Closed Bug 1303358 Opened 8 years ago Closed 8 years ago

CORS

Categories

(Core :: DOM: Security, defect)

48 Branch
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: balafi, Unassigned)

Attachments

(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160823121617

Steps to reproduce:

I read the documentation for CORS at https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS and followed the link to this page: http://arunranga.com/examples/access-control/credentialedRequestNoCredentials.html which, according to the aforementioned documentation, is a working example of CORS with credentials.


Actual results:

When I click the "Click to Invoke Another Site" button at http://arunranga.com/examples/access-control/credentialedRequestNoCredentials.html I observe in the inspector that the CORS request does not include the cookie which was set in the response to the previous request.


Expected results:

Based on the specification as well as the Firefox documentation, I would expect the cookie which is set in the CORS response to be stored by the browser and included in the request headers of subsequent requests.
Component: Untriaged → DOM: Security
Product: Firefox → Core
Look at the file name of the URL you provided:

  http://arunranga.com/examples/access-control/credentialedRequestNoCredentials.html

It says "NoCredentials".  At the bottom of the page is a link to:

  http://arunranga.com/examples/access-control/credentialedRequest.html

I see the cookie sent on the second site and not the first site.  I think this is what is expected.

Does this work for you?
Flags: needinfo?(balafi)
No, it does not work. Screenshot attached

I wanted to refer to http://arunranga.com/examples/access-control/credentialedRequest.html but copied and pasted the wrong URL.
Let me add another screenshot, this time from FF 48.0.2 on OS X El Capitan (10.11.6).
You will notice that the request highlighted in the inspector is the third CORS request, but the pageAccess counter in the Set-Cookie is still 1.
The Request Headers do not include a Cookie header (this is not visible in this screenshot).
Can you open "about:support" in a new tab, copy to text, and paste here?
Application Basics
------------------

Name: Firefox
Version: 48.0.2
Build ID: 20160823121617
Update Channel: release
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:48.0) Gecko/20100101 Firefox/48.0
OS: Darwin 15.6.0 x86-64
Multiprocess Windows: 0/1 (Disabled by add-ons)
Safe Mode: false

Crash Reports for the Last 3 Days
---------------------------------

All Crash Reports

Extensions
----------

Name: All Tabs Helper
Version: 0.2.31
Enabled: true
ID: alltabshelper@alltabshelper.org

Name: Firefox Hello Beta
Version: 1.4.4
Enabled: true
ID: loop@mozilla.org

Name: HostAdmin
Version: 1.4.9.2.1-signed.1-signed
Enabled: true
ID: {bd54afa8-b14a-4d7a-aecf-37e34e882796}

Name: Multi-process staged rollout
Version: 1.2
Enabled: true
ID: e10srollout@mozilla.org

Name: Pocket
Version: 1.0.4
Enabled: true
ID: firefox@getpocket.com

Name: React Devtools
Version: 0.15.3
Enabled: true
ID: @react-devtools

Name: RESTClient
Version: 2.0.5
Enabled: true
ID: {ad0d925d-88f8-47f1-85ea-8463569e756e}

Name: Selenium IDE
Version: 2.9.1.1-signed
Enabled: true
ID: {a6fd85ed-e919-4a43-a5af-8da18bda539f}

Name: uBlock Origin
Version: 1.9.6
Enabled: true
ID: uBlock0@raymondhill.net

Name: Video DownloadHelper
Version: 6.0.0
Enabled: true
ID: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}

Graphics
--------

Features
Compositing: OpenGL
Asynchronous Pan/Zoom: none
WebGL Renderer: Intel Inc. -- Intel(R) Iris(TM) Graphics 6100
Hardware H264 Decoding: Yes
GPU #1
Active: Yes
Vendor ID: 0x8086
Device ID: 0x162b

Diagnostics
AzureCanvasAccelerated: 1
AzureCanvasBackend: skia
AzureContentBackend: skia
AzureFallbackCanvasBackend: none


Important Modified Preferences
------------------------------

accessibility.typeaheadfind.flashBar: 0
browser.cache.disk.capacity: 358400
browser.cache.disk.filesystem_reported: 1
browser.cache.disk.hashstats_reported: 1
browser.cache.disk.smart_size.first_run: false
browser.cache.disk.smart_size.use_old_max: false
browser.cache.frecency_experiment: 4
browser.download.importedFromSqlite: true
browser.places.smartBookmarksVersion: 8
browser.sessionstore.upgradeBackup.latestBuildID: 20160823121617
browser.startup.homepage: https://confluence.atypon.com/spacedirectory/view.action
browser.startup.homepage_override.buildID: 20160823121617
browser.startup.homepage_override.mstone: 48.0.2
browser.tabs.remote.autostart.2: true
browser.urlbar.maxRichResults: 12
browser.urlbar.suggest.searches: true
browser.urlbar.userMadeSearchSuggestionsChoice: true
dom.apps.reset-permissions: true
dom.disable_open_during_load: false
dom.mozApps.used: true
dom.push.userAgentID: c09b43f9d05840e9a8035abb3a545efb
extensions.lastAppVersion: 48.0.2
font.internaluseonly.changed: true
font.language.group: x-western
gfx.blacklist.direct2d: 3
gfx.blacklist.direct2d.failureid: FEATURE_FAILURE_DL_BLACKLIST_g984
gfx.crash-guard.glcontext.appVersion: 45.0.2
gfx.crash-guard.glcontext.deviceID: 0x162b
gfx.crash-guard.status.glcontext: 2
media.benchmark.vp9.fps: 124
media.benchmark.vp9.versioncheck: 1
media.gmp-gmpopenh264.abi: x86_64-gcc3-u-i386-x86_64
media.gmp-gmpopenh264.lastUpdate: 1471519341
media.gmp-gmpopenh264.version: 1.6
media.gmp-manager.buildID: 20160823121617
media.gmp-manager.lastCheck: 1474025389
media.gmp-widevinecdm.abi: x86_64-gcc3-u-i386-x86_64
media.gmp-widevinecdm.lastUpdate: 1465885844
media.gmp-widevinecdm.version: 1.4.8.866
media.gmp.storage.version.observed: 1
media.webrtc.debug.aec_log_dir: /tmp/
media.webrtc.debug.log_file: /tmp/WebRTC.log
media.youtube-ua.override.to: 43
network.cookie.cookieBehavior: 1
network.cookie.prefsMigrated: true
network.cookie.thirdparty.sessionOnly: true
network.dns.disablePrefetch: true
network.dnsCacheEntries: 0
network.dnsCacheExpiration: 0
network.http.speculative-parallel-limit: 0
network.predictor.cleaned-up: true
network.prefetch-next: false
places.database.lastMaintenance: 1473757723
places.history.expiration.transient_current_max_pages: 104858
plugin.disable_full_page_plugin_for_types: application/pdf
plugin.importedState: true
print.print_bgcolor: false
print.print_bgimages: false
print.print_duplex: -437918235
print.print_evenpages: true
print.print_in_color: true
print.print_margin_bottom: 0.5
print.print_margin_left: 0.5
print.print_margin_right: 0.5
print.print_margin_top: 0.5
print.print_oddpages: true
print.print_orientation: 0
print.print_page_delay: 50
print.print_paper_data: 0
print.print_paper_height: 11.00
print.print_paper_name:
print.print_paper_size_type: 1
print.print_paper_size_unit: 0
print.print_paper_width: 8.50
print.print_resolution: -437918235
print.print_reversed: false
print.print_scaling: 1.00
print.print_shrink_to_fit: true
print.print_to_file: false
print.print_unwriteable_margin_bottom: 17
print.print_unwriteable_margin_left: 17
print.print_unwriteable_margin_right: 17
print.print_unwriteable_margin_top: 17
privacy.clearOnShutdown.passwords: false
privacy.cpd.cookies: false
privacy.cpd.downloads: false
privacy.cpd.formdata: false
privacy.cpd.history: false
privacy.cpd.sessions: false
privacy.donottrackheader.enabled: true
privacy.sanitize.migrateClearSavedPwdsOnExit: true
privacy.sanitize.migrateFx3Prefs: true
privacy.sanitize.timeSpan: 0
services.sync.declinedEngines:
services.sync.engine.addons: false
services.sync.engine.prefs.modified: false
services.sync.lastPing: 1474015915
services.sync.lastSync: Sat Sep 17 2016 02:59:47 GMT+0300 (EEST)
services.sync.numClients: 5
storage.vacuum.last.index: 1
storage.vacuum.last.places.sqlite: 1473669051

Important Locked Preferences
----------------------------

JavaScript
----------

Incremental GC: true

Accessibility
-------------

Activated: false
Prevent Accessibility: 0

Library Versions
----------------

NSPR
Expected minimum version: 4.12
Version in use: 4.12

NSS
Expected minimum version: 3.24 Basic ECC
Version in use: 3.24 Basic ECC

NSSSMIME
Expected minimum version: 3.24 Basic ECC
Version in use: 3.24 Basic ECC

NSSSSL
Expected minimum version: 3.24 Basic ECC
Version in use: 3.24 Basic ECC

NSSUTIL
Expected minimum version: 3.24
Version in use: 3.24

Experimental Features
---------------------
You have this pref:

  network.cookie.cookieBehavior: 1

Which means to reject foreign cookies:

  https://dxr.mozilla.org/mozilla-central/source/modules/libpref/init/all.js#1971

Can you test with a new profile with default settings and no addons?
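The two conditions this thread turns on, as an added example that is not part of the bug report and not code from the arunranga.com demo: what a credentialed CORS response must carry, and why the cookie still fails to round-trip when the browser rejects third-party cookies. Header values and origins below are constructed for illustration.

```javascript
// Added example (not from the bug or the demo site). Checks a CORS response
// for a credentialed (cookie-bearing) cross-origin request, then models the
// effect of Firefox's network.cookie.cookieBehavior pref on the cookie.

// Client side: the demo page does this in principle. fetch() with
// credentials: 'include' is the modern form of XMLHttpRequest.withCredentials.
function credentialedRequest(url) {
  return fetch(url, { credentials: 'include' });
}

// Server side: for a credentialed request the browser requires
//  - Access-Control-Allow-Origin equal to the requesting origin (never "*"),
//  - Access-Control-Allow-Credentials with the exact value "true".
// Returns a list of problems; an empty list means the response is usable.
function checkCredentialedCors(requestOrigin, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const problems = [];
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) {
    problems.push('missing Access-Control-Allow-Origin');
  } else if (acao === '*') {
    problems.push('wildcard origin is rejected when credentials are sent');
  } else if (acao !== requestOrigin) {
    problems.push(`origin mismatch: ${acao} != ${requestOrigin}`);
  }
  if (h['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials must be exactly "true"');
  }
  return problems;
}

// Even with correct CORS headers, the cookie only round-trips if the cookie
// policy lets the cross-site origin set and send it. Firefox values modelled:
// 0 = accept all, 1 = reject third-party (the reporter's setting), 2 = reject
// all. Other values exist and are not modelled here.
function cookieWillRoundTrip(pageOrigin, resourceOrigin, cookieBehavior) {
  if (cookieBehavior === 2) return false;
  if (cookieBehavior === 1) return pageOrigin === resourceOrigin;
  return true;
}
```

With cookieBehavior 1 the CORS checker passes while cookieWillRoundTrip is false, which is exactly the symptom in the screenshots: the request is sent, but without a Cookie header.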
I restarted on safe mode from about:support
cookieBehavior was again set to 1

Looking at about:config, the pref status was 'user set'.
I did a reset and everything works fine now

I don't remember when/where this was set to 1.

many thanks for your fantastic support.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(balafi)
Resolution: --- → WORKSFORME
No problem.  I think this can be set via something in options->privacy.  We allow users to disable 3rd party cookies to reduce tracking.