Closed Bug 1194847 Opened 9 years ago Closed 9 years ago

Synthesized responses shouldn't be subject to CORS checks

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla43

Tracking Flags:

Tracking

Status

firefox43

---

fixed

People

(Reporter: jdm, Assigned: ehsan.akhgari)

References

Details

Attachments

(2 files)

Part 1: Make it possible to tell whether the response of a channel has been synthesized; r=michal 9 years ago (no longer active) 5.24 KB, patch	michal : review+	Details \| Diff \| Splinter Review
Part 2: Bypass CORS checks if the response of a channel has been synthesized 9 years ago (no longer active) 1.32 KB, patch	nsm : review+	Details \| Diff \| Splinter Review

Josh Matthews [:jdm]

Reporter

Description

•

9 years ago

<img src="http://cross.origin" crossOrigin="anonymous"> causes nsCORSListenerProxy::CheckRequestApproved to fail if the response doesn't include the Access-Control-Allow-Origin header, for example. If this response is synthesized by a service worker, rather than coming from the network, we should not perform such checks. This is tested by fetch-canvas-tainting.https.html and fails in a trunk build.

Josh Matthews [:jdm]

Reporter

Updated

•

9 years ago

Blocks: 1194848

Josh Matthews [:jdm]

Reporter

Updated

•

9 years ago

Blocks: ServiceWorkers-v1

(no longer active)

Assignee

Updated

•

9 years ago

Assignee: nobody → ehsan

(no longer active)

Assignee

Comment 1

•

9 years ago

Attached patch Part 1: Make it possible to tell whether the response of a channel has been synthesized; r=michal — Details — Splinter Review

(no longer active)

Assignee

Comment 2

•

9 years ago

Attached patch Part 2: Bypass CORS checks if the response of a channel has been synthesized — Details — Splinter Review

Attachment #8649486 - Flags: review?(jonas)

(no longer active)

Assignee

Updated

•

9 years ago

Attachment #8649485 - Flags: review?(michal.novotny)

(no longer active)

Assignee

Comment 3

•

9 years ago

Please note that this will be tested with bug 1194848.

Jonas Sicking (:sicking) No longer reading bugmail consistently

Comment 4

•

9 years ago

Attachment #8649486 - Flags: review?(jonas)

Jonas Sicking (:sicking) No longer reading bugmail consistently

Comment 5

•

9 years ago

Shouldn't a same-origin response get the same treatment? In general it seems to me that the distinction is "readable vs. opaque", not "synthesized vs. loaded from the network".

(no longer active)

Assignee

Comment 6

•

9 years ago

Comment on attachment 8649486 [details] [diff] [review] Part 2: Bypass CORS checks if the response of a channel has been synthesized Nikhil, see comment 5 please.

Attachment #8649486 - Flags: review?(nsm.nikhil)

Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)

Comment 7

•

9 years ago

Comment on attachment 8649486 [details] [diff] [review] Part 2: Bypass CORS checks if the response of a channel has been synthesized Review of attachment 8649486 [details] [diff] [review]: ----------------------------------------------------------------- Also add a note to ::: dom/security/nsCORSListenerProxy.cpp @@ +547,5 @@ > LogBlockedRequest(aRequest, "CORSRequestNotHttp", nullptr); > return NS_ERROR_DOM_BAD_URI; > } > > + nsCOMPtr<nsIHttpChannelInternal> internal = do_QueryInterface(aRequest); Since preflight requests aren't intercepted by SWs, it is ok to return early here and not validate the synthesized response for a correct preflight response (which is done later in this method). Could you add a very important comment to NS_StartCORSPreflight() near the call ForceNoIntercept() cataloging that if we ever change the situation to allow SWs to intercept preflights then the check this patch introduces is not enough. Thanks!

Attachment #8649486 - Flags: review?(nsm.nikhil) → review+

(no longer active)

Assignee

Comment 8

•

9 years ago

(In reply to Nikhil Marathe [:nsm] (please needinfo?) from comment #7) > Since preflight requests aren't intercepted by SWs, it is ok to return early > here and not validate the synthesized response for a correct preflight > response (which is done later in this method). Could you add a very > important comment to NS_StartCORSPreflight() near the call > ForceNoIntercept() cataloging that if we ever change the situation to allow > SWs to intercept preflights then the check this patch introduces is not > enough. Thanks! Good point, will do. I will also add a MOZ_ASSERT(!mIsPreflight) in the body of this condition for additional safety.

(no longer active)

Assignee

Comment 9

•

9 years ago

ping?

(no longer active)

Assignee

Comment 10

•

9 years ago

Comment on attachment 8649485 [details] [diff] [review] Part 1: Make it possible to tell whether the response of a channel has been synthesized; r=michal Patrick, can you please help review this? Thanks!

Attachment #8649485 - Flags: review?(mcmanus)

Michal Novotny [:michal]

Updated

•

9 years ago

Attachment #8649485 - Flags: review?(michal.novotny) → review+

(no longer active)

Assignee

Comment 11

•

9 years ago

Comment on attachment 8649485 [details] [diff] [review] Part 1: Make it possible to tell whether the response of a channel has been synthesized; r=michal Thanks for the review!

Attachment #8649485 - Flags: review?(mcmanus)

Pulsebot

Comment 12

•

9 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/83424672d537 https://hg.mozilla.org/integration/mozilla-inbound/rev/b5988cba3190

Ryan VanderMeulen [:RyanVM]

Comment 13

•

9 years ago

https://hg.mozilla.org/mozilla-central/rev/83424672d537 https://hg.mozilla.org/mozilla-central/rev/b5988cba3190

Status: NEW → RESOLVED

Closed: 9 years ago

status-firefox43: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla43

You need to log in before you can comment on or make changes to this bug.