Allow Accept-Encoding: Brotli on local connections (localhost/127.0.0.1/::1)
Categories
(Core :: Networking: HTTP, defect, P3)
Tracking
()
People
(Reporter: callahad, Assigned: denschub)
References
Details
(Keywords: dev-doc-needed, DevAdvocacy, Whiteboard: [necko-backlog][DevRel:P3])
Attachments
(2 files, 5 obsolete files)
6.66 KB,
patch
|
dragana
:
review+
|
Details | Diff | Splinter Review |
8.42 KB,
patch
|
dragana
:
review+
|
Details | Diff | Splinter Review |
Sending Accept-Encoding with br is currently restricted to secure origins in netwerk/protocol/http/nsHttpHandler.cpp. It would be fantastic if, for testing and development, localhost was exempted from this requirement, in the same way it is for ServiceWorkers in https://dxr.mozilla.org/mozilla-central/source/dom/workers/ServiceWorkerManager.cpp#1415-1419
Comment 1•9 years ago
|
||
That code is moving to a helper in bug 1221365 which could probably be used here.
Comment 2•9 years ago
|
||
when the helper is ready I'm fine with doing this. thanks
Updated•8 years ago
|
Reporter | ||
Updated•8 years ago
|
Updated•8 years ago
|
Updated•8 years ago
|
Updated•8 years ago
|
Comment 3•7 years ago
|
||
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Comment 4•7 years ago
|
||
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Comment 5•5 years ago
|
||
Comment 6•5 years ago
|
||
Comment 7•5 years ago
|
||
Hmm, I don't seem to be able to add dev-doc-needed. Could someone do that for me, please? I think this change, if landed, ought definitely to go in the release notes.
Comment 8•5 years ago
|
||
Comment on attachment 9033701 [details] [diff] [review] 2/2 - enable Brotli on localhost. Review of attachment 9033701 [details] [diff] [review]: ----------------------------------------------------------------- can you also add a comment in modules/libpref/init/all.js next to "network.http.accept-encoding.secure" that this pref is used for http2 and potentially trustworthy url as per nsIContentSecurityManager::isOriginPotentiallyTrustworthy ::: netwerk/protocol/http/HttpBaseChannel.cpp @@ +319,4 @@ > } > } > > +nsresult HttpBaseChannel::IsSecureOrigin(bool *isSecure) { can you change the name of this function to 'IsOriginPotentiallyTrustworthy' and instead of 'isSecure' 'isTrustworthy' I do not want to call it secure, because people may misinterpreted it as http2. @@ +353,4 @@ > // Construct connection info object > nsAutoCString host; > int32_t port = -1; > + bool isSecure = false; can you call this 'isTrustworthy', please. @@ +385,4 @@ > rv = mRequestHead.SetHeader(nsHttp::Host, hostLine); > if (NS_FAILED(rv)) return rv; > > + rv = gHttpHandler->AddStandardRequestHeaders(&mRequestHead, isSecure); in function AddStandardRequestHeaders can you change variable 'isSecure' to be 'isTrustworthy' as well? @@ +1235,4 @@ > break; > } > > + bool isSecure = false; here as well @@ +1239,5 @@ > + > + rv = IsSecureOrigin(&isSecure); > + if (NS_FAILED(rv)) return rv; > + > + if (gHttpHandler->IsAcceptableEncoding(val, isSecure)) { also in function IsAcceptableEncoding
Updated•5 years ago
|
Comment 9•5 years ago
|
||
Rebased. (And also fixed getting the bug number wrong in the commit message, embarrassingly.)
Comment 10•5 years ago
|
||
As suggested, names have been changed to avoid implying security when it's only potential trustworthiness.
Comment 11•5 years ago
|
||
It helps if I actually commit the changes before generating a patch, doesn't it?
Updated•5 years ago
|
Comment 12•5 years ago
|
||
Two questions that've occurred to me since yesterday:
-
If
IsOriginPotentiallyTrustworthy
can't get the principal or the security service, it doesn't setisPotentiallyTrustworthy
at all. Is that the desired behaviour, effectively leaving it up to the caller and expecting them to initialise the variable beforehand? I think I should document that, if so. Alternatively, should it prefer to fail closed? I have no idea under what circumstances those calls can fail. -
This is going to need an intent-to-implement/ship on m.d.platform, right? Would it be appropriate for me to send that, or should that be a Mozilla employee?
