Enable network.http.sendOriginHeader by default
Categories
(Core :: DOM: Security, enhancement, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox70 | --- | fixed |
People
(Reporter: francois, Assigned: CuveeHsu)
References
(Depends on 1 open bug, Blocks 4 open bugs)
Details
(Whiteboard: [domsecurity-backlog3])
Attachments
(4 files)
There is some work to be done before we can enable network.http.sendOriginHeader by default. See https://public.etherpad-mozilla.org/p/bug446344 for the current list.
|
||
Updated•6 years ago
|
|
Reporter | |
Updated•6 years ago
|
|
||
Comment 1•6 years ago
|
||
Snapshot of the etherpad on 2018-05-03 Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=446344 WIP patch: https://hg.mozilla.org/users/fmarier_mozilla.com/mozilla-unified/rev/origin-header-446344 Implementation Should the Origin header be set in AsyncOpen2(), like the Referer header, instead of BeginConnect()? https://searchfox.org/mozilla-central/source/netwerk/protocol/http/HttpChannelParent.cpp#398 Should redirected requests contain the first URI or the last one as the "referring" origin? this only affects 307/308 since 302s get turned into GET when redirected https://github.com/whatwg/fetch/issues/593 Honour network.http.referer.hideOnionSource (or file follow-up bug). Add the Origin to XHR and fetch() requests (or file follow-up bug). Add the Origin to websocket requests (or file follow-up bug). Testing The Origin header is not subject to the Referrer trimming/spoofing/suppressing pref The Origin header is not subject to the Referrer Policy. The Origin header is controlled by its own pref. XHR should not be able to overwrite the Origin header. https://searchfox.org/mozilla-central/rev/381a7b8f8a78b481336cfa384cb0a5536e217e4a/dom/xhr/XMLHttpRequestMainThread.cpp#3065 fetch() should not be able to overwrite the Origin header. https://searchfox.org/mozilla-central/rev/381a7b8f8a78b481336cfa384cb0a5536e217e4a/dom/fetch/InternalHeaders.cpp#260 XHR and fetch() should include the header on POST requests. HTTPS to HTTP loads should get an Origin header with a value of "null". That's the Chrome behavior, but the OWASP wiki says it's not supposed to be like that for some reason. https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet#Checking_the_Origin_Header HTTPS to http://127.0.0.1 shouldgam et the full origin since 127.0.0.1 is considered a potentially secure Origin. IDN domains are shown in the header as punnycode. The Origin header should not interfere with CORS. The Origin header should be sent for cached requests too. Requests from a file:/// URI (i.e. not whitelisted) should get an Origin header with a value of "null". Requests from a data: URI (i.e. not whitelisted) should get an Origin header with a value of "null". Tests wyciwyg:// channels (check with Christoph for details) Look into the web platform tests: fetch/api/basic/request-headers.js fetch/api/cors/cors-redirect.js Specification https://tools.ietf.org/html/rfc6454 https://fetch.spec.whatwg.org/#origin-header https://fetch.spec.whatwg.org/#http-network-or-cache-fetch (Step 11) Clarify the relationship between the Referrer Policy and the Origin header. Clarify that HTTPS to HTTP loads won't include the Origin header. Clarify that file URIs should not be included in the Origin header. When should "null" be sent instead of an empty string (or no header at all)? Should the serialization of the origin in the header be UTF-8 or ASCII? Documentation https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin The header can take a "null" value on Chrome. It's not only sent in POST requests but in all non-GET and non-HEAD requests.
|
|
||
Updated•6 years ago
|
|
||
Comment 2•6 years ago
|
||
I assume this is enabled by default on Firefox Nightly? I found another failure: https://github.com/w3c/web-platform-tests/pull/11164. However, that also required a specification change: https://github.com/whatwg/fetch/pull/594. Chrome already passes this. > Should the serialization of the origin in the header be UTF-8 or ASCII? It should be ASCII. Fetch used "utf-8 encode" to get bytes out of a string containing only ASCII code points. I had not defined "isomorphic encode" yet, which makes it clearer it's a much more restricted transform than it might seem when it says UTF-8.
