Closed
Bug 1149250
Opened 10 years ago
Closed 7 years ago
Ensure Web Extensions surface allowing manual http->https (secure update) redirects not blocked by CORS checks
Categories
(WebExtensions :: Request Handling, defect, P2)
WebExtensions
Request Handling
Tracking
(firefox57 wontfix, firefox59 fixed)
RESOLVED
FIXED
mozilla59
People
(Reporter: mayhemer, Assigned: mixedpuppy)
References
Details
(Keywords: dev-doc-complete, Whiteboard: triaged)
Attachments
(2 files, 2 obsolete files)
+++ This bug was initially created as a clone of Bug #881830 +++
Not surprisingly, this (the fix for bug 881830) has been causing lots of breakage with HTTPS Everywhere. Hopefully the CORS-with-preflight-case being addressed?
cf https://github.com/EFForg/https-everywhere/issues/49
see "development" XPIs at https://eff.org/https-everywhere
Ping: This is still causing a lot of bugs for HTTPS Everywhere. Any suggestions on how to proceed?
We may wind up having to work around by telling HTTPS Everywhere never to upgrade preflight requests. Is there any way to distinguish a preflight request using the http-on-modify-request observer event (https://developer.mozilla.org/en-US/docs/Observer_Notifications)?
Comment 2•9 years ago
|
||
Is there any progress on this? The related issue in HTTPS Everywhere is quite frustrating.
Updated•9 years ago
|
Whiteboard: [necko-active]
Reporter | ||
Comment 3•8 years ago
|
||
Possible solutions:
In Gecko:
- add nsIHttpChannel.upgradeToHttps public method, that will be used instead of redirectTo
In HTTPS Everywhere:
- persuade loadinfo of the channel (if there is one!) to behave as there were "upgrade-insecure-requests" CSP directive set on the loading document
- set setAllowSTS to true on the channel and then persuade (or potentially reimplement) nsISiteSecurityService to return true for calls from isSecureURI for the channel
yan, what do you think? I'm not sure I want to add upgradeToHttps, but that sounds like the simplest solution that preserves full functionality.
Flags: needinfo?(yan)
Reporter | ||
Updated•8 years ago
|
Whiteboard: [necko-active] → [necko-backlog]
Reporter | ||
Comment 4•8 years ago
|
||
Disassigning myself for lack of information progress and interest here.
Assignee: honzab.moz → nobody
Reporter | ||
Comment 5•8 years ago
|
||
yan, ping on ni? here.
Reporter | ||
Comment 6•8 years ago
|
||
Closing for no feedback.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(yan)
Resolution: --- → INCOMPLETE
Comment 7•8 years ago
|
||
The summary of this bug isn't https-everywhere specific... is the summary just wrong?
Flags: needinfo?(honzab.moz)
Comment 8•8 years ago
|
||
Resolved? Closed? Please. This is a significant issue. I am the developer of Jmol (JSmol) and have had huge problems with this issue in the context of jQuery. Sites are automatically switching to https now, so IT professionals at the host site have no options open to them. All is fine outside of AJAX as far as I can see. But we really need AJAX to do this.
I'm hoping that Mozilla can at least lead the way for other browsers.
Or am I missing something?
Bob hanson
Comment 9•8 years ago
|
||
Bob, I think whatever you're missing is what I'm missing too. And specifically, what the difference is between this bug and bug 881830 (which is marked fixed).
But if you have a specific site that is showing a problem in a current release, please file it with steps to reproduce. Because if my guess about what _this_ bug is about is correct, whatever you are seeing is not this bug.
Comment 10•8 years ago
|
||
This is still occurring for me on http://js2.coffee which has assets from code.ionicframework.com that are upgraded by HTTPS Everywhere, as reported a long time ago here: https://github.com/EFForg/https-everywhere/issues/49#issuecomment-167002867
Firefox 49 on macOS 10.12, HTTPS Everywhere 5.2.5
The same issue does not occur in Chrome with HTTPS Everywhere
Reporter | ||
Comment 11•8 years ago
|
||
(In reply to Boris Zbarsky [:bz] (still a bit busy) from comment #9)
> Bob, I think whatever you're missing is what I'm missing too. And
> specifically, what the difference is between this bug and bug 881830 (which
> is marked fixed).
>
> But if you have a specific site that is showing a problem in a current
> release, please file it with steps to reproduce. Because if my guess about
> what _this_ bug is about is correct, whatever you are seeing is not this bug.
Thanks Boris. Yes, this has been specifically filed as a response to HTTPS Everywhere add-on issue 49, see comment 0. This bug is not about content at all. The title had to be updated, I admit.
I didn't get any feedback here, I'll try to ping them on github directly.
(In reply to Bob Hanson from comment #8)
> Resolved? Closed? Please. This is a significant issue. I am the developer of
> Jmol (JSmol) and have had huge problems with this issue in the context of
> jQuery. Sites are automatically switching to https now, so IT professionals
> at the host site have no options open to them. All is fine outside of AJAX
> as far as I can see. But we really need AJAX to do this.
>
> I'm hoping that Mozilla can at least lead the way for other browsers.
>
> Or am I missing something?
>
> Bob hanson
As Boris mentions, I am not sure how your issue relates to this bug. Sorry for confusion if the bad title misled you.
