Closed
Bug 1477696
Opened 7 years ago
Closed 5 years ago
webExtension: webRequest.onHeadersReceived: accidentally overwriting header from other extensions
Categories
(WebExtensions :: Request Handling, defect, P2)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: bugzilla, Unassigned)
References
Details
Attachments
(3 files)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180705213349
Steps to reproduce:
When two webExtensions modify the headers for a request it is possible that an extension overwrites changes that another extension made by accident.
This is a major problem when adding Content-Security-Policy headers.
Real work problem: https://github.com/kkapsner/CanvasBlocker/issues/214
Reproduction scenario:
1. install the three provided extension temporarily
2. open any web page
-> in the browser console you see the headers provided by the two extensions csp-ext1 and csp-ext2 -> the second extension does not see the modifications made by the first one
-> you also see the actual headers -> the CSP and "X-Powered-By" header are only taken from the second extension despite the effort that is made to just append the values.
Actual results:
The extension that is called the second time can accidentally overwrite the modifications of the first extension as it does not see the modifications done by the first one.
Expected results:
The second extension should see the modifications from the first extension to respect the changes.
|
||
Comment 3•7 years ago
|
||
See Bug 1417249
|
||
Updated•7 years ago
|
Flags: needinfo?(mixedpuppy)
Priority: -- → P2
|
||
Comment 5•7 years ago
|
||
tl;dr I need to think about this more, notes below.
CSP specifically allows for multiple headers[1]. Documentation states extensions can see one-anothers modifications[2] which is no longer true (it was at one point). It is easy to reproduce the problem with a single extension (I've modified the contributed extensions into one, will attach). By our current design, the WebRequest api makes all the api calls into extensions prior to applying any changes, thus one handler will not see changes made by another handler. We also cache the headers and make a copy of that cache for each call to an extension listener. This is a fairly large change in behavior from Chrome (assuming Chrome works as documented), but changing it would probably cause performance issues.
I think the primary problem is that headers that can have more than one, such as CSP, do not work that way. Secondary is that an extension cannot examine CSP set by another extension in order to potentially adjust CSP. A potentially larger issue is that we may be stepping on headers in some unintentional way, which I need to look at more.
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
[2] https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/onHeadersReceived
Flags: needinfo?(mixedpuppy)
Related is also https://bugzilla.mozilla.org/show_bug.cgi?id=1421725
See also:
https://bugzilla.mozilla.org/show_bug.cgi?id=1462989
Headers will not be merged if not present in original response.
The main issue with the CSP headers is solved with https://bugzilla.mozilla.org/show_bug.cgi?id=1462989. So for me this bug can be closed.
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•