Closed Bug 1439390 Opened 6 years ago Closed 5 years ago

"Edit and Resend" DevTools function broken by CSP enforcement

Categories

(DevTools :: Netmonitor, defect, P3)

60 Branch
defect

Tracking

(firefox71 fixed)

RESOLVED FIXED
Firefox 71
Tracking Status
firefox71 --- fixed

People

(Reporter: alvise.rabitti, Assigned: ckerschb)

References

(Blocks 2 open bugs)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180126021812

Steps to reproduce:

1. visit a website enforcing a CSP policy
2. open DevTools > Network panel
3. use the "Edit and Resend" functionality to reload a subresource


Actual results:

Irrespective of the type of the subresource, the resent request will be subject to the default-src directive of the CSP policy. This might unexpectedly prevent the resending.

If the resending is prevented, the DevTools break and, if they are closed, it's not possible to access them anymore from the same browser tab. All the "Edit and Resend" which used to work will not work anymore. Visiting another website in the same tab does not fix the problem.

Please visit the test page available at:
http://www.dsi.unive.it/~rabitti/firefox/
for full details.


Expected results:

The resent request should match the most specific CSP directive available for its content type, e.g., script-src (or no CSP enforcement should happen when requests are resent using the DevTools).

Component: Untriaged → Developer Tools

Looks like the resend function currently makes up the loading info:

https://searchfox.org/mozilla-central/rev/3abf6fa7e2a6d9a7bfb88796141b0f012e68c2db/devtools/server/actors/webconsole.js#1720-1725

It always sets the document as the loading node and type as `OTHER`.  We could either track the correct data and use it when resending so we get the same behavior as the original request, or we could run it as system principal and avoid CSP for resent requests.
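
The effect described in the comment above, as an added example (not Firefox or DevTools code): a simplified CSP check in which the same URL passes when the request is typed as a script but is blocked when the resent request is typed as `OTHER` and falls back to default-src. The policy string, the type table and the function names are constructed for illustration; the test page's real policy is not shown in this bug.

```javascript
// Simplified CSP source matching (added example; not Firefox code).
// Only handles 'none', 'self', '*' and scheme://host sources.

// Constructed policy: scripts may come from the CDN, everything else only from self.
const POLICY = "default-src 'self'; script-src 'self' https://ajax.googleapis.com";

// Request type -> most specific fetch directive. "other" has no directive of its own.
const DIRECTIVE_FOR_TYPE = {
  script: "script-src",
  style: "style-src",
  image: "img-src",
  other: null,
};

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // In CSP the first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function effectiveDirective(directives, type) {
  const specific = DIRECTIVE_FOR_TYPE[type];
  if (specific && directives.has(specific)) return specific;
  return directives.has("default-src") ? "default-src" : null;
}

function isAllowed(policy, pageOrigin, type, url) {
  const directives = parsePolicy(policy);
  const name = effectiveDirective(directives, type);
  if (name === null) return { allowed: true, directive: null }; // nothing governs this load
  const origin = new URL(url).origin;
  // 'none' matches no origin, so it falls through to "not allowed".
  const allowed = directives.get(name).some((src) =>
    src === "*" || (src === "'self'" && origin === pageOrigin) || src === origin);
  return { allowed, directive: name };
}

const PAGE = "http://www.dsi.unive.it";
const JQUERY = "https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js";
console.log(isAllowed(POLICY, PAGE, "script", JQUERY)); // original page load
console.log(isAllowed(POLICY, PAGE, "other", JQUERY));  // resend typed as OTHER
```
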

Component: Developer Tools → Developer Tools: Netmonitor
Product: Firefox → DevTools

Thanks for the report!

I am able to reproduce the issue on my machine (win10).

Here are detailed STR:

0) Open DevTools toolbox, select the Network panel
1) Load http://www.dsi.unive.it/~rabitti/firefox/
2) Right click on jquery.min.js and pick "Edit and Resend"
3) The "Edit and Resend" form should open in a sidebar
4) Click the Send button, the request is not resent -> BUG

The side bar stays open and there is an exception in the Browser console:

sendHTTPRequest: [Exception... "Failed to open input source 'https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js'"  nsresult: "0x805e0006 (<unknown>)"  location: "JS frame :: resource://devtools/shared/base-loader.js -> resource://devtools/server/actors/webconsole.js :: sendHTTPRequest :: line 1793"  data: yes]
Stack: sendHTTPRequest@resource://devtools/shared/base-loader.js -> resource://devtools/server/actors/webconsole.js:1793:5
onPacket@resource://devtools/shared/base-loader.js -> resource://devtools/server/main.js:1709:15
receiveMessage@resource://devtools/shared/base-loader.js -> resource://devtools/shared/transport/transport.js:735:7
MessageListener.receiveMessage*_addListener@resource://devtools/shared/base-loader.js -> resource://devtools/shared/transport/transport.js:709:7
ready@resource://devtools/shared/base-loader.js -> resource://devtools/shared/transport/transport.js:726:7
_onConnection@resource://devtools/shared/base-loader.

Honza
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED

An example of how to get data from the content page (within a mochitest)

Honza

Pushed by nbeleuzu@mozilla.com
https://hg.mozilla.org/integration/autoland/rev/fce687c20a84c21be7c1e5214262de4822911c7b
Add test to ensure 'edit and resend' requests are not blocked by the CSP of the page. r=Honza

Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 71