|
|
Reporter | |
Comment 3•6 years ago
|
||
(In reply to Anne (:annevk) from comment #2) > I assume this is enabled by default on Firefox Nightly? It's default OFF everywhere. You need to flip the pref manually if you want to test it out.
|
|
||
Comment 4•6 years ago
|
||
I don't get a different result setting it to 1 (you cannot flip this pref seemingly). And FWIW, the reason I assumed it was enabled on Nightly is that my test uses a "no-cors" fetch and Firefox is including the Origin header. That means Firefox already includes it on fetches beyond those required for "cors"...
|
||
Updated•6 years ago
|
|
Assignee | |
Comment 5•6 years ago
|
||
(In reply to Anne (:annevk) from comment #4) > I don't get a different result setting it to 1 (you cannot flip this pref > seemingly). And FWIW, the reason I assumed it was enabled on Nightly is that > my test uses a "no-cors" fetch and Firefox is including the Origin header. > That means Firefox already includes it on fetches beyond those required for > "cors"... Fetch [1] and WebSocket [2] sends Origin Headers before Bug 446344 landed [1] https://searchfox.org/mozilla-central/rev/5612e2c75bfde2f5e9512b5b3ffc952ddb74a6dc/dom/fetch/FetchDriver.cpp#303-312 [2] https://searchfox.org/mozilla-central/rev/d5fc6f3d4746279a7c6fd4f7a98b1bc5d05d6b01/netwerk/protocol/websocket/WebSocketChannel.cpp#2893-2897
|
|
||
Comment 6•6 years ago
|
||
As a potential anti-CSRF tool the proposed Sec-Metadata header might have better properties than trying to use Origin. Contains more contextual information but less specific about the origin so it resolves some of the issues about privacy or having to spoof/redact info. https://mikewest.github.io/sec-metadata/
|
||
Comment 9•5 years ago
|
||
This is a serious web compatibility issue. Should be higher priority.
|
|
Assignee | |
Comment 10•5 years ago
|
||
Plan on next release (68)
|
|
Assignee | |
Comment 12•5 years ago
|
||
Hello :ckerschb,
I see we have a test [1] for not sending Origin header for Beacon
Per [2], I guess it's time to flip the test since Origin header is needed here.
OTOH, Chrome sends the Origin header as well.
What do you think?
[1] https://hg.mozilla.org/mozilla-central/diff/670d4c99c1c7310525a5820e3dfd65569b063e7d/dom/tests/mochitest/beacon/test_beaconOriginHeader.html
[2] https://w3c.github.io/beacon/#sec-processing-model
|
|
Assignee | |
Comment 13•5 years ago
|
||
|
|
Assignee | |
Comment 14•5 years ago
|
||
We'd like to enable the Origin header for all eligible reqeusts, which include POST.
The test should be adjusted.
|
|
Assignee | |
Comment 15•5 years ago
|
||
Now we send the Origin header!
|
|
Assignee | |
Comment 16•5 years ago
|
||
|
|
Assignee | |
Comment 17•5 years ago
|
||
|
|
||
Comment 18•5 years ago
|
||
(In reply to Junior [:junior] from comment #12)
Hello :ckerschb,
I see we have a test [1] for not sendingOriginheader for Beacon
Per [2], I guess it's time to flip the test sinceOriginheader is needed here.
OTOH, Chrome sends theOriginheader as well.What do you think?
Sorry for the lag here - just looking at your phabricator patch
https://phabricator.services.mozilla.com/D33386
|
|
||
Comment 19•5 years ago
|
||
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #18)
Sorry for the lag here - just looking at your phabricator patch
https://phabricator.services.mozilla.com/D33386
FWIW, it seems our implementation of Beacon is outdated in a way that we are still applying CORS even though the spec says not to apply CORS. I filed Bug 1557386 to get the Beacon bits updated. The CORS problem with beacon however is orthogonal to what we are trying to accomplish within this bug, so it's not a blocker but I thought it's wort mentioning it here.
|
|
Assignee | |
Comment 20•5 years ago
|
||
Hello Daniel and Anne,
We suffer from web-compat issues for Origin: headers ([1][2] and many votes in bug 446344)
Here's current status:
(a) we pass current web-platform tests AFAIK, and treeherder is green [3]
(b) we're going to merge a clear spec [4] for "Origin header honors ReferrerPolicy" soon, and the gecko implementation is in nightly now (Bug 1504085)
(c) Bug 1535795 needs some attention. It has effect in all non-cors requests. But I don't think it's a blocker.
