Closed Bug 1467871 Opened 7 years ago Closed 7 years ago

Cannot test hybrid content telemetry on local dev server running on http://localhost

Categories

(Toolkit :: Telemetry, enhancement, P1)

RESOLVED FIXED
mozilla63
Tracking Status
firefox63 --- fixed

People

(Reporter: muffinresearch, Assigned: Dexter)

References

(Blocks 1 open bug)

Attachments

(1 file)

I'm trying to test my patch to add hybrid content telemetry on the disco pane however I'm running on localhost and despite running:

    var hostURI = Services.io.newURI("http://localhost:3000");
    Services.perms.add(hostURI, "hc_telemetry", Services.perms.ALLOW_ACTION);

I see this in the browser console:

    1528483536836 Toolkit.Telemetry WARN HybridContentTelemetryListener::handleEvent - accessing telemetry from an untrusted origin.

canUpload() is also returning false.

Looks like the browser restricts the protocols to https (and about) judging by https://dxr.mozilla.org/mozilla-central/source/toolkit/components/telemetry/hybrid-content/content-HybridContentTelemetry.js#62

I can probably work around this either with a proxy or by patching a local firefox but if nothing else it would be good to update the docs to clarify this is the case.
Blocks: 1416718
Priority: -- → P2
Having patched a firefox build with this:

+++ b/toolkit/components/telemetry/hybrid-content/content-HybridContentTelemetry.js @@ -59,7 +59,7 @@ var HybridContentTelemetryListener = { return true; } - const allowedSchemes = ["https", "about"]; + const allowedSchemes = ["http", "https", "about"]; if (!allowedSchemes.includes(principal.URI.scheme)) { return false; }

and running:

    var hostURI = Services.io.newURI("http://localhost:3000");
    Services.perms.add(hostURI, "hc_telemetry", Services.perms.ALLOW_ACTION);

To test localhost I'm now seeing the following message when calling "canUpload":

"Security wrapper denied access to property "canUpload" on privileged Javascript object. Support for exposing privileged objects to untrusted content via __exposedProps__ has been removed - use WebIDL bindings or Components.utils.cloneInto instead. Note that only the first denied property access from a given global object will be reported."

The console is pointing to this line: https://dxr.mozilla.org/mozilla-central/source/toolkit/components/telemetry/hybrid-content/HybridContentTelemetry-lib.js#53

I don't appear to see this in the unpatched Firefox.

It's unclear to me if this is an issue with the lib or just that adding 'http' to the allowed schemes list wasn't enough?
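Review bot: the new allowedSchemes value ["http", "https", "about"] relaxes the scheme check for every plain-HTTP origin, not only the local development server this bug is about, because the only test applied is allowedSchemes.includes(principal.URI.scheme). If the goal is localhost testing, keep ["https", "about"] as the default and accept "http" only when the principal's host is a loopback name or address, ideally behind a developer pref, so that the scheme gate stays intact for remote origins that hold the hc_telemetry permission.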
Flags: needinfo?(alessio.placitelli)
(In reply to Stuart Colville [:scolville] [:muffinresearch] from comment #1)
> To test localhost I'm now seeing the following message when calling
> "canUpload":
>
> "Security wrapper denied access to property "canUpload" on privileged
> Javascript object. Support for exposing privileged objects to untrusted
> content via __exposedProps__ has been removed - use WebIDL bindings or
> Components.utils.cloneInto instead. Note that only the first denied property
> access from a given global object will be reported."
>
> The console is pointing to this line:
> https://dxr.mozilla.org/mozilla-central/source/toolkit/components/telemetry/hybrid-content/HybridContentTelemetry-lib.js#53

Looks like we're not allowed to expose these properties on HTTP.

> I don't appear to see this in the unpatched Firefox.
>
> It's unclear to me if this is an issue with the lib or just that adding
> 'http' to the allowed schemes list wasn't enough?

Hey Johann! We're looking for a way to simplify the testing of the hybrid content telemetry. However, just adding "http" to the list of allowed schemes produces the error from comment 1. As Stuart said, the error is triggered by [1]. We're basically trying to expose the Telemetry status to content. Can you suggest anything we could do to simplify manual testing (mochitests run just fine) other than using a local HTTPS server?

[1] - https://dxr.mozilla.org/mozilla-central/rev/681eb7dfa324dd50403c382888929ea8b8b11b00/toolkit/components/telemetry/hybrid-content/HybridContentTelemetry-lib.js#53
[2] - https://searchfox.org/mozilla-central/search?q=HybridContentTelemetry%3APolicyChanged&case=false&regexp=false&path=
Flags: needinfo?(alessio.placitelli) → needinfo?(jhofmann)
(In reply to Stuart Colville [:scolville] [:muffinresearch] from comment #1)
> I don't appear to see this in the unpatched Firefox.
>
> It's unclear to me if this is an issue with the lib or just that adding
> 'http' to the allowed schemes list wasn't enough?

Stuart, did you try a local HTTPS server? Are you able to test with that?
Flags: needinfo?(scolville)
(In reply to Alessio Placitelli [:Dexter] from comment #3)
> (In reply to Stuart Colville [:scolville] [:muffinresearch] from comment #1)
> > I don't appear to see this in the unpatched Firefox.
> >
> > It's unclear to me if this is an issue with the lib or just that adding
> > 'http' to the allowed schemes list wasn't enough?
>
> Stuart, did you try a local HTTPS server? Are you able to test with that?

I have just managed to do that and I get the same message as before:

"Security wrapper denied access to property "canUpload" on privileged Javascript object. Support for exposing privileged objects to untrusted content via __exposedProps__ has been removed - use WebIDL bindings or Components.utils.cloneInto instead. Note that only the first denied property access from a given global object will be reported."
Flags: needinfo?(scolville)
Comment 4 was using an unpatched nightly with:

    var hostURI = Services.io.newURI("https://olympia.dev:3000");
    Services.perms.add(hostURI, "hc_telemetry", Services.perms.ALLOW_ACTION);
Assignee: nobody → alessio.placitelli
Priority: P2 → P1
(In reply to Stuart Colville [:scolville] [:muffinresearch] from comment #5)
> Comment 4 was using an unpatched nightly with:
>
> var hostURI = Services.io.newURI("https://olympia.dev:3000");
> Services.perms.add(hostURI, "hc_telemetry", Services.perms.ALLOW_ACTION);

If you go on that website, does Firefox complain about self-signed certificates? Did you add a root certificate authority for your self-signed cert?
Flags: needinfo?(scolville)
(In reply to Alessio Placitelli [:Dexter] from comment #6)
> (In reply to Stuart Colville [:scolville] [:muffinresearch] from comment #5)
> > Comment 4 was using an unpatched nightly with:
> >
> > var hostURI = Services.io.newURI("https://olympia.dev:3000");
> > Services.perms.add(hostURI, "hc_telemetry", Services.perms.ALLOW_ACTION);
>
> If you go on that website, does Firefox complain about self-signed
> certificates? Did you add a root certificate authority for your self-signed
> cert?

I don't have any issue accessing the content. I did this with Charles Web Proxy and the root CA for that is installed.
Flags: needinfo?(scolville)
Depends on: 1472228
The mentioned security wrapper error is indeed due to another bug, see bug 1472228 for a fix. We still need to document the requirement for a local https server for development.
A little late to the party, but that error should indeed be independent of insecure context. As an alternative to whitelisting HTTP schemes or having to do your own local HTTPS server, how about just whitelisting "localhost" (with a pref?)? Or alternatively just add a pref for turning off the trusted origin check (IIUC bypassing this check doesn't really compromise user safety, just allows sending trash telemetry).
Flags: needinfo?(jhofmann)
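The localhost exception suggested in the comment above, sketched as an added example: a stand-alone JavaScript model, not Firefox code and not part of the original thread. It keeps the ["https", "about"] list quoted earlier and admits http only for loopback hosts when a developer switch is set; `isTrustedOrigin`, `isLoopbackHost`, `allowLoopbackHttp` and the permission Set are hypothetical names.

```javascript
// Added example: stand-alone model of a trusted-origin check with a
// loopback-only development exception. Not Firefox code; names are hypothetical.

const ALLOWED_SCHEMES = ["https", "about"]; // default list quoted in the thread

// True only for loopback names/addresses: localhost, *.localhost,
// 127.0.0.0/8 and [::1]. "localhost.evil.example" does not match.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "[::1]") return true;
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255);
}

// permissions: Set of origins, a constructed stand-in for "hc_telemetry"
// permission entries. allowLoopbackHttp: stand-in for a developer pref.
function isTrustedOrigin(urlString, permissions, { allowLoopbackHttp = false } = {}) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input is never trusted
  }
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"
  const schemeOk =
    ALLOWED_SCHEMES.includes(scheme) ||
    (allowLoopbackHttp && scheme === "http" && isLoopbackHost(url.hostname));
  if (!schemeOk) return false;

  // Passing the scheme gate is not sufficient: the exact origin must also
  // hold the permission. Opaque origins (about:) are keyed by full URL.
  const key = url.origin === "null" ? url.href : url.origin;
  return permissions.has(key);
}

// Constructed sample permission entries.
const samplePerms = new Set([
  "http://localhost:3000",
  "https://olympia.dev:3000",
  "http://localhost.evil.example:3000",
]);
```

With the switch off, `http://localhost:3000` is rejected exactly as reported in this bug; with it on, only loopback HTTP origins that also hold the permission pass.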
Stuart, since bug 1472228 landed, would you kindly verify that you're now able to test this locally with the latest Nightly?
Flags: needinfo?(scolville)
(In reply to Alessio Placitelli [:Dexter] from comment #10)
> Stuart, since bug 1472228 landed, would you kindly verify that you're now
> able to test this locally with the latest Nightly?

I can confirm that the error has gone away using the same config as comment 5. However, now I have a new issue - but I'll file a separate issue for that.
Flags: needinfo?(scolville)
Comment on attachment 8990251 [details]
Bug 1467871 - Update HCT docs to mention that HTTPS is required for testing. r?janerik,chutten

Jan-Erik Rediger [:janerik] has approved the revision.

https://phabricator.services.mozilla.com/D1998
Attachment #8990251 - Flags: review+
Comment on attachment 8990251 [details]
Bug 1467871 - Update HCT docs to mention that HTTPS is required for testing. r?janerik,chutten

Chris H-C :chutten has approved the revision.

https://phabricator.services.mozilla.com/D1998
Attachment #8990251 - Flags: review+
Pushed by chutten@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9ce985c92f22
Update HCT docs to mention that HTTPS is required for testing. r=janerik,chutten
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63