Closed Bug 1564175 Opened 4 months ago Closed 4 months ago

Once CORS header wildcard support is added in bug 1309358, revert the webcompat fix made in bug 1559795.

Categories

(Core :: DOM: Networking, defect, P2)


Tracking


RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 + fixed
firefox70 + fixed

People

(Reporter: twisniewski, Assigned: kershaw)

Details

(Keywords: regression, Whiteboard: [necko-triaged])

Attachments

(1 file)

In bug 1559795 we had to issue a quick-fix for webcompat by temporarily removing a 128-character header length check that the CORS spec now mandates.

That quick-fix should become obsolete once the proper fix in bug 1309358 lands, whereupon we should revert the quick-fix to align with the spec for extra security.

Note also that the quick-fix may end up in the ESR release, at which point we should consider reverting it there as well in favor of the wildcard support.

I'm setting this to P2 since the dependency is P2 and we regressed slightly on security here.
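As an added illustration (not code from Firefox, Necko, or this bug's patch), the following JavaScript models the Fetch Standard rules the comment above refers to: the CORS-safelisted request-header check with its 128-byte value limit that bug 1559795 removed and this bug restores, the 1024-byte aggregate limit, and the Access-Control-Allow-Headers wildcard matching that bug 1309358 adds. The header values and the `example` function are constructed for this demonstration; the Authorization exclusion from the wildcard follows the current Fetch Standard and is not stated anywhere on this page.

```javascript
// Added example, not Firefox/Necko code: a model of the Fetch Standard's
// CORS request-header rules. Values are treated as byte strings.

// Fetch: "CORS-unsafe request-header byte" (controls other than HT, DEL,
// and the listed delimiters) for Accept and Content-Type values.
function hasCorsUnsafeByte(value) {
  for (const ch of value) {
    const b = ch.charCodeAt(0);
    if ((b < 0x20 && b !== 0x09) || b === 0x7f) return true;
    if ('"():<>?@[\\]{}'.includes(ch)) return true;
  }
  return false;
}

// Fetch: "CORS-safelisted request-header". The first test is the length
// limit at issue in this bug: a value longer than 128 bytes is never
// safelisted, whatever its name.
function isCorsSafelistedRequestHeader(name, value) {
  if (value.length > 128) return false;
  switch (name.toLowerCase()) {
    case 'accept':
      return !hasCorsUnsafeByte(value);
    case 'accept-language':
    case 'content-language':
      // Only 0-9, A-Z, a-z, space, "*", ",", "-", ".", ";", "=" are allowed.
      return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    case 'content-type': {
      if (hasCorsUnsafeByte(value)) return false;
      // Simplified MIME essence: the type/subtype before any parameters.
      const essence = value.split(';')[0].trim().toLowerCase();
      return ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']
        .includes(essence);
    }
    default:
      return false;
  }
}

// Fetch: "CORS-unsafe request-header names". Any non-safelisted header
// forces a preflight; so do safelisted headers whose values total more
// than 1024 bytes. Returns sorted, lowercased, deduplicated names.
function corsUnsafeRequestHeaderNames(headers) {
  const unsafe = [];
  const potentiallyUnsafe = [];
  let safelistValueSize = 0;
  for (const [name, value] of headers) {
    if (!isCorsSafelistedRequestHeader(name, value)) {
      unsafe.push(name);
    } else {
      potentiallyUnsafe.push(name);
      safelistValueSize += value.length;
    }
  }
  if (safelistValueSize > 1024) unsafe.push(...potentiallyUnsafe);
  return [...new Set(unsafe.map((n) => n.toLowerCase()))].sort();
}

// Fetch: the Access-Control-Allow-Headers check of "CORS-preflight fetch".
// "*" is a wildcard only for requests without credentials; with
// credentials it matches only a header literally named "*".
function preflightAllowsHeaders(requestHeaders, allowHeaders, credentialsMode) {
  const allowed = allowHeaders.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const wildcard = credentialsMode !== 'include' && allowed.includes('*');
  for (const unsafeName of corsUnsafeRequestHeaderNames(requestHeaders)) {
    // Authorization is a "CORS non-wildcard request-header name" (current
    // Fetch Standard): it must be listed by name even when "*" is present.
    if (unsafeName === 'authorization' && !allowed.includes('authorization')) return false;
    if (!allowed.includes(unsafeName) && !wildcard) return false;
  }
  return true;
}

// Constructed sample: an Accept value well over 128 bytes, as a site with
// a long media-type list might send. Assumed input, not taken from the bug.
const LONG_ACCEPT = 'application/json, ' + 'text/html;q=0.9, '.repeat(8);

function example() {
  const shortReq = [['Accept', 'application/json']];
  const longReq = [['Accept', LONG_ACCEPT]];
  return {
    shortNeedsPreflight: corsUnsafeRequestHeaderNames(shortReq).length > 0,
    longNeedsPreflight: corsUnsafeRequestHeaderNames(longReq).length > 0,
    longExplicitAllow: preflightAllowsHeaders(longReq, 'Accept', 'include'),
    longWildcardNoCreds: preflightAllowsHeaders(longReq, '*', 'omit'),
    longWildcardCreds: preflightAllowsHeaders(longReq, '*', 'include'),
    authWildcard: preflightAllowsHeaders([['Authorization', 'Bearer x']], '*', 'omit'),
  };
}

console.log(example());
```

Running `example()` shows the trade-off behind the quick-fix and its revert: with the length check restored, the long Accept value is no longer safelisted and the request needs a preflight, and a server answering with `Access-Control-Allow-Headers: *` satisfies that preflight only for requests sent without credentials; a credentialed request still requires the server to name the header explicitly.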

Priority: -- → P2
Assignee: nobody → kershaw
Whiteboard: [necko-triaged]
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Comment on attachment 9078398 [details]
Bug 1564175 - Revert the quick fix from bug 1559795

Beta/Release Uplift Approval Request

  • User impact if declined: This patch is about adding a check to header length. We might have a problem if the server returns a long header.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This patch just adds a simple check to header length.
  • String changes made/needed: none

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: If bug 1309358 is uplifted, we really need this one to prevent any possible issues caused by a long CORS header string.
  • User impact if declined: Potential issues caused by a long header string.
  • Fix Landed on Version: 70
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This patch just adds a simple check to header length.
  • String or UUID changes made by this patch: none
Attachment #9078398 - Flags: approval-mozilla-esr68?
Attachment #9078398 - Flags: approval-mozilla-beta?

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

Comment on attachment 9078398 [details]
Bug 1564175 - Revert the quick fix from bug 1559795

Obsolete change with bug 1309358. Approved for 69.0b9 and 68.1esr.

Attachment #9078398 - Flags: approval-mozilla-esr68?
Attachment #9078398 - Flags: approval-mozilla-esr68+
Attachment #9078398 - Flags: approval-mozilla-beta?
Attachment #9078398 - Flags: approval-mozilla-beta+
Attachment #9078398 - Flags: approval-mozilla-esr68+