new Worker() fails with network.http.referer.XOriginPolicy=1 on localhost-like domains and IPs

VERIFIED FIXED in Firefox 65

Status

()

defect
P2
normal
VERIFIED FIXED
Last year
7 months ago

People

(Reporter: bugzilla, Assigned: dragana)

Tracking

60 Branch
mozilla65
Points:
---

Firefox Tracking Flags

(firefox61 wontfix, firefox62 wontfix, firefox63 wontfix, firefox64 wontfix, firefox65 verified)

Details

(Whiteboard: [necko-triaged])

Attachments

(1 attachment)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180621121604

Steps to reproduce:

about:config network.http.referer.XOriginPolicy;1
go to local website at http://domain/
console > new SharedWorker('a.js')
[Exception... "The requested number of domain levels exceeds those present in the host string"  nsresult: "0x804b0050 (NS_ERROR_INSUFFICIENT_DOMAIN_LEVELS)"  location: "JS frame :: debugger eval code :: <TOP_LEVEL> :: line 1"  data: no]
go to local website at http://192.168.1.1
console > new SharedWorker('a.js')
[Exception... "The host string is an IP address" nsresult: "0x804b0051 (NS_ERROR_HOST_IS_IP_ADDRESS)" location: "JS frame :: debugger eval code :: <TOP_LEVEL> :: line 1" data: no]

new Worker() gives same error codes (0x804b0050, 0x804b0051) but with fewer explanation: NetworkError: Failed to load worker script at (nsresult = 0x804b0050)

tested on 62.0b9 and 60.1.0esr


Actual results:

no Workers was created


Expected results:

Workers were created
Build ID:  20180813100104
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0

The exception is only displayed when accessing "http://192.168.1.1" and creating a new SharedWorker, the exception isn't displayed when accessing "http://domain/". 
I trying to reproduce this issue on the Firefox Nightly 63.0a1, Firefox 62.0b16 and on Firefox 61.0.2 on Windows 10 x64, Ubuntu 17.04 x64 and on Mac OS X 10.12.
Status: UNCONFIRMED → NEW
Component: Untriaged → Networking
Ever confirmed: true
Product: Firefox → Core
I'm not sure how the referer pref affects workers.
Olli, can you take a look? Or point me to the right direction? :)
Flags: needinfo?(bugs)
I'm not familiar with that pref at all.

asuth might know better about worker side.
Flags: needinfo?(bugs) → needinfo?(bugmail)
Assignee: nobody → dd.mozilla
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [necko-triaged]
Keywords: checkin-needed
Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a9127ac945bd
When getting eTLD+1 fails, check if uri is an ip literal or localhost. r=asuth
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/a9127ac945bd
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Flags: qe-verify+

I have reproduced this bug using an affected Nightly build from 2018-08-08, and by following the STR from comment 0.

I can confirm that workers are properly created and no exception error is thrown in the console when accessing http://192.168.1.1, or a local .html page via python -m SimpleHTTPServer. Tested on 65.0 RC (20190121133710) under Windows 10 x64, macOS 10.13 and Ubuntu 16.04 x86.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.