Open
Bug 1514396
Opened 5 years ago
Updated 3 years ago
[Mixed Content] Firefox only web platform test failures
Categories
(Core :: DOM: Security, defect, P3)
Core
DOM: Security
Tracking
()
NEW
People
(Reporter: automatedtester, Unassigned)
References
(Depends on 1 open bug)
Details
(Keywords: parity-chrome, parity-safari, Whiteboard: [domsecurity-backlog1])
Attachments
(1 file)
The following tests are only failing in Firefox as documented in https://foolip.github.io/ad-hoc-wpt-results-analysis/firefox-lone-failures.html /mixed-content/classic-data-worker-fetch/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html /mixed-content/classic-data-worker-fetch/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html /mixed-content/classic-data-worker-fetch/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html /mixed-content/classic-data-worker-fetch/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html /mixed-content/classic-data-worker-fetch/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html /mixed-content/classic-data-worker-fetch/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html /mixed-content/classic-data-worker-fetch/meta-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html /mixed-content/classic-data-worker-fetch/meta-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html /mixed-content/classic-data-worker-fetch/no-opt-in/cross-origin-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html /mixed-content/classic-data-worker-fetch/no-opt-in/cross-origin-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html /mixed-content/classic-data-worker-fetch/no-opt-in/cross-origin-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html /mixed-content/classic-data-worker-fetch/no-opt-in/same-host-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html /mixed-content/classic-data-worker-fetch/no-opt-in/same-host-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html /mixed-content/classic-data-worker-fetch/no-opt-in/same-host-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
|
||
Comment 2•5 years ago
|
||
|
|
||
Updated•5 years ago
|
Whiteboard: [domsecurity-active]
|
|
||
Updated•5 years ago
|
Depends on: MixedContentBlocker
Pushed by jkingston@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9fedba33cfa3 Only pass the mixedContentBlocker codebase principals for aRequestingLocation. r=ckerschb
|
||
Comment 4•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox66:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
|
||
Comment 5•5 years ago
|
||
Backed out changeset 9fedba33cfa3 (Bug 1514396) for causing regression Bug 1521239, requested by jkt. CLOSED TREE
Status: RESOLVED → REOPENED
status-firefox66:
fixed → ---
Resolution: FIXED → ---
Target Milestone: mozilla66 → ---
|
|
||
Updated•5 years ago
|
Flags: needinfo?(jkt)
|
Reporter | |
Updated•5 years ago
|
Keywords: parity-chrome,
parity-safari
|
||
Updated•5 years ago
|
Priority: -- → P3
|
|
||
Comment 6•4 years ago
|
||
Passing this back to you :ckerschb sorry.
Assignee: jonathan → nobody
Flags: needinfo?(jonathan) → needinfo?(ckerschb)
Whiteboard: [domsecurity-active]
|
|
||
Comment 7•4 years ago
|
||
I'll take a look - thanks.
Assignee: nobody → ckerschb
Severity: normal → S3
Flags: needinfo?(ckerschb)
Priority: P3 → P2
Whiteboard: [domsecurity-active]
|
||
Comment 8•4 years ago
•
|
||
In the last week, I looked more closely into the bug (with some help by Frederik)
What We Already Know:
- The mixed-content/gen/worker-classic-data.http-rp/opt-in/fetch.https.html Web Platform Tests work like this:
- The test suite is loaded as an HTML document (https origin)
- All these test cases start from a worker web worker (security context: worker) with a data URL.
- Test cases make a variety of outbound requests to various combinations of same or swapped schemes (including redirect chains that end up keeping/swapping the chain or intermingling non-HTTPS schemes).
- Every test that involves an non-HTTPS scheme should be blocked.
- Looking at all test cases and results systematically, we conclude this is not happening.
- Because the worker is loaded from a data URI, all requests have a NullPrincipal as loadingPrincipal. The mixed content blocker exits early, as the principal’s scheme is not HTTPS.
- The NullPrincipal and the LoadInfo object do not easily allow us to reach through to the originating document, where we could check for HTTPS instead.
- Main reason for bug: Currently the request is allowed as the request comes from a data-URI and is targeting an http endpoint -> “Request will be allowed because the requesting location is not using HTTPS”
- Using the MCBLog lazylogger implemented (but not checked-in) from bug 1514396, the checks look like this:
shouldLoad:
- contentLocation: http://web-platform.test:8000/common/security-features/subresource/xhr.py?action=purge&key=337898c6-17f6-4347-8773-0869ab491537&path=%2Fmixed-content
- internalContentPolicyType: TYPE_FETCH
- loadingPrincipal: moz-nullprincipal:{e33afc21-948e-47c2-a4db-6c9e529b2008}
- triggeringPrincipal: moz-nullprincipal:{e33afc21-948e-47c2-a4db-6c9e529b2008}
- URISafeToBeLoadedInSecureContext:
- schemeLocal: 0
- schemeNoReturnData: 0
- schemeInherits: 0
- schemeSecure: 0
-> decision: Request will be allowed because the requesting location is not using HTTPS.
|
|
||
Updated•3 years ago
|
Assignee: ckerschb → nobody
Status: REOPENED → NEW
Priority: P2 → P3
Whiteboard: [domsecurity-active] → [domsecurity-backlog1]
You need to log in
before you can comment on or make changes to this bug.
Description
•