracking.example.org",
-    "http://tracking.example.org",
-  ],
-});
-
-add_task(async _ => {
-  await new Promise(resolve => {
-    Services.clearData.deleteData(Ci.nsIClearDataService.CLEAR_ALL, value =>
-      resolve()
-    );
-  });
-});
--- a/toolkit/components/antitracking/test/browser/head.js
+++ b/toolkit/components/antitracking/test/browser/head.js
@ -29,8 +29,6 @@ const TEST_TOP_PAGE_6 = TEST_DOMAIN_6 + TEST_PATH + "page.html";
 const TEST_EMBEDDER_PAGE = TEST_DOMAIN + TEST_PATH + "embedder.html";
 const TEST_POPUP_PAGE = TEST_DOMAIN + TEST_PATH + "popup.html";
 const TEST_3RD_PARTY_PAGE = TEST_3RD_PARTY_DOMAIN + TEST_PATH + "3rdParty.html";
-const TEST_3RD_PARTY_PAGE_HTTP =
-  TEST_3RD_PARTY_DOMAIN_HTTP + TEST_PATH + "3rdParty.html";
 const TEST_3RD_PARTY_PAGE_WO =
  TEST_3RD_PARTY_DOMAIN + TEST_PATH + "3rdPartyWO.html";
 const TEST_3RD_PARTY_PAGE_UI =
--- a/toolkit/components/cleardata/ClearDataService.jsm
+++ b/toolkit/components/cleardata/ClearDataService.jsm
@ -879,14 +879,19 @@ const PermissionsCleaner = {

        if (!toBeRemoved && perm.type.startsWith("3rdPartyStorage^")) {
          let parts = perm.type.split("^");
-          let uri;
-          try {
-            uri = Services.io.newURI(parts[1]);
-          } catch (ex) {
-            continue;
-          }
+          for (let i = 1; i < parts.length; ++i) {
+            let uri;
+            try {
+              uri = Services.io.newURI(parts[i]);
+            } catch (ex) {
+              continue;
+            }

-          toBeRemoved = Services.eTLD.hasRootDomain(uri.host, aHost);
+            toBeRemoved = Services.eTLD.hasRootDomain(uri.host, aHost);
+            if (toBeRemoved) {
+              break;
+            }
+          }
        }

        if (!toBeRemoved) {
--- a/toolkit/components/cleardata/tests/unit/test_permissions.js
+++ b/toolkit/components/cleardata/tests/unit/test_permissions.js
@ -133,6 +133,16 @@ add_task(async function test_3rdpartystorage_permissions() {
    "cookie",
    Services.perms.ALLOW_ACTION
  );
+  Services.perms.addFromPrincipal(
+    oneMorePrincipal,
+    "3rdPartyStorage^https://example.net^https://example.org",
+    Services.perms.ALLOW_ACTION
+  );
+  Services.perms.addFromPrincipal(
+    oneMorePrincipal,
+    "3rdPartyStorage^https://example.org^https://example.net",
+    Services.perms.ALLOW_ACTION
+  );

  Assert.ok(
    Services.perms.getPermissionObject(principal, "cookie", true) != null
@ -150,6 +160,20 @@ add_task(async function test_3rdpartystorage_permissions() {
  Assert.ok(
    Services.perms.getPermissionObject(oneMorePrincipal, "cookie", true) != null
  );
+  Assert.ok(
+    Services.perms.getPermissionObject(
+      oneMorePrincipal,
+      "3rdPartyStorage^https://example.net^https://example.org",
+      true
+    ) != null
+  );
+  Assert.ok(
+    Services.perms.getPermissionObject(
+      oneMorePrincipal,
+      "3rdPartyStorage^https://example.org^https://example.net",
+      true
+    ) != null
+  );

  await new Promise(aResolve => {
    Services.clearData.deleteDataFromPrincipal(
@ -179,6 +203,20 @@ add_task(async function test_3rdpartystorage_permissions() {
  Assert.ok(
    Services.perms.getPermissionObject(oneMorePrincipal, "cookie", true) != null
  );
+  Assert.ok(
+    Services.perms.getPermissionObject(
+      oneMorePrincipal,
+      "3rdPartyStorage^https://example.net^https://example.org",
+      true
+    ) == null
+  );
+  Assert.ok(
+    Services.perms.getPermissionObject(
+      oneMorePrincipal,
+      "3rdPartyStorage^https://example.org^https://example.net",
+      true
+    ) == null
+  );

  await new Promise(aResolve => {
    Services.clearData.deleteData(