(d) New wpt for honoring RP has some failures. We file Bug 1560076 which is about the referrer-policy and Bug 1560079 for a POST fetch from about:blank, which is rare.
Based on these analysis, I'd like to enable network.http.sendOriginHeader to 2 by default.
needinfo? to confirm if I don't miss anything.
If it's good to go, I'll ask :ckerschb to sign off the pref change.
Thanks.
[1] https://webcompat.com/issues/19248
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1272302
[3] https://treeherder.mozilla.org/#/jobs?repo=try&revision=e02c5cc3fcfe17e8a6adfcc6f4be3908146322ad
[4] https://github.com/whatwg/fetch/pull/908
|
|
||
Comment 21•5 years ago
|
||
That seems good to me, I'm a little worried that our tests did not hit bug 1535795. We should add tests for that, but that should not need to block this I think.
|
|
Assignee | |
Comment 22•5 years ago
|
||
(In reply to Anne (:annevk) from comment #21)
That seems good to me, I'm a little worried that our tests did not hit bug 1535795. We should add tests for that, but that should not need to block this I think.
We're going to have one test for bug 1535795, although which is one of the corner case.
https://github.com/web-platform-tests/wpt/pull/14260/files#diff-4ac023be6fea526c56e3c384fe32fa98R5
|
|
||
Comment 23•5 years ago
|
||
I'm concerned that in bug 1504085 we differ between cors and no-cors requests. Why should cors requests continue to leak the Origin if there's a ReferrerPolicy of noreferrer? Sure, it's hard for the site to decide what to do with a null Origin, but those can come up from redirects so the server has to know how to deal with it anyway. I hope we're adding WPT tests for the spec change for both options (and the various ways of getting a cors request because bug 1535795 shows we have multiple paths).
That issue aside (which is a spec issue we should discuss in WASWG) please do set network.http.sendOriginHeader to 2 by default. Don't need to wait for the referrerpolicy issue resolution: it's an improvement either way.
|
|
||
Comment 24•5 years ago
|
||
We have tests for CORS and Referrer Policy in https://github.com/web-platform-tests/wpt/pull/14260 and we have discussed that issue several times, last time at https://github.com/whatwg/fetch/pull/908. It's an explicit choice from the fetcher to use CORS so it seems okay to "leak" in that case. I'd also expect things to break down if we retroactively started applying this there. I suppose I'm okay with revisiting it some more (and we should take into account WebSocket too then).
|
|
Assignee | |
Comment 25•5 years ago
|
||
All patch are r+.
Soft code freeze for Firefox 69 starts. Let's take the next train.
|
|
||
Comment 26•5 years ago
|
||
(In reply to Junior [:junior] from comment #25)
All patch are r+.
Soft code freeze for Firefox 69 starts. Let's take the next train.
Yes, that's a smart decision.