Flags: needinfo?(honzab.moz)
Summary: CORS requests that STS upgrades to https fail → No XPCOM API to tell an HTTP channel to internally redirect to a secure scheme, redirect otherwise blocked by CORS checks.
Reporter | ||
Comment 12•8 years ago
|
||
(In reply to Stefan Wrobel from comment #10)
> This is still occurring for me on http://js2.coffee which has assets from
> code.ionicframework.com that are upgraded by HTTPS Everywhere, as reported a
> long time ago here:
> https://github.com/EFForg/https-everywhere/issues/49#issuecomment-167002867
>
> Firefox 49 on macOS 10.12, HTTPS Everywhere 5.2.5
>
> The same issue does not occur in Chrome with HTTPS Everywhere
Commented there with reference to this bug. Hopefully I will get a feedback now.
Reporter | ||
Comment 13•8 years ago
|
||
(And apparently closing a bug with no feedback is a good thing - I got some feedback instantly ;))
Comment 14•8 years ago
|
||
Hi! Sorry for the delay in responding. I think my Bugzilla mail was getting eaten. A little more detail:
Chrome has a similar bug at https://bugs.chromium.org/p/chromium/issues/detail?id=387198. It looks like they were able to solve it internally, without new APIs, by setting headers on the redirect. Do you think that is possible for Firefox?
I think HTTPS Everywhere would be happy to have an upgradeToHttps API, but we are planning to move the whole extension to WebExtensions as recommended by Mozilla. So any API we would want to use would have to exist in WebExtensions. Additionally, it's not clear to me that how adding the new API would fix the problem. Could you go into more detail on that?
Thanks,
Jacob
Reporter | ||
Comment 15•8 years ago
|
||
(In reply to Jacob from comment #14)
> Hi! Sorry for the delay in responding. I think my Bugzilla mail was getting
> eaten. A little more detail:
>
> Chrome has a similar bug at
> https://bugs.chromium.org/p/chromium/issues/detail?id=387198. It looks like
> they were able to solve it internally, without new APIs, by setting headers
> on the redirect. Do you think that is possible for Firefox?
I will go thought that bug a but later, maybe we can do something similar/same.
>
> I think HTTPS Everywhere would be happy to have an upgradeToHttps API, but
> we are planning to move the whole extension to WebExtensions as recommended
> by Mozilla.
Good to hear!
> So any API we would want to use would have to exist in
> WebExtensions. Additionally, it's not clear to me that how adding the new
> API would fix the problem. Could you go into more detail on that?
So, the problem is that redirect from http://foo.com to httpS://foo.com is a cross-origin redirect and must be submitted to CORS checks, that is clear. When it's triggered internally (from inside the platform) as part of HSTS upgrade (for instance) via an API that is available only internally, we set a flag marking the redirect as internal and as 'intentional secure update from http->https' only. We can then safely bypass some CORS checks. Problem is that we cannot simply set this "do bypass CORS checks" flag whenever a channel does only http->https redirect (secure update) because we can't determine the true cause of the redirect and we may actually go to a totally different server.
Hence, a new API you may then call (regardless being XPCOM or WebExtensions) from a privileged code marks this redirect intention as "secure update" explicitly and set that "do bypass CORS checks" flag.
I will have to discuss this also with some people responsible for designing WebExtensions APIs, whether there is something we could offer right now or we have to invent something.
Cameron, can you elaborate or forward to the right people?
Renaming the bug, ensure Web Extensions surface allowing this kind "secure update" redirect not being blocked by CORS checks.
>
> Thanks,
> Jacob
Status: RESOLVED → REOPENED
Component: Networking → WebExtensions: Request Handling
Flags: needinfo?(spectre)
Product: Core → Toolkit
Resolution: INCOMPLETE → ---
Summary: No XPCOM API to tell an HTTP channel to internally redirect to a secure scheme, redirect otherwise blocked by CORS checks. → Ensure Web Extensions surface allowing manual http->https (secure update) redirects not blocked by CORS checks
Reporter | ||
Updated•8 years ago
|
Status: REOPENED → NEW
Whiteboard: [necko-backlog]
Comment 16•8 years ago
|
||
I don't think this is me directly, though we were talking about a protocol handler API. bz might know the right person.
Flags: needinfo?(spectre)
Updated•8 years ago
|
Priority: -- → P2
Whiteboard: triaged
What I have suggested in the past is to expose two notifications to web extensions.
The first notification happens after gecko creates a channel and calls AsyncOpen2(), but before AsyncOpen2() does any security checks.
The second notification happens after AsyncOpen2 has done security checks, but before we hit the network/httpcache.
If the webextension does a redirect during the first notification, then we never do any CORS, CheckLoadURI, etc checks on the URI which was actually opened by gecko. Instead the AsyncOpen2 process restarts and we do security checks only on the new URI (unless the channel gets redirected again to yet another URI).
There are some difficulties implementing this. AsyncOpen2 currently does security checks synchronously and returns an error value if they fail. But we can't call into webextensions synchronously.
Generally speaking it should be possible to make AsyncOpen2 do security checks asynchronously and instead fire OnStartRequest/OnStopRequest with an error value if security checks fail.
But there are a few web APIs which rely on synchronous security checks. For example I *think* that we intentionally do some security checks synchronously when an <a href="..." target="_blank"> is clicked to avoid opening a new window if the load is blocked. There are likely more examples like that.
new Worker(...) used to do synchronous same-origin checks in the spec, and might still in gecko, but I believe the spec now calls for these checks to be async.
