Closed
Bug 1370617
Opened 7 years ago
Closed 7 years ago
browser provided Authorization header exposed to FetchEvent.request in non-e10s mode
Categories
(Core :: DOM: Service Workers, enhancement)
Core
DOM: Service Workers
Tracking
()
RESOLVED
FIXED
mozilla56
Tracking | Status | |
---|---|---|
firefox56 | --- | fixed |
People
(Reporter: bkelly, Assigned: bkelly)
References
(Blocks 1 open bug)
Details
Attachments
(1 file, 1 obsolete file)
While trying to fix some test failures in fetch-response-taint.https.html I discovered that we incorrectly expose the browser provided Authorization header to FetchEvent.request. We only do this in non-e10s mode, though.
Assignee | ||
Comment 1•7 years ago
|
||
I'm going to solve this the same way I did for other headers in bug 1200337.
Depends on: 1200337
Assignee | ||
Comment 2•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=f2aa469ad58d87f450cba1dc687167165897dec8
Assignee | ||
Comment 3•7 years ago
|
||
It seems extensions and proxies can override the Authorization header. We should still consider these the "browser default" when it comes to exposing things to the service worker, though. I work around this by have SetWWWCredentials() clear the header before setting it again as the default. https://treeherder.mozilla.org/#/jobs?repo=try&revision=4b6387cf405839269d5ace8c0a5588b11fdfc7c3
Attachment #8874930 -
Attachment is obsolete: true
Assignee | ||
Comment 4•7 years ago
|
||
Comment on attachment 8875393 [details] [diff] [review] Set Authorization header using eVarietyRequestDefault to avoid exposing it to service workers. r=mcmanus Patrick, in non-e10s mode we are exposing the browser-provided Authorization header to service worker FetchEvent handlers. This is a problem we had before with other headers in bug 1200337. We solved it there by using a "default" header type and letting the service worker code only expose non-default values. This patch tries to fix the problem by setting the Authorization header as a "default" value. Unfortunately, its a bit trickier in that proxies and extensions can trigger setting the authorization header more than once. This is a problem because the "default" header values have an assert that they are only set once. To work around this issue this patch removes the header before setting it as the default. I think this is valid because anything calling SetWWWCredentials() is effectively the "browser" from content script's perspective. I'm open to other solutions as well, of course. Thanks!
Attachment #8875393 -
Flags: review?(mcmanus)
Comment 5•7 years ago
|
||
Comment on attachment 8875393 [details] [diff] [review] Set Authorization header using eVarietyRequestDefault to avoid exposing it to service workers. r=mcmanus Review of attachment 8875393 [details] [diff] [review]: ----------------------------------------------------------------- I think this is ok, but let's have dragana take a quick look
Attachment #8875393 -
Flags: review?(mcmanus) → review?(dd.mozilla)
Updated•7 years ago
|
Attachment #8875393 -
Flags: review?(dd.mozilla) → review+
Pushed by bkelly@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/7006eaac1b49 Set Authorization header using eVarietyRequestDefault to avoid exposing it to service workers. r=dragana
Comment 7•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/7006eaac1b49
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox56:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
You need to log in
before you can comment on or make changes to this bug.
Description
•