|
|
Assignee | |
Comment 27•5 years ago
|
||
The patch is one month old, so I rebase them and see if treeherder is currently happy.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=d9e7368aabb66824972fff62bb78d33b3268bd6b
|
||
Comment 28•5 years ago
|
||
Pushed by juhsu@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/743605a9b0ac P1 send Origin headers for all eligible requests r=ckerschb https://hg.mozilla.org/integration/autoland/rev/6127a13715c9 P2 adjust Origin header comparison for POST request r=Honza https://hg.mozilla.org/integration/autoland/rev/f567bf2904c9 P3 Enable testing Origin header in wpt r=Ehsan https://hg.mozilla.org/integration/autoland/rev/c6299be2356c P4 Update sendBeacon origin header test r=ckerschb
|
||
Comment 29•5 years ago
|
||
Backed out 4 changesets (bug 1424076) for ESlint failure
Log:
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=255530394&repo=autoland&lineNumber=290
Push with failures:
https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=c6299be2356cc2bb10f3e1e7e6f04ed2004585d3
Backout:
https://hg.mozilla.org/integration/autoland/rev/116e06419550a9de5ba66eab5e77157c68d72d0e
|
|
||
Comment 31•5 years ago
|
||
Pushed by juhsu@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/50fbc0cec01a P1 send Origin headers for all eligible requests r=ckerschb https://hg.mozilla.org/integration/autoland/rev/c002ddb976e9 P2 adjust Origin header comparison for POST request r=Honza https://hg.mozilla.org/integration/autoland/rev/2b4487c6403d P3 Enable testing Origin header in wpt r=Ehsan https://hg.mozilla.org/integration/autoland/rev/67239c7df87c P4 Update sendBeacon origin header test r=ckerschb
|
||
Comment 32•5 years ago
|
||
Backed out 4 changesets (bug 1424076) for mochitests failures in test_iframe_sandbox_navigation.html
Push with failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception%2Crunnable&revision=67239c7df87c120521c11925f7404ff22e8e89b2
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=255557765&repo=autoland&lineNumber=3749
Backout: https://hg.mozilla.org/integration/autoland/rev/91ec3db845b6175e08d91b9318d96504caef6ce6
|
||
Comment 33•5 years ago
|
||
FWIW I think those are my bad (from bug 1218456).
|
|
Assignee | |
Comment 34•5 years ago
|
||
Given comment 33, autoland[1] and try[2] is passed, we might able to land it again.
[1] https://treeherder.mozilla.org/#/jobs?repo=autoland&fromchange=9da065181d29f99ab2ca3a6baea5d1b491e6f931&selectedJob=255563607
[2] https://treeherder.mozilla.org/#/jobs?repo=try&revision=d9e7368aabb66824972fff62bb78d33b3268bd6b&selectedJob=255366275
|
|
Assignee | |
Comment 35•5 years ago
|
||
(In reply to Oana Pop-Rus from comment #32)
Backed out 4 changesets (bug 1424076) for mochitests failures in test_iframe_sandbox_navigation.html
Push with failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception%2Crunnable&revision=67239c7df87c120521c11925f7404ff22e8e89b2
I don't see failure in test_iframe_sandbox_navigation.html with the Push with failure
false alarm?
|
|
||
Comment 36•5 years ago
|
||
Yeah, what happened here was that:
- My patches in bug 1218456 caused a failure on a bogus test, and thus was backed out.
- But a later push had landed that relied on that patch to remove a workaround in a test included from test_iframe_navigation, which was not backed out, and thus caused the timeouts.
I've relanded all that stuff, will reland your patches Junior, sorry for the hassle.
|
|
||
Updated•5 years ago
|
|
|
||
Comment 37•5 years ago
|
||
Yes, I'm sorry wrong backout. I will reland in a minute.
|
|
||
Comment 38•5 years ago
|
||
Pushed by emilio@crisal.io: https://hg.mozilla.org/integration/autoland/rev/51140597ddb7 P1 send Origin headers for all eligible requests r=ckerschb https://hg.mozilla.org/integration/autoland/rev/e85a0177b2f7 P2 adjust Origin header comparison for POST request r=Honza https://hg.mozilla.org/integration/autoland/rev/86406127033a P3 Enable testing Origin header in wpt r=Ehsan https://hg.mozilla.org/integration/autoland/rev/49b44a7f1148 P4 Update sendBeacon origin header test r=ckerschb
|
||
Comment 39•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/51140597ddb7
https://hg.mozilla.org/mozilla-central/rev/e85a0177b2f7
https://hg.mozilla.org/mozilla-central/rev/86406127033a
https://hg.mozilla.org/mozilla-central/rev/49b44a7f1148
Can someone help to check bug 1566295? This patch seems to break evernote web clipboard...
|
||
Updated•5 years ago
|
Description
•