[wpt-sync] Sync PR 17200 - Prevent leaking Sec- Request Headers on HTTPS Downgrade Redirects.
Categories
(Core :: DOM: Networking, defect, P4)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox70 | --- | fixed |
People
(Reporter: mozilla.org, Unassigned)
References
()
Details
(Whiteboard: [wptsync downstream][necko-triaged] )
Sync web-platform-tests PR 17200 into mozilla-central (this bug is closed when the sync is complete).
PR: https://github.com/web-platform-tests/wpt/pull/17200
Details from upstream follow.
Brandon Maslen <brandm@microsoft.com> wrote:
Prevent leaking Sec- Request Headers on HTTPS Downgrade Redirects.
Currently various Sec- headers are added through the codebase and correctly check if the request target url is trustworthy. If the destination is not trustworthy then the headers are not added. However in the event a request redirects from a trustworthy to non-trustworthy destination, such as https => http, there may be pre-existing headers present. Since these headers would not have been added to the non-trustworthy request we need to remove these extra headers from the request.
This change adds a helper call to the UrlLoader class in the network service to remove any request headers prefixed with "sec-" when a downgrade redirect is detected. In addition to this unit test cases for the helper and end to end WPT cases have been added to validate the scenario and prevent future regressions.
Bug: 964053
Change-Id: I109c3ec1b3a05f6341c3c4adbd1a8da1274fd0d6
Reviewed-on: https://chromium-review.googlesource.com/1647354
WPT-Export-Revision: 5586168722e4d66ca3049f742f90d37d49299cbd
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 1•5 years ago
|
||
Pushed to try https://treeherder.mozilla.org/#/jobs?repo=try&revision=3fa65ee7e5faee587c768e1bc6db023b505fbf5d
|
||
Updated•5 years ago
|
|
|
Assignee | |
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 2•5 years ago
|
||
Pushed to try https://treeherder.mozilla.org/#/jobs?repo=try&revision=5f5d83374df9597aafa3d8e762fb134e70655d4b
|
|
Assignee | |
Comment 3•5 years ago
|
||
Pushed to try (stability) https://treeherder.mozilla.org/#/jobs?repo=try&revision=14cd3bb0938e6867ae2af5c83afc1f97bf6e4b3f
|
|
Assignee | |
Comment 4•5 years ago
|
||
Failed to get results from try push
|
|
Assignee | |
Comment 5•5 years ago
|
||
Pushed to try https://treeherder.mozilla.org/#/jobs?repo=try&revision=a85d4c58113b232349e8d7ae88b7e2467fe942b8
|
|
Assignee | |
Comment 6•5 years ago
|
||
Pushed to try (stability) https://treeherder.mozilla.org/#/jobs?repo=try&revision=a39868f8510da4a7ace55be3bc3572e87a1a8109
Pushed by james@hoppipolla.co.uk: https://hg.mozilla.org/integration/mozilla-inbound/rev/60e39993bb94 [wpt PR 17200] - Prevent leaking Sec-CH-/Sec-Fetch- Request Headers on HTTPS Downgrade Redirects., a=testonly
|
||
Comment 8•5 years ago
|
||
| bugherder | ||
Description
•