Comment 13•5 years ago
|
||
Comment on attachment 9038337 [details] [diff] [review] 1/2 - test accept-encoding behaviour on secure origins Review of attachment 9038337 [details] [diff] [review]: ----------------------------------------------------------------- ::: netwerk/test/mochitests/test_secure_content_encoding.html @@ +14,5 @@ > + > + let response; > + let body; > + > + const SECURE = "Secure headers sent, Brotli encoding used"; can you rename this and also change the comment. there are not secure headers, but rather headers for trustworthy origins.
Comment 14•5 years ago
|
||
Comment on attachment 9038381 [details] [diff] [review] 2/2 - enable Brotli on localhost. Review of attachment 9038381 [details] [diff] [review]: ----------------------------------------------------------------- ::: netwerk/protocol/http/HttpBaseChannel.cpp @@ +326,5 @@ > mFlashPluginState = aState; > } > > +nsresult HttpBaseChannel::IsOriginPotentiallyTrustworthy( > + bool *isPotentiallyTrustworthy) { please set isPotentiallyTrustworthy to false at the beginning og the function. @@ +395,4 @@ > rv = mRequestHead.SetHeader(nsHttp::Host, hostLine); > if (NS_FAILED(rv)) return rv; > > + rv = gHttpHandler->AddStandardRequestHeaders(&mRequestHead, can you also change 'isSecure' to 'isTrustworthy' in the nsHttpHandler::AddStandardRequestHeader function
Comment 15•5 years ago
|
||
(In reply to quasicomputational from comment #12)
Two questions that've occurred to me since yesterday:
- If
IsOriginPotentiallyTrustworthy
can't get the principal or the security service, it doesn't setisPotentiallyTrustworthy
at all. Is that the desired behaviour, effectively leaving it up to the caller and expecting them to initialise the variable beforehand? I think I should document that, if so. Alternatively, should it prefer to fail closed? I have no idea under what circumstances those calls can fail.
we should set it to false at the beginning of IsOriginPotentiallyTrustworthy.
- This is going to need an intent-to-implement/ship on m.d.platform, right? Would it be appropriate for me to send that, or should that be a Mozilla employee?
You can send this as well it does not need to be a Mozilla employee.
Comment 16•5 years ago
|
||
Everything's 'trustworthy' now instead of 'secure', except for the pref name.
Comment 17•5 years ago
|
||
More trustworthification, as well as ensuring the trustworthiness check fails closed instead of fails undefined.
Comment 18•5 years ago
|
||
Comment on attachment 9040956 [details] [diff] [review] 2/2 - enable Brotli on localhost. Review of attachment 9040956 [details] [diff] [review]: ----------------------------------------------------------------- ::: netwerk/protocol/http/HttpBaseChannel.cpp @@ +329,5 @@ > } > > +nsresult HttpBaseChannel::IsOriginPotentiallyTrustworthy( > + bool *isPotentiallyTrustworthy) { > + // Fail closed. What about something like "If cannot get a URIPrincipal we will treated as a not trustworthy origin." ?
Comment 19•5 years ago
|
||
Comment on attachment 9040955 [details] [diff] [review] 1/2 - test accept-encoding behaviour on secure origins Review of attachment 9040955 [details] [diff] [review]: ----------------------------------------------------------------- I have already gave you r+. So if you update a patch that has a r+ you can set r+ by yourself and you do not need to ask for a review again. You should ask for another review when you make significant changes to the patch.
Comment 20•5 years ago
|
||
just got bit by this, is there any update on when this patch to fix brotli support will be merged?
Comment 21•5 years ago
|
||
No, sorry - I don't have the time/patience presently to shepherd it through the process and I don't expect to soon.
I think the patches are in a good state, though! I don't know if they need rebasing now, but if anyone wants to take them up and get them merged, please feel free.
Assignee | ||
Updated•3 years ago
|
Updated•2 years ago
|
Description
•