Assignee | ||
Comment 18•8 years ago
|
||
I just wrote a test to redirect a fetch of http://example.com to https://example.com and it passes. Am I missing something here?
Assignee | ||
Comment 19•8 years ago
|
||
Ah. I know what I missed.
Assignee | ||
Comment 20•8 years ago
|
||
This test shows my understanding of the basic problem outlined in this bug. If the functionality needed is different it would be great to clarify it.
Attachment #8823882 -
Attachment is obsolete: true
Comment hidden (mozreview-request) |
Assignee | ||
Comment 22•8 years ago
|
||
Comment on attachment 8824195 [details] [diff] [review]
redirectUpgrade
moved test patch to reviewboard
Attachment #8824195 -
Attachment is obsolete: true
Assignee | ||
Comment 23•8 years ago
|
||
I fixed the test while testing another http->https upgrade bug I saw, and am not able to reproduce the problem. I'll need a more specific STR in order to validate whether this is actually a problem.
Comment 25•7 years ago
|
||
I'm also getting CORS error with a simple noop redirect on latest Nightly, so I can't create my ext..
See code: https://gist.github.com/klausenbusk/f368f01d0412aff02b6fe736ccb9cf70 and I'm getting:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://0-edge-chat.facebook.com/pullxxxxx. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
Comment 26•7 years ago
|
||
I can still reproduce this in Nightly 08-25, STR:
1. Install the beta version of https everywhere at [0] since only WebExtension works in Fx 57
2. Open http://js2.coffee/
3. Open HTTPS Everywhere's panel and toggle 'Ionic Framework.com (partial)' (This ruleset has been re-enabled later at [1], but it is not included in the WebExtension version yet. Anyway code.ionicframework.com is the only one matters here)
4. Hard reload
Error message:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://code.ionicframework.com/ionicons/2.0.1/fonts/ionicons.ttf?v=2.0.1. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
Hope this can help to validate the problem
[0]: https://www.eff.org/files/https-everywhere-test/https-everywhere-2017.7.21.1338-eff.xpi
[1]: https://github.com/EFForg/https-everywhere/pull/11950
Flags: needinfo?(mixedpuppy)
Updated•7 years ago
|
See Also: → https://github.com/adobe/brackets.io/issues/138
Updated•7 years ago
|
Updated•7 years ago
|
status-firefox57:
--- → wontfix
Comment hidden (mozreview-request) |
Assignee | ||
Comment 28•7 years ago
|
||
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
Honza, this seems to work just fine given the simple test (included). I'm not sure if there are issues I am unaware of that would make this approach a bad idea.
Flags: needinfo?(mixedpuppy)
Attachment #8843518 -
Flags: feedback?(honzab.moz)
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → mixedpuppy
Comment hidden (mozreview-request) |
Assignee | ||
Updated•7 years ago
|
Attachment #8843518 -
Flags: feedback?(honzab.moz)
Comment 30•7 years ago
|
||
mozreview-review |
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
https://reviewboard.mozilla.org/r/117226/#review202544
C/C++ static analysis found 0 defects in this patch.
You can run this analysis locally with: `./mach static-analysis check path/to/file.cpp`
Assignee | ||
Comment 31•7 years ago
|
||
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
for feedback on the webext side of things.
Attachment #8843518 -
Flags: feedback?(kmaglione+bmo)
Comment 32•7 years ago
|
||
mozreview-review |
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
https://reviewboard.mozilla.org/r/117226/#review202998
::: toolkit/components/extensions/schemas/web_request.json:153
(Diff revision 3)
> "redirectUrl": {
> "type": "string",
> "optional": true,
> "description": "Only used as a response to the onBeforeRequest and onHeadersReceived events. If set, the original request is prevented from being sent/completed and is instead redirected to the given URL. Redirections to non-HTTP schemes such as data: are allowed. Redirects initiated by a redirect action use the original request method for the redirect, with one exception: If the redirect is initiated at the onHeadersReceived stage, then the redirect will be issued using the GET method."
> },
> + "redirectUpgrade": {
Seems reasonable, but maybe a bit arcane. Maybe call it something like "maybeUpgradeToHttps"?
Updated•7 years ago
|
Attachment #8843518 -
Flags: feedback?(kmaglione+bmo) → feedback+
Assignee | ||
Comment 33•7 years ago
|
||
Capturing some irc feedback/discussion with Kris
- maybe use "upgradeToHttps" or "maybeUpgradeToHttps" instead of "redirectUpgrade"
- me: we should no-op in webrequest.jsm if it is already https
- perhaps return a bool if upgrade is necessary
- me: not sure that is easy to do, it is determined at a later time in the channel, but easy to return !schemeIs(https).
Reporter | ||
Comment 34•7 years ago
|
||
mozreview-review |
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
https://reviewboard.mozilla.org/r/117226/#review203370
::: dom/webidl/ChannelWrapper.webidl:85
(Diff revision 3)
> + * Upgrades the wrapped HTTP channel to a secure request. For other channel
> + * types, this method will throw. The redirect is an internal redirect, and
> + * the behavior is the same as nsIHttpChannel.redirectUpgrade.
> + */
> + [Throws]
> + void redirectUpgrade();
is the name of this method under some web-spec control? if not, please make the name clearer, like ensureUpgradeToSecure or something.
internal methods and members definitely must have a clearer name.
the comment here must explain how this effects the channel when also redirectTo was called.
and, that bit (both redirectTo and redirectUpgrade being called on a single channel) has to be discussed before landing this.
::: netwerk/protocol/http/HttpBaseChannel.h:490
(Diff revision 3)
> nsCOMPtr<nsIInterfaceRequestor> mCallbacks;
> nsCOMPtr<nsIProgressEventSink> mProgressSink;
> nsCOMPtr<nsIURI> mReferrer;
> nsCOMPtr<nsIApplicationCache> mApplicationCache;
> nsCOMPtr<nsIURI> mAPIRedirectToURI;
> + bool mAPIRedirectUpgrade;
I'd like to see this in the list of bit fields to pack. and give it also a better name.
::: netwerk/protocol/http/nsIHttpChannel.idl:447
(Diff revision 3)
> * @throws NS_ERROR_NOT_AVAILABLE if called after the channel has already
> * started to deliver the content to its listener.
> */
> [must_use] void redirectTo(in nsIURI aTargetURI);
>
> + [must_use] void redirectUpgrade();
add a good comment
::: netwerk/protocol/viewsource/nsViewSourceChannel.cpp:1081
(Diff revision 3)
> return !mHttpChannel ? NS_ERROR_NULL_POINTER :
> mHttpChannel->RedirectTo(uri);
> }
>
> NS_IMETHODIMP
> +nsViewSourceChannel::RedirectUpgrade()
a blank line before this line
::: toolkit/modules/addons/WebRequest.jsm:814
(Diff revision 3)
> channel.suspended = false;
> channel.cancel(Cr.NS_ERROR_ABORT);
> return;
> }
>
> - if (result.redirectUrl) {
> + if (result.redirectUpgrade) {
so, secure upgrade takes precedence over redirectTo, is this according the spec? is this what we want? and is this documented in our (web)idls properly?
::: toolkit/modules/addons/WebRequest.jsm:818
(Diff revision 3)
>
> - if (result.redirectUrl) {
> + if (result.redirectUpgrade) {
> + channel.suspended = false;
> + channel.redirectUpgrade();
> + return;
> + } else if (result.redirectUrl) {
no else after return please
Attachment #8843518 -
Flags: review-
Reporter | ||
Comment 35•7 years ago
|
||
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
stupid rb...
Attachment #8843518 -
Flags: review-
Attachment #8843518 -
Flags: feedback?(honzab.moz)
Attachment #8843518 -
Flags: feedback-
Assignee | ||
Comment 36•7 years ago
|
||
mozreview-review-reply |
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
https://reviewboard.mozilla.org/r/117226/#review203370
> a blank line before this line
I'm not clear on this request, I formated as everything else in this file is formatted.
> so, secure upgrade takes precedence over redirectTo, is this according the spec? is this what we want? and is this documented in our (web)idls properly?
They are mutually exclusive in httpchannel. At the webrequest level we'll prefer the upgrade over the redirect.
Comment 37•7 years ago
|
||
mozreview-review-reply |
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
https://reviewboard.mozilla.org/r/117226/#review203370
> They are mutually exclusive in httpchannel. At the webrequest level we'll prefer the upgrade over the redirect.
I think, if it were a matter of simple precedence, I'd prefer the opposite, and have `redirectUrl` take precedence over upgrade, since redirecting to a different URL is the more dramatic change.
That said, the way this is currently implemented, an single listener should only be allowed to specify one of the two, and in the case of multiple listeners, the first one to redirect or cancel the request takes precedence, no matter which method it used to do so.
Which is perhaps not ideal, in this case, since `redirectUpgrade` won't necessarily actually redirect the channel.
Assignee | ||
Comment 38•7 years ago
|
||
(In reply to Honza Bambas (:mayhemer) from comment #34)
> and, that bit (both redirectTo and redirectUpgrade being called on a single
> channel) has to be discussed before landing this.
My intention is that either will throw if the other was called, making them mutually exclusive. It does however, allow one to first upgrade, then on the new channel do a redirect (or visa-verse). You'll see that in the test in the upcoming patch.
Comment hidden (mozreview-request) |
Assignee | ||
Comment 40•7 years ago
|
||
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
Still only requesting f? until we resolve any behavior issues between upgradeToSecure and redirectTo.
In the channel I've made them mutually exclusive, first wins.
In webrequest, if both are returned from the listener, upgrade wins. I'd rather choose secure channel of not.
On item of note is that, you can first upgrade the channel, then on the new channel you can redirect. That is illustrated in the test file.
Attachment #8843518 -
Flags: feedback?(kmaglione+bmo)
Attachment #8843518 -
Flags: feedback?(honzab.moz)
Assignee | ||
Comment 41•7 years ago
|
||
I'd rather choose secure channel *over* not.
Reporter | ||
Comment 42•7 years ago
|
||
(In reply to Shane Caraveo (:mixedpuppy) from comment #36)
> Comment on attachment 8843518 [details]
> Bug 1149250 upgrade to https
>
> https://reviewboard.mozilla.org/r/117226/#review203370
>
> > a blank line before this line
>
> I'm not clear on this request, I formated as everything else in this file is
> formatted.
Sorry, overlook, it's because I didn't have my second coffee by that time :)
>
> > so, secure upgrade takes precedence over redirectTo, is this according the spec? is this what we want? and is this documented in our (web)idls properly?
>
> They are mutually exclusive in httpchannel. At the webrequest level we'll
> prefer the upgrade over the redirect.
so, when I meant to 'discuss' this, I meant to carry this outside this bug. if this is not clearly specified - is there even a spec for this bit or is it firefox/gecko specific? - then it has to be specified SOMEWHERE (SW spec/MDN at least) and before it's written down, it has to be brought to a wider audience, which means web developers and people involved in writing specs.
the outcome may be to invent a yet different api for this.
btw, when I call redirectTo multiple times, what happens?
I personally think redirect is stronger. if it targets a non-secure url, the extension will likely capture the new channel again and instruct it to 'update to HTTPS' using the second method that time, if found desired.
Reporter | ||
Comment 43•7 years ago
|
||
(In reply to Honza Bambas (:mayhemer) from comment #42)
> it has to be brought to a
> wider audience, which means web developers and people involved in writing
> specs.
I mean to give them a chance to review or comment on this this api.
Assignee | ||
Comment 44•7 years ago
|
||
(In reply to Honza Bambas (:mayhemer) from comment #43)
> (In reply to Honza Bambas (:mayhemer) from comment #42)
> > it has to be brought to a
> > wider audience, which means web developers and people involved in writing
> > specs.
>
> I mean to give them a chance to review or comment on this this api.
This is firefox specific so I'm not certain about why we'd need specs on it. To my understanding ChannelWrapper is only available to privileged code, it was written specifically for webextensions performance reasons. It is also only used internally, not exposed to extensions. So the "api" exposed is just an ability to set the flag from WebRequest.onBeforeRequest as illustrated in the test. Kris may have better insight to that.
Assignee | ||
Comment 45•7 years ago
|
||
I can change to having redirectTo have precedence in webrequest, but is that what we want in nsHttpChannel?
Assignee | ||
Comment 46•7 years ago
|
||
(In reply to Honza Bambas (:mayhemer) from comment #42)
> (In reply to Shane Caraveo (:mixedpuppy) from comment #36)
> >
> > > so, secure upgrade takes precedence over redirectTo, is this according the spec? is this what we want? and is this documented in our (web)idls properly?
This is an internal api, not part of any spec.
> btw, when I call redirectTo multiple times, what happens?
Up until the redirect actually happens, the last call wins.
> I personally think redirect is stronger. if it targets a non-secure url,
> the extension will likely capture the new channel again and instruct it to
> 'update to HTTPS' using the second method that time, if found desired.
The last patch I pushed makes them mutually exlusive. If someone calls redirectTo then someone calls upgradeToSecure, the latter call will fail (and visa-verse). This is all internal use, so I feel like it's really about how we prefer these to work. We could always make redirectTo unset the upgrade flag, and have upgradeToSecure always fail if redirectTo was previously called.
Reporter | ||
Comment 47•7 years ago
|
||
I thought the changes to ChannelWrapper.webidl were public. If not, then we just want to come to a consensus from parties effected by each particular change.
ni? me for how httpchannel should behave in necko.
Flags: needinfo?(honzab.moz)
Comment 48•7 years ago
|
||
(In reply to Shane Caraveo (:mixedpuppy) from comment #40)
> Comment on attachment 8843518 [details]
> Bug 1149250 upgrade to https
>
> Still only requesting f? until we resolve any behavior issues between
> upgradeToSecure and redirectTo.
>
> In the channel I've made them mutually exclusive, first wins.
>
> In webrequest, if both are returned from the listener, upgrade wins. I'd
> rather choose secure channel of not.
>
> On item of note is that, you can first upgrade the channel, then on the new
> channel you can redirect. That is illustrated in the test file.
What if multiple listeners return results? If we have a request for "http://example.com/", and one listener returns:
{upgradeToSecure: true}
and another returns:
{redirectUrl: "https://captive-portal.to/"}
arguably we want to redirect to the captive portal, not upgrade to https, even if the listener may get another chance after the redirect. There's also the possibility that the upgrade won't actually take place. The fact that we return from the modification loop at this point means that any subsequent modification attempts will be ignored in the case of a failed upgrade.
(In reply to Honza Bambas (:mayhemer) from comment #47)
> I thought the changes to ChannelWrapper.webidl were public. If not, then we
> just want to come to a consensus from parties effected by each particular
> change.
It's only exposed to chrome-privileged code. It's public in the sense that it should be available to any gecko code that needs fast JS access to channels, but it's currently only used by the WebExtensions framework.
Assignee | ||
Comment 49•7 years ago
|
||
Well, the other option is just let both be set and not worry about any error for that case. If both are set during onBeforeRequest (on-modify) redirectUrl will take precedence and upgradeToSecure would have no effect.
Comment 50•7 years ago
|
||
(In reply to Shane Caraveo (:mixedpuppy) from comment #49)
> Well, the other option is just let both be set and not worry about any error
> for that case. If both are set during onBeforeRequest (on-modify)
> redirectUrl will take precedence and upgradeToSecure would have no effect.
That sounds like the correct approach to me.
