webExtension: webRequest.onHeadersReceived: accidentally overwriting header from other extensions

UNCONFIRMED
Unassigned

Status

defect
P2
normal
UNCONFIRMED
Last year
2 months ago

People

(Reporter: bugzilla, Unassigned)

Tracking

61 Branch

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments)

Posted file csp-ext1-1.0.zip
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180705213349

Steps to reproduce:

When two webExtensions modify the headers for a request it is possible that an extension overwrites changes that another extension made by accident.
This is a major problem when adding Content-Security-Policy headers.

Real world problem: https://github.com/kkapsner/CanvasBlocker/issues/214

Reproduction scenario:
1. install the three provided extensions temporarily
2. open any web page
-> in the browser console you see the headers provided by the two extensions csp-ext1 and csp-ext2 -> the second extension does not see the modifications made by the first one
-> you also see the actual headers -> the CSP and "X-Powered-By" header are only taken from the second extension despite the effort that is made to just append the values.


Actual results:

The extension that is called the second time can accidentally overwrite the modifications of the first extension as it does not see the modifications done by the first one.


Expected results:

The second extension should see the modifications from the first extension to respect the changes.
Posted file csp-ext2-1.0.zip
Flags: needinfo?(mixedpuppy)
Priority: -- → P2
Duplicate of this bug: 1417249
tl;dr I need to think about this more, notes below.

CSP specifically allows for multiple headers[1].  Documentation states extensions can see one another's modifications[2] which is no longer true (it was at one point).  It is easy to reproduce the problem with a single extension (I've modified the contributed extensions into one, will attach).  By our current design, the WebRequest API makes all the API calls into extensions prior to applying any changes, thus one handler will not see changes made by another handler.  We also cache the headers and make a copy of that cache for each call to an extension listener.  This is a fairly large change in behavior from Chrome (assuming Chrome works as documented), but changing it would probably cause performance issues.

I think the primary problem is that headers that can have more than one, such as CSP, do not work that way.  Secondary is that an extension cannot examine CSP set by another extension in order to potentially adjust CSP.  A potentially larger issue is that we may be stepping on headers in some unintentional way, which I need to look at more.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
[2] https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/onHeadersReceived
Flags: needinfo?(mixedpuppy)
See also:
https://bugzilla.mozilla.org/show_bug.cgi?id=1462989

Headers will not be merged if not present in original response.
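
The following is an added example, not part of the bug thread and not Firefox code: a simplified model of the dispatch described above, comparing the reported behaviour (each listener gets a copy of the original headers, last result wins), the behaviour the reporter expects (listeners chained), and a merge of CSP headers across listener results. All function names, policies and the sample response are constructed for illustration.

```javascript
// Simplified model of the dispatch described in this bug; not Firefox code.
// All function names and header values below are constructed for illustration.
const CSP = "content-security-policy";
const original = [{ name: "Content-Type", value: "text/html" }]; // constructed response

const copy = (headers) => headers.map((h) => ({ ...h }));
const valuesOf = (headers, name) =>
  headers.filter((h) => h.name.toLowerCase() === name).map((h) => h.value);

// A listener that appends its own CSP header and returns the full header list,
// as an onHeadersReceived listener does via { responseHeaders }.
const addCsp = (policy) => (headers) => {
  headers.push({ name: "Content-Security-Policy", value: policy });
  return headers;
};
const ext1 = addCsp("script-src 'self'");
const ext2 = addCsp("object-src 'none'");

// Reported behaviour: every listener gets a copy of the original headers and
// the results are applied afterwards, so the last result replaces the others.
function dispatchSnapshot(orig, listeners) {
  const results = listeners.map((fn) => fn(copy(orig)));
  return results.length ? results[results.length - 1] : copy(orig);
}

// Expected behaviour in the report: each listener sees the previous one's output.
function dispatchChained(orig, listeners) {
  return listeners.reduce((headers, fn) => fn(copy(headers)), copy(orig));
}

// Alternative that keeps snapshot dispatch but merges CSP, which may appear
// in several headers: every distinct policy returned by any listener is kept.
function dispatchSnapshotMerged(orig, listeners) {
  const results = listeners.length ? listeners.map((fn) => fn(copy(orig))) : [copy(orig)];
  const merged = results[results.length - 1].filter((h) => h.name.toLowerCase() !== CSP);
  const seen = new Set();
  for (const value of results.flatMap((r) => valuesOf(r, CSP))) {
    if (!seen.has(value)) {
      seen.add(value);
      merged.push({ name: "Content-Security-Policy", value });
    }
  }
  return merged;
}

// Returns the CSP policies the page would finally receive under a given model.
const cspAfter = (dispatch) => valuesOf(dispatch(original, [ext1, ext2]), CSP);

for (const d of [dispatchSnapshot, dispatchChained, dispatchSnapshotMerged])
  console.log(d.name, cspAfter(d));
```

Under the snapshot model the first extension's policy is silently dropped, which is the security-relevant outcome: a restriction the user installed is not enforced and neither extension can detect it from inside its own listener.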