Open Bug 1520381 Opened 6 years ago Updated 2 years ago

Workers fail to fetch from loopback addresses like http://127.0.0.1

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

People

(Reporter: irakli, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [domsecurity-backlog])

Attachments

(1 file)

simple-server.py
375 bytes, text/x-python
Details

There was a related bug reports like Bug 903966 which did fixed that issue for requests from document scope, however issue is still reproducible in worker contexts.

I have put together few examples to illustrate the issue:
https://gozala.io/loopback-worker/

I will move it to security because it looks like a similar issue as 903966

Component: Networking → DOM: Security
Blocks: MixedContentBlocker
No longer depends on: MixedContentBlocker
Keywords: testcase

Is this testcase correct? I'm getting similar "failed to fetch" errors on Chrome.

Flags: needinfo?(rFobic)

Is this testcase correct? I'm getting similar "failed to fetch" errors on Chrome.

Depends on what's running on that address and if Access-Control-Allow-Origin headers are set to respond to https://gozala.io/ if they are set on Chrome it does not fail on my end.

Flags: needinfo?(rFobic)
Priority: -- → P3
Whiteboard: [domsecurity-backlog]

Looks like this would be fixed by Bug 1488740

Depends on: 1488740

(In reply to Irakli Gozalishvili [:irakli] [:gozala] [@gozala] from comment #3)

Is this testcase correct? I'm getting similar "failed to fetch" errors on Chrome.

Depends on what's running on that address and if Access-Control-Allow-Origin headers are set to respond to https://gozala.io/ if they are set on Chrome it does not fail on my end.

I tried to attach a Python3 script to setup such a localhost server. The tests pass on Firefox 79, Firefox Nightly and Chrome. https://github.com/Gozala/loopback-worker/tree/master/docs does not have any service-worker.html file though. Is this bug fixed?

(In reply to Jonathan Kingston [:jkt] (not really reading NI, email if needed) from comment #4)

Looks like this would be fixed by Bug 1488740

That one should be fixed now, but the test are already passing in release for me.

Flags: needinfo?(rFobic)

Clear a needinfo that is pending on an inactive user.

Inactive users most likely will not respond; if the missing information is essential and cannot be collected another way, the bug maybe should be closed as INCOMPLETE.

For more information, please visit auto_nag documentation.

Flags: needinfo?(rFobic)
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: