Open Bug 1149835 Opened 10 years ago Updated 2 years ago

Debugger sends wrong cookies when requesting inline JavaScript source

Categories

(DevTools :: Debugger, defect, P3)

Product:
DevTools
Component:
Debugger
Version:
36 Branch
Platform:
x86
Windows 7
Type:
defect

Tracking

(Not tracked)

People

(Reporter: u535559, Unassigned)

References

(Blocks 2 open bugs)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0 Build ID: 20150320202338 Steps to reproduce: 1. Go to Options > Privacy > History and ensure this setting is set to 'Remember history'. 2. Go to any web resource that requires authorisation (eg. Gmail) and login. 3. Open Developer Tools > Debugger and choose the inline source (ie. the source with the same name as the lowest-level URL path element). 4. Observe that the source retrieved is the same that would be retrieved with correct authentication. 5. Go to Options > Privacy > History and set to 'Never remember history'. Firefox will be required to restart. 6. Go to the same web resource loaded in step 2 and login. 7. (repeat step 3) Open Developer Tools > Debugger and choose the inline source (ie. the source with the same name as the lowest-level URL path element). 8. Observe that the source retrieved is some sort of login page / resource not found page due to different cookies being sent with the request. Actual results: With Options > Privacy > History set to 'Never remember history', it is impossible to step through inline sources of pages that require authentication due to the incorrect session cookie (and other cookies) being sent with the request for source. Expected results: The same session cookie (and other cookies) used to load the page should be sent with any request for JavaScript source.
Severity: normal → minor
Component: Untriaged → Developer Tools: Debugger
Makes me wonder if this is related to Bug 1060732 — that is, should Firefox not show the JavaScript source files as held in RAM, instead of making fresh requests? I am not sure that this problem is specific to privacy, but rather part of a larger issue that the debugger is not attempting to debug the page as displayed. Resolving Bug 1060732 may actually clear this bug as well.
(In reply to Daniel Beardsmore from comment #1) > Makes me wonder if this is related to Bug 1060732 — that is, should Firefox > not show the JavaScript source files as held in RAM, instead of making fresh > requests? > > I am not sure that this problem is specific to privacy, but rather part of a > larger issue that the debugger is not attempting to debug the page as > displayed. Resolving Bug 1060732 may actually clear this bug as well. Yes, I believe it should. This is particularly problematic for websites that don't have an idempotent GET ie. some other side-effect (such as auditing) occurs after re-requesting the same resource. I had a look at 1060732, but I'm a little concerned that that bug has now degenerated from "It's the fact that it re-requests the page that's bad" to "it's the fact that it re-requests a POST as a GET that's bad" in the comments section. Feel free to mark it as a duplicate, but I'm a little uneasy about doing so for this reason.
I am seeing this same issue on firefox 50.1.0 on Fedora 25. Before I read this bug report I was not able to debug javascript on a site I am developing because it would load the login page instead of the page I needed to debug. I assumed because it didn't keep the cookies needed for authentication. Once I changed my privacy setting to "remember history" from custom it now loads the correct page to debug. Note that the custom setting was only used to prevent third party cookies. So it looks like firefox is treating debugger loaded cookies as third party. Note this is a problem for both the builtin debugger and firebug. I found that if I go back to the custom histroy setting and specifically allow an exception for cookies for the specific site I am working on, the correct page gets loaded. So I have a relatively safe work around.
Product: Firefox → DevTools

Honza, is this still relevant?

Flags: needinfo?(odvarko)

It's still relevant for me on macOS Fx 68.0b1 (64-bit).
It even happens when i create and use a new profile.

Thanks for testing.

Blocks: dbg-sources, dbg-source-requests
Flags: needinfo?(odvarko)
Priority: -- → P3
Summary: Developer Tools: JavaScript debugger sends wrong cookies when requesting inline JavaScript source → Debugger sends wrong cookies when requesting inline JavaScript source

I am surprised and disappointed to see this has been given a severity of minor.

I am seeing this same issue regardless of whether or not I have Firefox set to save the search history. This is happening in both the current versions of the standard Firefox browser and the developer edition.

I am not able to use Firefox's debugger for inline JavaScript on any page that relies on cookie authentication. Chrome handles this just fine and has for the entire lifetime of this ticket.

Brian, with the ongoing fixes for sources; is there a related bug that would address this inline script request issue?

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(bhackett1024)

(In reply to :Harald Kirschner :digitarald from comment #9)

Brian, with the ongoing fixes for sources; is there a related bug that would address this inline script request issue?

If the devtools are open when the page is being loaded or reloaded, the correct HTML contents should be shown. There is a bug where this won't work for HTML from iframes, however. I've written a fix for that in bug 1591743, but it needs a review.

In order to show useful sources when the devtools are opened on an existing page, we'll need to fix bug 1582266.

Flags: needinfo?(bhackett1024)
Severity: minor → S3
You need to log in before you can comment on or make changes to this bug.