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Reporter | ||
Comment 53•7 years ago
|
||
(In reply to Kris Maglione [:kmag] (long backlog; ping on IRC if you're blocked) from comment #50)
> (In reply to Shane Caraveo (:mixedpuppy) from comment #49)
> > Well, the other option is just let both be set and not worry about any error
> > for that case. If both are set during onBeforeRequest (on-modify)
> > redirectUrl will take precedence and upgradeToSecure would have no effect.
>
> That sounds like the correct approach to me.
Yes! I agree. This is how I would prefer it in http channel too. There is no need to throw errors from the setters, just let both set.
Make sure everything is correctly LOG()'ed/ I believe mostly it already is, but please double check your new code paths! That way when something goes wrong we known why.
Thanks.
Flags: needinfo?(honzab.moz)
Assignee | ||
Comment 54•7 years ago
|
||
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
I think the current patch should be fine, so moving to review. Honza for the netwerk channel changes, Kris for the web-ext changes.
Attachment #8843518 -
Flags: review?(kmaglione+bmo)
Attachment #8843518 -
Flags: review?(honzab.moz)
Reporter | ||
Comment 55•7 years ago
|
||
mozreview-review |
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
https://reviewboard.mozilla.org/r/117226/#review207790
::: commit-message-d6ae6:1
(Diff revision 6)
> +Bug 1149250 upgrade to https
defnitely needs an update ;)
Attachment #8843518 -
Flags: review?(honzab.moz) → review+
Assignee | ||
Comment 56•7 years ago
|
||
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
bz for webidl changes
rpl for webextension changes
Attachment #8843518 -
Flags: review?(lgreco)
Attachment #8843518 -
Flags: review?(kmaglione+bmo)
Attachment #8843518 -
Flags: review?(bzbarsky)
Comment hidden (mozreview-request) |
Comment 58•7 years ago
|
||
mozreview-review |
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
https://reviewboard.mozilla.org/r/117226/#review210688
r=me on the webidl bits with the nits below addressed.
::: dom/webidl/ChannelWrapper.webidl:82
(Diff revision 7)
> void redirectTo(URI url);
>
> + /**
> + * Upgrades the wrapped HTTP channel to a secure request. For other channel
> + * types, this method will throw. The redirect is an internal redirect, and
> + * the behavior is the same as nsIHttpChannel.upgradeToSecure. Setting this
Extra space before "behavior"?
::: dom/webidl/ChannelWrapper.webidl:83
(Diff revision 7)
>
> + /**
> + * Upgrades the wrapped HTTP channel to a secure request. For other channel
> + * types, this method will throw. The redirect is an internal redirect, and
> + * the behavior is the same as nsIHttpChannel.upgradeToSecure. Setting this
> + * flag is only effective during or before http-on-modify-request. Setting
Is http-on-modify-request a thing that consumers of this API are expected to deal with? If not, is there a webextension concept we should be using here?
::: netwerk/protocol/http/HttpBaseChannel.cpp:2219
(Diff revision 7)
> +{
> + // We cannot upgrade after OnStartRequest of the listener
> + // has been called, since to redirect we have to switch channels
> + // and the dance with OnStartRequest et al has to start over.
> + // This would break the nsIStreamListener contract.
> + NS_ENSURE_FALSE(mOnStartRequestCalled, NS_ERROR_NOT_AVAILABLE);
This is a much weaker check than "during or before on-modify-request"... In particular, this seems like it would not throw if called during on-examine-response, no? That doesn't seem to be how the API described the behavior...
Attachment #8843518 -
Flags: review?(bzbarsky) → review+
Assignee | ||
Comment 59•7 years ago
|
||
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #58)
> Comment on attachment 8843518 [details]
> ::: dom/webidl/ChannelWrapper.webidl:83
> (Diff revision 7)
> >
> > + /**
> > + * Upgrades the wrapped HTTP channel to a secure request. For other channel
> > + * types, this method will throw. The redirect is an internal redirect, and
> > + * the behavior is the same as nsIHttpChannel.upgradeToSecure. Setting this
> > + * flag is only effective during or before http-on-modify-request. Setting
>
> Is http-on-modify-request a thing that consumers of this API are expected to
> deal with? If not, is there a webextension concept we should be using here?
Removing that terminology from the webidl and placing it into base channel below.
> ::: netwerk/protocol/http/HttpBaseChannel.cpp:2219
> (Diff revision 7)
> > +{
> > + // We cannot upgrade after OnStartRequest of the listener
> > + // has been called, since to redirect we have to switch channels
> > + // and the dance with OnStartRequest et al has to start over.
> > + // This would break the nsIStreamListener contract.
> > + NS_ENSURE_FALSE(mOnStartRequestCalled, NS_ERROR_NOT_AVAILABLE);
>
> This is a much weaker check than "during or before on-modify-request"... In
> particular, this seems like it would not throw if called during
> on-examine-response, no? That doesn't seem to be how the API described the
> behavior...
That was a copy/pase comment, fixed it. It's actually not important to throw here at all, as there is only one place where the flag will have any affect, so this has to be called before or during http-on-modify-request. Setting it afterwards has no side affect like the redirect does.
Comment hidden (mozreview-request) |
Assignee | ||
Comment 61•7 years ago
|
||
Honza, I've removed the mOnStartRequestCalled check, see comment 59. Because this flag will have no effect at a late stage of the request like redirects can, this is unnecessary.
Flags: needinfo?(honzab.moz)
Comment 62•7 years ago
|
||
mozreview-review |
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
https://reviewboard.mozilla.org/r/117226/#review211412
r+ (with some small nits, and a note about improving the errors reported from WebRequest.jsm in followups).
::: dom/webidl/ChannelWrapper.webidl:82
(Diff revision 8)
> void redirectTo(URI url);
>
> + /**
> + * Requests an upgrade of the HTTP channel to a secure request. For other channel
> + * types, this method will throw. The redirect is an internal redirect, and
> + * the behavior is the same as nsIHttpChannel.upgradeToSecure. Setting this
Nit, there are 2 spaces between "the" and "behavior".
::: dom/webidl/ChannelWrapper.webidl:85
(Diff revision 8)
> + * Requests an upgrade of the HTTP channel to a secure request. For other channel
> + * types, this method will throw. The redirect is an internal redirect, and
> + * the behavior is the same as nsIHttpChannel.upgradeToSecure. Setting this
> + * flag is only effective during the WebRequest.onBeforeRequest in
> + * Web Extensions, calling this at any other point during the request will
> + * have no effect. Setting this flag in addition to calling redirectTo
Nit, there are 2 spaces also here (between "." and "Setting").
::: netwerk/protocol/http/nsIHttpChannel.idl:451
(Diff revision 8)
>
> /**
> + * Flags a channel to be upgraded to HTTPS.
> + *
> + * Upgrading to a secure channel must happen before or during
> + * "http-on-modify-request". If redirectTo is called early as well, it
Nit, There are 2 spaces between "." and "If".
::: toolkit/components/extensions/schemas/web_request.json:156
(Diff revision 8)
> "description": "Only used as a response to the onBeforeRequest and onHeadersReceived events. If set, the original request is prevented from being sent/completed and is instead redirected to the given URL. Redirections to non-HTTP schemes such as data: are allowed. Redirects initiated by a redirect action use the original request method for the redirect, with one exception: If the redirect is initiated at the onHeadersReceived stage, then the redirect will be issued using the GET method."
> },
> + "upgradeToSecure": {
> + "type": "boolean",
> + "optional": true,
> + "description": "Only used as a response to the onBeforeRequest event. If set, the original request is prevented from being sent/completed and is instead redirected to a secure request. If this or another extension returns <code>redirectUrl</code> during onBeforeRequest, <code>upgradeToSecure</code> will have no affect."
Nit, how about "is instead upgraded to a secure request" instead of "is instead redirected..."?
::: toolkit/components/extensions/test/mochitest/test_ext_webrequest_upgrade.html:22
(Diff revision 8)
> + let extension = ExtensionTestUtils.loadExtension({
> + manifest: {
> + permissions: [
> + "webRequest",
> + "webRequestBlocking",
> + "<all_urls>",
Nit, it seems that this permission could be restricted to the "mochi.test" urls instead of being <all_urls> (same for line 63).
::: toolkit/components/extensions/test/mochitest/test_ext_webrequest_upgrade.html:27
(Diff revision 8)
> + "<all_urls>",
> + ],
> + },
> + background() {
> + browser.webRequest.onSendHeaders.addListener((details) => {
> + browser.test.log(`onSendHeaders ${details.requestId} ${details.url}`);
Nit, this logged message (and the ones at line 35) are not present in the other test from this file, I guess that they were helpful while working on this patch and we can remove them.
::: toolkit/modules/addons/WebRequest.jsm:823
(Diff revision 8)
> return;
> } catch (e) {
> Cu.reportError(e);
> }
> }
> + if (result.upgradeToSecure && kind === "opening") {
Nit, we could add one empty line between the previous block and the newly added if block.
::: toolkit/modules/addons/WebRequest.jsm:827
(Diff revision 8)
> }
> + if (result.upgradeToSecure && kind === "opening") {
> + try {
> + channel.upgradeToSecure();
> + } catch (e) {
> + Cu.reportError(e);
If I'm not reading it wrong, the errors that we are going to log here are not going to provide enough useful information to help an addon developer to understand which was the request that raised the exception and which was the extension that was trying to upgrade it to a secure channel.
(Nevertheless, it also looks that the errors reported at line 820 have probably the same issue, and so it sounds reasonable to me if we look into improving the errors reported from WebRequest.jsm as a separate follow-up issue).
Attachment #8843518 -
Flags: review?(lgreco) → review+
Comment hidden (mozreview-request) |
Assignee | ||
Comment 64•7 years ago
|
||
mozreview-review-reply |
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
https://reviewboard.mozilla.org/r/117226/#review211412
> If I'm not reading it wrong, the errors that we are going to log here are not going to provide enough useful information to help an addon developer to understand which was the request that raised the exception and which was the extension that was trying to upgrade it to a secure channel.
>
> (Nevertheless, it also looks that the errors reported at line 820 have probably the same issue, and so it sounds reasonable to me if we look into improving the errors reported from WebRequest.jsm as a separate follow-up issue).
Actually, thowing an exception was removed lower level, so I've removed that from this.
Comment hidden (mozreview-request) |
Reporter | ||
Comment 66•7 years ago
|
||
(In reply to Shane Caraveo (:mixedpuppy) from comment #61)
> Honza, I've removed the mOnStartRequestCalled check, see comment 59.
> Because this flag will have no effect at a late stage of the request like
> redirects can, this is unnecessary.
Hmm.. so when you call this too late (so that it won't take effect) the consumer has no chance to know that..
