Once CORS header wildcard support is added in bug 1309358, revert the webcompat fix made in bug 1559795.
Categories
(Core :: DOM: Networking, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox-esr68 | --- | unaffected |
| firefox68 | --- | unaffected |
| firefox69 | + | fixed |
| firefox70 | + | fixed |
People
(Reporter: twisniewski, Assigned: kershaw)
References
Details
(Keywords: regression, Whiteboard: [necko-triaged])
Attachments
(1 file)
|
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
In bug 1559795 we had to issue a quick-fix for webcompat by temporarily removing a 128-character header length check that the CORS spec now mandates.
That quick-fix should become obsolete once the proper fix in bug 1309358 lands, whereupon we should revert the quick-fix to align with the spec for extra security.
Note also that the quick-fix may end up in the ESR release, at which point we should also consider reverting it there as well in favor of the wildcard support.
|
||
Comment 1•5 years ago
|
||
I'm setting this to P2 since the dependency is P2 and we regressed slightly on security here.
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 2•5 years ago
|
||
Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4a732dd8dc93 Revert the quick fix from bug 1559795 r=ckerschb
|
||
Comment 4•5 years ago
|
||
| bugherder | ||
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 5•5 years ago
|
||
Comment on attachment 9078398 [details]
Bug 1564175 - Revert the quick fix from bug 1559795
Beta/Release Uplift Approval Request
- User impact if declined: This patch is about adding a check to header length. We might have a problem if the server returns a long header.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This patch just adds a simple check to header length.
- String changes made/needed: none
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: If bug 1309358 is uplifted, we really need this one to prevent any possible issues that caused by the long CORS header string.
- User impact if declined: Have potential issues caused by long header string.
- Fix Landed on Version: 70
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This patch just adds a simple check to header length.
- String or UUID changes made by this patch: none
|
||
Comment 6•5 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
|
|
||
Updated•5 years ago
|
|
|
||
Comment 7•5 years ago
|
||
Comment on attachment 9078398 [details]
Bug 1564175 - Revert the quick fix from bug 1559795
Obsolete change with bug 1309358. Approved for 69.0b9 and 68.1esr.
|
|
||
Comment 8•5 years ago
|
||
| bugherder uplift | ||
|
|
||
Comment 9•5 years ago
|
||
Whoops, bug 1559795 never landed on ESR68.
|
|
||
Updated•5 years ago
|
Description
•