"Edit and Resend" DevTools function broken by CSP enforcement

NEW
Unassigned

Status

defect
P3
normal
a year ago
11 months ago

People

(Reporter: alvise.rabitti, Unassigned)

Tracking

(Blocks 1 bug)

60 Branch

Firefox Tracking Flags

(Not tracked)


Reporter

Description

a year ago
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180126021812

Steps to reproduce:

1. Visit a website enforcing a CSP policy
2. Open DevTools > Network panel
3. Use the "Edit and Resend" functionality to reload a subresource


Actual results:

Irrespective of the type of the subresource, the resent request will be subject to the default-src directive of the CSP policy. This might unexpectedly prevent the resending.

If the resending is prevented, the DevTools break and, if they are closed, it's not possible to access them anymore from the same browser tab. All the "Edit and Resend" which used to work will not work anymore. Visiting another website in the same tab does not fix the problem.

Please visit the test page available at http://www.dsi.unive.it/~rabitti/firefox/ for full details.


Expected results:

The resent request should match the most specific CSP directive available for its content type, e.g., script-src (or no CSP enforcement should happen when requests are resent using the DevTools).

Updated

a year ago
Component: Untriaged → Developer Tools
Looks like the resend function currently makes up the loading info:

https://searchfox.org/mozilla-central/rev/3abf6fa7e2a6d9a7bfb88796141b0f012e68c2db/devtools/server/actors/webconsole.js#1720-1725

It always sets the document as the loading node and type as `OTHER`. We could either track the correct data and use it when resending so we get the same behavior as the original request, or we could run it as system principal and avoid CSP for resent requests.
Component: Developer Tools → Developer Tools: Netmonitor
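
The directive selection discussed in the comment above, as a simplified model added for illustration (not Firefox code and not written by anyone on this bug): the same URL is checked once with its real content type and once as `other`. The policy string, content-type names and function names are assumptions; the test page's actual policy is not shown in this report.

```javascript
// Simplified model of CSP directive selection; not Firefox's implementation.
// Content-type names and the policy below are constructed for illustration.
const DIRECTIVE_FOR_TYPE = {
  script: "script-src",
  stylesheet: "style-src",
  image: "img-src",
  // "other" has no dedicated directive, so only default-src can apply.
};

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources); // first occurrence wins
    }
  }
  return policy;
}

function sourceMatches(source, url, selfOrigin) {
  if (source === "*") return true;
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === selfOrigin;
  try {
    return new URL(source).origin === url.origin; // scheme+host sources only
  } catch {
    return false; // other keywords, nonces and wildcards are not modelled
  }
}

function checkRequest(policy, contentType, requestUrl, selfOrigin) {
  const specific = DIRECTIVE_FOR_TYPE[contentType];
  const directive = specific && policy.has(specific) ? specific
    : policy.has("default-src") ? "default-src" : null;
  if (directive === null) return { directive, allowed: true };
  const url = new URL(requestUrl);
  const allowed = policy.get(directive)
    .some((s) => sourceMatches(s, url, selfOrigin));
  return { directive, allowed };
}

const policy = parsePolicy(
  "default-src 'self'; script-src 'self' https://ajax.googleapis.com");
const jquery = "https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js";
const page = "http://www.dsi.unive.it";
console.log(checkRequest(policy, "script", jquery, page)); // original load
console.log(checkRequest(policy, "other", jquery, page));  // resent request
```

Under this constructed policy the original script load is evaluated against script-src and allowed, while the identical URL typed as `other` is evaluated against default-src and blocked.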

Updated

a year ago
Product: Firefox → DevTools
Thanks for the report!

I am able to reproduce the issue on my machine (win10).

Here are detailed STR:

0) Open DevTools toolbox, select the Network panel
1) Load http://www.dsi.unive.it/~rabitti/firefox/
2) Right click on jquery.min.js and pick "Edit and Resend"
3) The "Edit and Resend" form should open in a sidebar
4) Click the Send button, the request is not resent -> BUG

The sidebar stays open and there is an exception in the Browser console:

sendHTTPRequest: [Exception... "Failed to open input source 'https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js'"  nsresult: "0x805e0006 (<unknown>)"  location: "JS frame :: resource://devtools/shared/base-loader.js -> resource://devtools/server/actors/webconsole.js :: sendHTTPRequest :: line 1793"  data: yes]
Stack: sendHTTPRequest@resource://devtools/shared/base-loader.js -> resource://devtools/server/actors/webconsole.js:1793:5
onPacket@resource://devtools/shared/base-loader.js -> resource://devtools/server/main.js:1709:15
receiveMessage@resource://devtools/shared/base-loader.js -> resource://devtools/shared/transport/transport.js:735:7
MessageListener.receiveMessage*_addListener@resource://devtools/shared/base-loader.js -> resource://devtools/shared/transport/transport.js:709:7
ready@resource://devtools/shared/base-loader.js -> resource://devtools/shared/transport/transport.js:726:7
_onConnection@resource://devtools/shared/base-loader.

Honza
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3