Closed Bug 1563747 Opened 6 years ago Closed 6 years ago

Starting navigation to a cross-origin download causes same-origin XHRs to be sent unauthenticated

Categories

(Core :: DOM: Security, defect)

69 Branch
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: me, Unassigned, NeedInfo)

References

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0

Steps to reproduce:

Real-world scenario:

  1. Use Fastmail’s webmail client.
  2. Have an email with multiple attachments.
  3. Click the “Download all N attachments” link.

I have attached a simple Python HTTP server that demonstrates the issue more technically. Check that I haven’t written anything nefarious in it, then run it and open http://127.0.0.1:5089 in your web browser. It depends on the hostname localhost working, so that it can use that as cross-origin from 127.0.0.1.

Actual results:

The download starts, but then the user is taken to the login screen with the banner “Your session has expired due to inactivity. Please log in to continue.” shown, because after essentially performing location.href = 'https://www.fastmailusercontent.com/path/to/download'; (a cross-origin URL), the webmail client made an API request (same-origin), which the browser sent with no cookies (suggesting an anonymous but same-origin request), and so the server responded 401 Unauthorized, which the client interpreted to mean that the session had expired, which is the usual meaning of that response.

After a short time, the potential navigation event completes, with the browser deciding that it’s a download instead, and things go back to normal.

I was concerned this could be a security bug, allowing origin spoofing, but after carefully checking the symptoms I could observe, I say that it does not appear to be: it seems to just cause same-origin requests to be sent anonymously for a while, which breaks things but is secure. But I suggest that whoever ends up fixing it check that I am actually correct.

Expected results:

Everything should have chugged along merrily, with all AJAX requests being authenticated throughout the negotiation of the cross-origin download.
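The reporter's attached Python server is not reproduced on this page. The harness below is an added reconstruction of the described setup, written for this page and not the reporter's attachment: a page on http://127.0.0.1 (same-origin) polls a cookie-gated API every 100 ms and logs whether the server saw the session cookie, while a button starts a navigation to http://localhost on the same port (cross-origin, since cookies and origin are host-scoped) that the server answers with Content-Disposition: attachment, so the browser has to resolve it into a download. The port 5089 is taken from the report; the cookie name, values, paths and file name are assumptions. If the report's behaviour reproduces, the log shows 401 lines during the window between the click and the download starting; otherwise it stays at 200 throughout (a NetworkError for a request in flight at the moment of navigation is expected either way).

```python
"""Reproduction harness for the cross-origin-download / anonymous-XHR report.
Added example, not the reporter's attached script.  Port 5089 is from the
report; cookie name/value and the paths are assumptions made here."""
import http.server
import sys
from http.cookies import SimpleCookie

PORT = 5089                 # port named in the report
SESSION_COOKIE = "session"  # hypothetical cookie name
SESSION_VALUE = "s3cret"    # hypothetical session value

PAGE = """<!doctype html>
<title>cross-origin download vs same-origin XHR</title>
<button onclick="location.href='http://localhost:%(port)d/download'">
  Start cross-origin download (localhost)</button>
<button onclick="location.href='/download'">
  Start same-origin download (127.0.0.1)</button>
<pre id="log"></pre>
<script>
// Poll the same-origin API every 100 ms and log the status the server
// returned.  200 means the session cookie arrived; 401 means the request
// reached the server anonymously, which is what the report describes.
const log = document.getElementById('log');
async function poll() {
  const t = new Date().toISOString().slice(11, 23);
  try {
    const r = await fetch('/api', {credentials: 'same-origin', cache: 'no-store'});
    log.textContent = `${t} same-origin /api -> ${r.status} ${await r.text()}\\n` + log.textContent;
  } catch (e) {
    log.textContent = `${t} same-origin /api -> ${e.name}\\n` + log.textContent;
  }
}
setInterval(poll, 100);
</script>
""" % {"port": PORT}


def api_status(headers):
    """Same-origin API: 200 if the session cookie arrived, 401 otherwise.
    `headers` is any mapping with .get(), e.g. the handler's self.headers."""
    cookies = SimpleCookie(headers.get("Cookie", ""))
    morsel = cookies.get(SESSION_COOKIE)
    if morsel is not None and morsel.value == SESSION_VALUE:
        return 200, "the cookies were sent"
    return 401, "no session cookie: request was anonymous"


def download_headers():
    """Headers that make the browser treat the navigation as a download."""
    return [("Content-Type", "application/octet-stream"),
            ("Content-Disposition", 'attachment; filename="attachments.zip"')]


class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/":
            body = PAGE.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            # Cookie is host-scoped: set for 127.0.0.1, never sent to localhost.
            self.send_header("Set-Cookie", f"{SESSION_COOKIE}={SESSION_VALUE}; Path=/")
        elif self.path == "/api":
            status, text = api_status(self.headers)
            body = text.encode()
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Cache-Control", "no-store")
        elif self.path == "/download":
            body = b"not really a zip\n"
            self.send_response(200)
            for name, value in download_headers():
                self.send_header(name, value)
        else:
            body = b"not found"
            self.send_response(404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Server-side view: request line plus whether a Cookie header arrived.
        sys.stderr.write("%s cookie=%s\n" % (fmt % args, "Cookie" in self.headers))


if __name__ == "__main__":
    with http.server.ThreadingHTTPServer(("127.0.0.1", PORT), Handler) as srv:
        print(f"open http://127.0.0.1:{PORT}/ ; cross-origin target is http://localhost:{PORT}/download")
        srv.serve_forever()
```

Run it, open http://127.0.0.1:5089/ in the browser under test, let the log settle at 200, then click the cross-origin button and watch the log lines that arrive before the download dialog; the second button is the same-origin control, which should never produce a 401. The server's stderr prints cookie=True/False per request so the two views can be compared.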

Hi @Chris Morgan, I've tried this issue on a Windows 10 machine using FF nightly 70.0a1 and cannot reproduce it. Further I will set a component; if it isn't the right one please feel free to change it.
Thanks.

Component: Untriaged → Networking: HTTP
Product: Firefox → Core

Adding Nika and Boris.

(Not 100% sure about the component)

Component: Networking: HTTP → DOM: Security
See Also: → 1210413

I'm not sure I understand that attached testcase...

It looks like it's continuously sending requests to both http://127.0.0.1:5089 and http://localhost:5089 and logging the responses, right? The same-origin (127.0.0.1) requests keep coming back with "the cookies were sent" while the cross-origin ones keep coming back with NetworkError, as expected, since fetch() cross-origin without CORS is allowed.

When I click the various buttons the observed behavior is still the same, except now sometimes the same-origin response ends up with a NetworkError if it's in-flight when navigation starts and cancels all pending network activity.

Am I missing something? I'd really appreciate specific steps to reproduce (what I should click in what order, what I should see if the bug reproduces, what I should see if the bug does not reproduce) with the attached python testcase.

Flags: needinfo?(me)

We can re-open this if we get additional information

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
