Once CORS header wildcard support is added in bug 1309358, revert the webcompat fix made in bug 1559795.
Categories
(Core :: DOM: Networking, defect, P2)
Tracking

Branch | Tracking flag | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox-esr68 | --- | unaffected
firefox68 | --- | unaffected
firefox69 | + | fixed
firefox70 | + | fixed
People
(Reporter: twisniewski, Assigned: kershaw)
Details
(Keywords: regression, Whiteboard: [necko-triaged])
Attachments
(1 file) 47 bytes, text/x-phabricator-request; RyanVM: approval-mozilla-beta+
In bug 1559795 we had to issue a quick-fix for webcompat by temporarily removing a 128-character header length check that the CORS spec now mandates.
That quick-fix should become obsolete once the proper fix in bug 1309358 lands, whereupon we should revert the quick-fix to align with the spec for extra security.
Note also that the quick-fix may end up in the ESR release, at which point we should also consider reverting it there as well in favor of the wildcard support.
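The check the description refers to is the Fetch specification's CORS-safelisted request-header rule: a request header only counts as safelisted (and so avoids a preflight) if its value is at most 128 bytes and satisfies the per-header constraints, and even safelisted headers become unsafe once their combined value size passes 1024 bytes. The following is an added illustration of that rule written for this page; it is not Gecko's implementation, the function names are mine, the Content-Type handling simplifies the spec's full MIME-type parse, the Range safelist case is omitted, and the sample headers are constructed inline.

```javascript
// Added example (not Firefox/Gecko code): the Fetch spec's CORS-safelisted
// request-header check, including the 128-byte value-length limit discussed
// in this bug, and the aggregate rule that decides which request headers
// must be listed in Access-Control-Request-Headers (and so force a preflight).

const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// "CORS-unsafe request-header byte": control bytes other than HT, the listed
// delimiters, and DEL (per the Fetch spec).
const CORS_UNSAFE_BYTE = /[\x00-\x08\x0a-\x1f"():<>?@\[\\\]{}\x7f]/;

// The spec measures value length in bytes, not UTF-16 code units.
function byteLength(value) {
  return new TextEncoder().encode(value).length;
}

function isCorsSafelistedRequestHeader(name, value) {
  // The 128-byte cap applies before any per-header rule.
  if (byteLength(value) > 128) return false;
  switch (name.toLowerCase()) {
    case "accept":
      return !CORS_UNSAFE_BYTE.test(value);
    case "accept-language":
    case "content-language":
      return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    case "content-type": {
      if (CORS_UNSAFE_BYTE.test(value)) return false;
      // Simplification: the spec runs a full MIME-type parse; here the
      // essence is taken as everything before the first ';'.
      const essence = value.split(";")[0].trim().toLowerCase();
      return SAFELISTED_CONTENT_TYPES.has(essence);
    }
    default:
      // Range is also safelisted for simple single-range values; omitted here.
      return false;
  }
}

// "CORS-unsafe request-header names": the lowercased, sorted names that must
// appear in Access-Control-Request-Headers. headers is an array of
// [name, value] pairs.
function corsUnsafeRequestHeaderNames(headers) {
  const unsafeNames = [];
  const potentiallyUnsafeNames = [];
  let safelistValueSize = 0;
  for (const [name, value] of headers) {
    if (!isCorsSafelistedRequestHeader(name, value)) {
      unsafeNames.push(name);
    } else {
      potentiallyUnsafeNames.push(name);
      safelistValueSize += byteLength(value);
    }
  }
  // Safelisted headers collectively become unsafe past 1024 bytes of values.
  if (safelistValueSize > 1024) unsafeNames.push(...potentiallyUnsafeNames);
  return [...new Set(unsafeNames.map((n) => n.toLowerCase()))].sort();
}

function needsPreflight(method, headers) {
  const simpleMethod = ["GET", "HEAD", "POST"].includes(method.toUpperCase());
  return !simpleMethod || corsUnsafeRequestHeaderNames(headers).length > 0;
}

// Constructed sample: an Accept value of roughly 196 bytes. With the 128-byte
// check enforced it is no longer safelisted, so the request needs a preflight.
const sampleHeaders = [
  ["Accept", "application/vnd.example.v1+json; q=1.0, " +
             "application/vnd.example.fallback+json, ".repeat(4)],
  ["Content-Type", "text/plain"],
];
console.log(corsUnsafeRequestHeaderNames(sampleHeaders)); // ["accept"]
console.log(needsPreflight("POST", sampleHeaders));       // true
```

This is exactly the behaviour the webcompat quick-fix suspended: with the length check removed, the long Accept value above stays safelisted and no preflight is sent. Reinstating the check is safe for sites once wildcard support lands, because a server answering `Access-Control-Allow-Headers: *` accepts the resulting preflight.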
Comment 1 • 6 years ago
I'm setting this to P2 since the dependency is P2 and we regressed slightly on security here.
Updated • 6 years ago
Comment 2 • 6 years ago
Comment 4 • 6 years ago
bugherder
Updated • 6 years ago
Comment 5 • 5 years ago
Comment on attachment 9078398 [details]
Bug 1564175 - Revert the quick fix from bug 1559795
Beta/Release Uplift Approval Request
- User impact if declined: This patch is about adding a check to header length. We might have a problem if the server returns a long header.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This patch just adds a simple check to header length.
- String changes made/needed: none
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: If bug 1309358 is uplifted, we really need this one to prevent any possible issues caused by a long CORS header string.
- User impact if declined: Potential issues caused by a long header string.
- Fix Landed on Version: 70
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This patch just adds a simple check to header length.
- String or UUID changes made by this patch: none
Comment 6 • 5 years ago
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Updated • 5 years ago
Comment 7 • 5 years ago
Comment on attachment 9078398 [details]
Bug 1564175 - Revert the quick fix from bug 1559795
Obsolete change with bug 1309358. Approved for 69.0b9 and 68.1esr.
Comment 8 • 5 years ago
bugherder uplift
Comment 9 • 5 years ago
Whoops, bug 1559795 never landed on ESR68.
Updated • 5 years ago