Closed
Bug 1388289
Opened 7 years ago
Closed 7 years ago
When using a proxy, the details.challenger.host provided to the webRequest.onAuthRequired listener contain the host of the requested URL instead of the proxy hostname
Categories
(WebExtensions :: Request Handling, defect, P3)
Tracking
(firefox57 fixed)
RESOLVED
FIXED
mozilla57
| Tracking | Status | |
|---|---|---|
| firefox57 | --- | fixed |
People
(Reporter: tolean.dj, Assigned: mixedpuppy)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-complete, Whiteboard: [proxy])
Attachments
(1 file)
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36 Steps to reproduce: Context: VPN (proxy) extension. 1. I've registered a proxy using `browser.proxy.registerProxyScript` https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/proxy/register (latest docs changed without notice regarding `registerProxyScript`). 2. My script's FindProxyForURL returns `HTTPS my.proxy.tld:443` 3. I've setup a listener for `webRequest.onAuthRequired` like this: `browser.webRequest.onAuthRequired.addListener(onAuthCallback, { urls: ['<all_urls>'] }, ['blocking']);` In the implementation of `onAuthCallback` I am checking whether the challenger is `my.proxy.tld` in order to prevent credential leak/theft to/by some unknown proxy. Here are the relevant lines in my function: ``` let challengerAllowed = false; try { const host = proxyConfig.rules.singleProxy.host; const hostRegex = host.replace('.', '\\.'); const challengerRegex = new RegExp('^' + hostRegex + '$', 'i'); challengerAllowed = challengerRegex.test(details.challenger.host); } catch (e) { console.log('onAuthCallback error caught:', e.message); } return details.isProxy && challengerAllowed ? { authCredentials: credentials } : {}; ``` 4. Make an ajax call to a `my.connectioncheck.tld` in order to trigger the authentication process. Actual results: challengerAllowed is false because `details.challenger.host` contains `my.connectioncheck.tld` instead of `my.proxy.tld` even though `details.isProxy` si true. Expected results: `details.challenger.host` should be `my.proxy.tld`.
Summary: When using a proxy, the details.challenger.host provided to the webRequest.onAuthRequired listener contain the host of the requested URL instead of the proxy hostname even if the isProxy is true → When using a proxy, the details.challenger.host provided to the webRequest.onAuthRequired listener contain the host of the requested URL instead of the proxy hostname
|
||
Updated•7 years ago
|
Component: Untriaged → WebExtensions: Request Handling
Product: Firefox → Toolkit
|
||
Updated•7 years ago
|
|
||
Comment 1•7 years ago
|
||
> When using a proxy, the details.challenger.host provided to the webRequest.onAuthRequired listener contain the host of the > requested URL instead of the proxy hostname This is the documented behavior and is working as designed. From https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/onAuthRequired#details >Warning: Unlike chrome, Firefox will return the requested host instead of the proxy requesting the authentication, even if isProxy is true.
| Comment hidden (mozreview-request) |
|
Assignee | |
Updated•7 years ago
|
Assignee: nobody → mixedpuppy
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
Assignee | |
Comment 3•7 years ago
|
||
(In reply to Eric Jung [:ericjung] from comment #1) > >Warning: Unlike chrome, Firefox will return the requested host instead of > the proxy requesting the authentication, even if isProxy is true. I don't know why it was documented like that, this is a bug.
Keywords: dev-doc-needed
|
|
Assignee | |
Comment 4•7 years ago
|
||
Comment on attachment 8898589 [details] Bug 1388289 fix challenger info for proxy auth requests, Eric, can you take a look and see if you feel there is any other issue?
Attachment #8898589 -
Flags: feedback?(eric)
(In reply to Shane Caraveo (:mixedpuppy) from comment #3) > I don't know why it was documented like that, this is a bug. The warning in the documentation was added by me, after an hour of frustration on figuring out why the code that works on chrome doesn't work in firefox, and debugging it step by step until finding the culprit. Now I realize this was a bad idea and that at least I've should've mentioned it is actually a bug (not just a warning).
|
|
||
Comment 6•7 years ago
|
||
> Eric, can you take a look and see if you feel there is any other issue?
Looks good. However, for completeness, I would suggest providing the rest of the info in nsIProxyInfo. Otherwise, we'll be back here again someday:
* type (http, https, socks, etc)
* username
* password
* failoverTimeout
proxyDNS (true/false) in the flags variable|
|
Assignee | |
Comment 7•7 years ago
|
||
Is it ok to only have that in onAuthRequired?
Flags: needinfo?(eric)
|
|
||
Comment 8•7 years ago
|
||
> Is it ok to only have that in onAuthRequired?
I don't see why not. What is your concern? Certainly |type| should be there.Flags: needinfo?(eric)
|
|
Assignee | |
Comment 9•7 years ago
|
||
(In reply to Eric Jung [:ericjung] from comment #8) > > Is it ok to only have that in onAuthRequired? > > I don't see why not. What is your concern? Certainly |type| should be there. No concern. It's easy to quickly add it for onAuthRequired, more effort (not sure how much) to add it everywhere. If onAuth is sufficient I'll do it in this patch.
|
|
||
Comment 10•7 years ago
|
||
> If onAuth is sufficient I'll do it in this patch.
It is for this bug. I recall a privacy-related addon that wanted to know if a proxy was used to load a resource (or will be used--can't remember which). That would imply putting this info in webRequest.onBeforeRequest() and/or webRequest.onCompleted(). But that should be a different bug not relevant here.|
|
||
Comment 11•7 years ago
|
||
> I recall a privacy-related addon that wanted to know if a proxy was used to load a resource bug 1373646
|
||
Comment 12•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8898589 [details] Bug 1388289 fix challenger info for proxy auth requests, https://reviewboard.mozilla.org/r/169968/#review178204
Attachment #8898589 -
Flags: review?(kmaglione+bmo) → review+
|
||
Comment 13•7 years ago
|
||
Pushed by mixedpuppy@gmail.com: https://hg.mozilla.org/integration/autoland/rev/5d04b895717f fix challenger info for proxy auth requests, r=kmag
|
||
Comment 14•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/5d04b895717f
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox57:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8898589 -
Flags: feedback?(eric)
|
||
Comment 15•7 years ago
|
||
I've added a note describing this old bug in Firefox: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/webRequest/onAuthRequired#Browser_compatibility. Let me know if you need anything else.
Flags: needinfo?(mixedpuppy)
|
|
Assignee | |
Comment 16•7 years ago
|
||
2. Before version 57, on a proxied connection, the challenger.host property contains the hostname for the requested URL rather than the hostname for the proxy. I think that is sightly incorrect. change: on a proxied connection to: when authenticating to a proxy a proxy server ie. challenger should always be that of the server requesting authentication, but didn't work correctly for proxy authentication.
Flags: needinfo?(mixedpuppy)
|
|
Assignee | |
Updated•7 years ago
|
Flags: needinfo?(wbamberg)
|
|
||
Comment 17•7 years ago
|
||
Thanks Shane, I've updated the note.
Flags: needinfo?(wbamberg)
Keywords: dev-doc-needed → dev-doc-complete
|
||
Comment 18•7 years ago
|
||
Is manual testing required on this bug? If yes, please provide some STR and the proper extension(if required) or set the “qe verify-“ flag. Thanks!
Flags: needinfo?(mixedpuppy)
|
|
Assignee | |
Updated•7 years ago
|
Flags: needinfo?(mixedpuppy) → qe-verify-
|
||
Updated•6 years ago
|
Product: Toolkit → WebExtensions
You need to log in
before you can comment on or make changes to this bug.
Description
•