That doesn't seem right to me, we are trying to keep the consumer informed when such "modify the channel behavior" APIs is misused. I think if you just update the idl comments this check could stay, but if you are ok with silently ignoring the action, it's up to you.
Flags: needinfo?(honzab.moz)
Assignee | ||
Comment 67•7 years ago
|
||
(In reply to Honza Bambas (:mayhemer) from comment #66)
> (In reply to Shane Caraveo (:mixedpuppy) from comment #61)
> > Honza, I've removed the mOnStartRequestCalled check, see comment 59.
> > Because this flag will have no effect at a late stage of the request like
> > redirects can, this is unnecessary.
>
> Hmm.. so when you call this too late (so that it won't take effect) the
> consumer has no chance to know that..
>
> That doesn't seem right to me, we are trying to keep the consumer informed
> when such "modify the channel behavior" APIs is misused. I think if you
> just update the idl comments this check could stay, but if you are ok with
> silently ignoring the action, it's up to you.
With that check, it would still be silently ignored if set between the on-modify notification and before the response is started. I think that is less desirable. The only way we can be accurate is to add another flag that is set after the upgrade block in nsHttpChannel::OnBeforeConnect. I'm fine with either a silent ignore or adding the flag.
Flags: needinfo?(honzab.moz)
Comment hidden (mozreview-request) |
Assignee | ||
Comment 69•7 years ago
|
||
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
Honza, asking r? again for the addition of the new flag. I'm added an internal mUpgradeable flag that is set to false where we handle the upgrade. UpgradeToSecure will throw if that is false.
Flags: needinfo?(honzab.moz)
Attachment #8843518 -
Flags: review+ → review?(honzab.moz)
Reporter | ||
Comment 70•7 years ago
|
||
mozreview-review |
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
https://reviewboard.mozilla.org/r/117226/#review212302
r+ with the comments addressed, thanks!
::: netwerk/protocol/http/HttpBaseChannel.h:655
(Diff revisions 10 - 11)
> bool mOnStartRequestCalled;
> bool mOnStopRequestCalled;
>
> + // Defaults to true. This is set to false when it is no longer possible
> + // to upgrade the request.
> + bool mUpgradeable;
make it a bit field please (unless this is accessed on multiple threads, which would need to be atomic or locked) and rename to mUpgradableToSecure
Attachment #8843518 -
Flags: review?(honzab.moz) → review+
Reporter | ||
Comment 71•7 years ago
|
||
mozreview-review |
Comment on attachment 8843518 [details]
Bug 1149250 add support for https upgrades from webextensions,
https://reviewboard.mozilla.org/r/117226/#review212304
::: netwerk/protocol/http/HttpBaseChannel.h:654
(Diff revisions 10 - 11)
> // OnStopRequest more than once.
> bool mOnStartRequestCalled;
> bool mOnStopRequestCalled;
>
> + // Defaults to true. This is set to false when it is no longer possible
> + // to upgrade the request.
in general 'upgrade' alone is too general, always use 'upgrade to secure' (hence, please also update this comment) thanks.
Comment hidden (mozreview-request) |
Comment 73•7 years ago
|
||
Pushed by mixedpuppy@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/8475e73ada98
add support for https upgrades from webextensions, r=bz,mayhemer,rpl
Comment 74•7 years ago
|
||
bugherder |
Status: NEW → RESOLVED
Closed: 8 years ago → 7 years ago
status-firefox59:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Assignee | ||
Updated•7 years ago
|
Keywords: dev-doc-needed
Comment 75•7 years ago
|
||
Retested and reproduced on Windows 10 64Bit, Firefox 59.0a1 (20180103100101) using the steps from https://bugzilla.mozilla.org/show_bug.cgi?id=1149250#c26.
Reopening issue.
Assignee: mixedpuppy → marius.santa
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated•7 years ago
|
Assignee: marius.santa → mixedpuppy
Comment 76•7 years ago
|
||
But does this add-on [1] use "upgradeToSecure"? No?
I have looked at the source of this add-on [1] but it seems that it is not using upgradeToSecure [2]?
[1] https://www.eff.org/files/https-everywhere-test/https-everywhere-2017.7.21.1338-eff.xpi
[2] https://reviewboard.mozilla.org/r/117226/diff/12#15
Flags: needinfo?(marius.santa)
Comment 77•7 years ago
|
||
Please verify that https://www.eff.org/files/https-everywhere-test/https-everywhere-2017.7.21.1338-eff.xpi uses "upgradeToSecure" and if not please provide a webext that does in order to perform manual testing on the issue.
Flags: needinfo?(marius.santa) → needinfo?(mixedpuppy)
Assignee | ||
Updated•7 years ago
|
Status: REOPENED → RESOLVED
Closed: 7 years ago → 7 years ago
Flags: needinfo?(mixedpuppy) → qe-verify-
Resolution: --- → FIXED
Comment 78•7 years ago
|
||
I've added this to https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/BlockingResponse, please let me know if this covers it.
Flags: needinfo?(mixedpuppy)
Assignee | ||
Comment 79•7 years ago
|
||
lgtm
Flags: needinfo?(mixedpuppy)
Keywords: dev-doc-needed → dev-doc-complete
Updated•6 years ago
|
Product: Toolkit → WebExtensions
You need to log in
before you can comment on or make changes to this bug.
Description
•