Open
Bug 1310493
Opened 8 years ago
Updated 2 years ago
Add TYPE_PREFETCH constant to nsIContentPolicyBase
Categories
(Core :: DOM: Core & HTML, defect, P3)
Core
DOM: Core & HTML
Tracking
()
NEW
People
(Reporter: jsnajdr, Unassigned)
References
(Blocks 2 open bugs)
Details
Attachments
(1 file)
Add TYPE_PREFETCH constant to nsIContentPolicyBase. Needed for bug 1306004, will be used at two places:
- when NetworkPredictor decides to prefetch a resource and creates a new HttpChannel for it
- when a <link type="prefetch"> is being fetched
Now, both requests will have TYPE_OTHER. The goal is to have the prefetch requests marked as such in devtools netmonitor.
Open questions:
- should there be internal sub-values like TYPE_INTERNAL_PREFETCH_PREDICTOR and TYPE_INTERNAL_PREFETCH_LINK? I think they're not needed
- what value to assign to TYPE_PREFETCH? The first available one, after all the TYPE_INTERNAL_*? Right now, it would be 42 :)
|
||
Comment 1•8 years ago
|
||
Hi Jarda, is this something needed or planned for the next release or months (P2) or more a nice-to-have backlog(P3)? I guess the former, but would like to confirm with you.
Flags: needinfo?(jsnajdr)
Priority: -- → P2
|
Reporter | |
Comment 2•8 years ago
|
||
(In reply to Hsin-Yi Tsai [:hsinyi] from comment #1)
> Hi Jarda, is this something needed or planned for the next release or months
> (P2) or more a nice-to-have backlog(P3)? I guess the former, but would like
> to confirm with you.
I'd like to have it implemented in a timeframe of several weeks at most. I plan to submit a patch myself - I'm only wondering who would be an appropriate reviewer?
Flags: needinfo?(jsnajdr)
|
|
||
Comment 3•8 years ago
|
||
(In reply to Jarda Snajdr [:jsnajdr] from comment #2)
> (In reply to Hsin-Yi Tsai [:hsinyi] from comment #1)
> > Hi Jarda, is this something needed or planned for the next release or months
> > (P2) or more a nice-to-have backlog(P3)? I guess the former, but would like
> > to confirm with you.
>
> I'd like to have it implemented in a timeframe of several weeks at most. I
> plan to submit a patch myself - I'm only wondering who would be an
> appropriate reviewer?
Hi Tanvi and Christoph, you've reviewed several recent changes on nsIContentPolicyBase::TYPE_*. I am wondering if you are the right people to ask for review. If not, do you happen to know who could help Jarda with review here? Thank you!
Flags: needinfo?(tanvi)
Flags: needinfo?(ckerschb)
|
||
Comment 4•8 years ago
|
||
(In reply to Hsin-Yi Tsai [:hsinyi] from comment #3)
> Hi Tanvi and Christoph, you've reviewed several recent changes on
> nsIContentPolicyBase::TYPE_*. I am wondering if you are the right people to
> ask for review. If not, do you happen to know who could help Jarda with
> review here? Thank you!
We are the right people to ask :-) I would be curious to see the code changes for this bug. Generally I am OK with adding TYPE_PREFETCH, which might also be desired for other bugs, e.g. [1]. Looking at the description of this bug though, I am not entirely sure if we can also use TYPE_PREFETCH for prefetches inititaed by the NetworkPredictor. Anyway, once you have a patch ready, flag us for needinfo and we can take it from there.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1242902#c14
Flags: needinfo?(ckerschb)
| Comment hidden (mozreview-request) |
|
|
Reporter | |
Updated•8 years ago
|
Attachment #8803880 -
Flags: feedback?(ckerschb)
|
|
Reporter | |
Comment 6•8 years ago
|
||
Attached a patch that does the following:
1. Adds TYPE_PREFETCH to nsIContentPolicy
2. Does the necessary dependent changes:
- updates NS_CP_ContentTypeName
- updates static assert at dom/cache/DBSchema.cpp
- updates MapContentPolicyTypeToRequestContext in dom/fetch/InternalRequest
- updates dom/security/nsContentSecurityManager and nsMixedContentBlocker
- updates kTypeString array in extensions/permissions/nsContentBlocker
Questions:
- is the change in extensions/permissions/nsContentBlocker necessary? I'm not sure
- I found out that I need to update dom/security/nsContentSecurityManager and nsMixedContentBlocker only after debug version started crashing on MOZ_ASSERT. Are there any other places like this?
3. Passes TYPE_PREFETCH instead of TYPE_OTHER to channel constructor in netwerk/base/Predictor.cpp and uriloader/prefetch/nsPrefetchService.cpp.
4. Updates Netmonitor in devtools to show "prefetch" as tge cause of TYPE_PREFETCH requests.
|
|
||
Comment 7•8 years ago
|
||
Comment on attachment 8803880 [details]
Bug 1310493 - Add TYPE_PREFETCH constant to nsIContentPolicyBase
(In reply to Jarda Snajdr [:jsnajdr] from comment #6)
> Attached a patch that does the following:
Thanks for providing the description in addition to the patch. That all looks pretty good to me.
> Questions:
> - is the change in extensions/permissions/nsContentBlocker necessary?
I am not certain whether we necessarily need those changes, but I would rather lean towards yes than no.
> - I found out that I need to update dom/security/nsContentSecurityManager
> and nsMixedContentBlocker only after debug version started crashing on
> MOZ_ASSERT. Are there any other places like this?
Browsing through the code I found [1]. TYPE_PREFETCH should also be governed by default-src (at least for now because prefetch requests of TYPE_OTHER would also fall into that directive).
Moving forward I would suggest that we get a network peer to have a quick look at it (probably Nicholas Hurley). I can sign off on the security implications of this change. The only thing left would be the changes witin: extensions/permissions/nsContentBlocker.cpp. I don't know who could help us with that to be honest.
[1] https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPUtils.cpp#251
Attachment #8803880 -
Flags: feedback?(ckerschb) → feedback+
|
||
Comment 8•8 years ago
|
||
| mozreview-review | ||
Comment on attachment 8803880 [details]
Bug 1310493 - Add TYPE_PREFETCH constant to nsIContentPolicyBase
https://reviewboard.mozilla.org/r/88086/#review89452
::: dom/security/nsMixedContentBlocker.cpp:476
(Diff revision 1)
> // TYPE_XMLHTTPREQUEST: XHR requires either same origin or CORS, so most
> // mixed-content XHR will already be blocked by that check. This will also
> // block HTTPS-to-HTTP XHR with CORS. The same security concerns mentioned
> // above for WebSockets apply to XHR, and XHR should have the same security
> // properties as WebSockets w.r.t. mixed content. XHR's handling of redirects
> // amplifies these concerns.
Please add a comment for TYPE_PREFETCH here.
|
|
||
Updated•8 years ago
|
Flags: needinfo?(tanvi)
|
||
Comment 9•6 years ago
|
||
Moving to p3 because no activity for at least 1 year(s).
See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
|
Assignee | |
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•