Add a load info flag for same-origin credentials policy

RESOLVED FIXED in Firefox 45

Status

Core
DOM
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: Away for a while, Assigned: sicking)

Tracking

(Depends on: 1 bug, Blocks: 1 bug)

unspecified
mozilla45

Firefox Tracking Flags

(firefox45 fixed)

Details

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
We have a load info flag for cross origin credentials policy and we need something similar for same origin credentials policy as well.
Assignee: nobody → jonas

Comment 1

2 years ago
Note, it would be nice to have this, but I'm ok not blocking v1 for it. We don't get credentials quite right, but it's close enough for the CORS case. As far as I can tell we don't introduce any security issues for existing CORS-enabled APIs.

Updated

2 years ago
Blocks: 1226983
Created attachment 8690660 [details] [diff] [review]
patch to fix
Attachment #8690660 - Flags: review?(mozilla)
(Reporter)

Comment 3

2 years ago
Review ping?
Comment on attachment 8690660 [details] [diff] [review]
patch to fix

Review of attachment 8690660 [details] [diff] [review]:
-----------------------------------------------------------------

Nice changes, r=me

::: dom/security/nsContentSecurityManager.cpp
@@ +426,5 @@
> +  // Handle cookie policies
> +  uint32_t cookiePolicy = loadInfo->GetCookiePolicy();
> +  if (cookiePolicy == nsILoadInfo::SEC_COOKIES_SAME_ORIGIN) {
> +    nsIPrincipal* loadingPrincipal = loadInfo->LoadingPrincipal();
> +  
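
Review bot: In the SEC_COOKIES_SAME_ORIGIN branch, loadingPrincipal is taken straight from loadInfo->LoadingPrincipal() as a raw pointer, and the quoted lines end before any check on it. If a load can reach this branch without a loading principal, the same-origin comparison that follows should fail closed, that is, treat the request as cross-origin and send it without cookies, rather than dereference a null pointer. A short comment naming which URI is compared against this principal would also help the next reader.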

Nit: trailing spaces

::: netwerk/base/nsILoadInfo.idl
@@ +94,5 @@
> +   * equivalent to "SAME_ORIGIN" for SEC_REQUIRE_CORS_DATA_INHERITS mode.
> +   *
> +   * Note that these flags are still subject to the user's cookie policies.
> +   * For example, if the user is blocking 3rd party cookies, those cookies
> +   * will be blocked no matter which of these flags are set.
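
Review bot: The doc comment speaks only of cookies, while the bug asks for a credentials policy and nsCORSListenerProxy keys its behaviour off mWithCredentials. Please state here whether the SEC_COOKIES_* flags govern cookies alone or every credential the channel may attach (HTTP authentication, client certificates), so a caller does not assume a cookie-less load is fully anonymous. The sentence ending 'equivalent to "SAME_ORIGIN" for SEC_REQUIRE_CORS_DATA_INHERITS mode' would also benefit from saying what the default means for the other security modes.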

Maybe we should still keep a bit of information for CORS_WITH_CREDENTIALS, something like, if you want to perform CORS with credentials pass SEC_COOKIES_INCLUDE or something similar.

::: netwerk/protocol/http/nsCORSListenerProxy.cpp
@@ +821,5 @@
>    rv = aChannel->GetOriginalURI(getter_AddRefs(originalURI));
>    NS_ENSURE_SUCCESS(rv, rv);
>  
> +  nsCOMPtr<nsILoadInfo> loadInfo;
> +  aChannel->GetLoadInfo(getter_AddRefs(loadInfo));
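
Review bot: The nsresult from aChannel->GetLoadInfo(getter_AddRefs(loadInfo)) is dropped, whereas the GetOriginalURI call just above goes through NS_ENSURE_SUCCESS. If a channel without load info is an expected case here, say so in a comment and make sure every later use of loadInfo in this function is null-checked; otherwise check the result the same way.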

nit: you could make this a one liner:
nsCOMPtr<nsILoadInfo> loadInfo = aChannel->GetLoadInfo();

@@ +908,5 @@
> +  // Make cookie-less if needed. We don't need to do anything here if the
> +  // channel wasn't opened with AsyncOpen2, since otherwise AsyncOpen2 will
> +  // take care of the cookie policy for us.
> +  if ((!loadInfo || !loadInfo->GetEnforceSecurity()) &&
> +      !mWithCredentials) {
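
Review bot: The comment above the condition reads backwards. It says nothing needs doing "if the channel wasn't opened with AsyncOpen2", yet the check makes the channel cookie-less exactly when loadInfo is missing or GetEnforceSecurity() is false, which is the case the comment associates with AsyncOpen2 not being used. Suggest rewording to "We only need to do this if the channel wasn't opened with AsyncOpen2; otherwise AsyncOpen2 takes care of the cookie policy for us", so a later edit does not invert a check that decides whether credentials go out on a CORS request.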

nit: flip this check and use:
if (!mWithCredentials &&
    (!loadInfo || !loadInfo->GetEnforceSecurity()))
Attachment #8690660 - Flags: review?(mozilla) → review+

Comment 5

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/09d64535bcda
Backed out together with bug 1226909 in https://hg.mozilla.org/integration/mozilla-inbound/rev/e648ed99a3a2 for M(1,2,5) failures on all platforms:

Backout job: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=e648ed99a3a2
Failing job: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=09d64535bcda

Failure example: https://treeherder.mozilla.org/logviewer.html#?job_id=18328115&repo=mozilla-inbound

04:32:02     INFO -  463 INFO TEST-START | dom/base/test/test_XHRDocURI.html
04:32:06     INFO -  564 INFO TEST-UNEXPECTED-FAIL | dom/base/test/test_XHRDocURI.html | wrong url - got "http://mochi.test:8888/tests/dom/base/test/test_XHRDocURI.html", expected "http://example.com/tests/dom/base/test/file_XHRDocURI.xml"
04:32:06     INFO -      SimpleTest.is@SimpleTest/SimpleTest.js:267:5
04:32:06     INFO -      testChromeXMLDocURI@dom/base/test/test_XHRDocURI.html:46:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:428:5
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:418:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:410:7
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:399:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:390:7
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:378:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:367:7
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:355:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:346:7
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:333:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:325:7
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:313:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:304:7
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:291:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:283:7
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:271:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:262:7
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:249:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:238:7
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:235:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:227:7
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:217:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:208:7
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:197:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:189:7
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:179:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:170:7
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:159:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:151:7
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:148:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:140:7
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:130:3
04:32:06     INFO -      runTest/xhr.onreadystatechange@dom/base/test/test_XHRDocURI.html:121:7
04:32:06     INFO -      EventHandlerNonNull*runTest@dom/base/test/test_XHRDocURI.html:110:3
04:32:06     INFO -      startTest/<@dom/base/test/test_XHRDocURI.html:34:5
Flags: needinfo?(jonas)

Comment 7

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/7b9b0ce58fbf
Flags: needinfo?(jonas)

Comment 8

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/7b9b0ce58fbf
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox45: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
Depends on: 1231046