Disable Pref respect_document_nosniff for Firefox 70
Categories
(Core :: DOM: Security, enhancement, P1)
Tracking
Version | Tracking | Status |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox-esr68 | --- | unaffected |
firefox69 | --- | unaffected |
firefox70 | + | fixed |
firefox71 | --- | fixed |
People
(Reporter: sstreich, Assigned: sstreich)
References
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file)
47 bytes, text/x-phabricator-request | lizzard: approval-mozilla-beta+
Firefox 70 was supposed to support X-Content-Type-Options Nosniff for Document Loads by default. During the 71 cycle we had to change the way we handle nosniff to become compatible with Chrome, which means there is even less time to test out what impact the new implementation has, given that the old one already broke some pages.
So instead of changing the way nosniff is handled from 70 to 71 or uplifting the new code to 70 with no proper time out in the wild - we should disable nosniff for the 70 cycle and enable it with 71.
Comment 1 (Assignee) • 4 years ago
Comment 2 • 4 years ago
[Tracking Requested - why for this release]:
It seems there are some web compatibility issues with XCTO nosniff for top-level navigations. Even though we think Firefox exhibits the correct behavior we want to give pages time to fix on their end - e.g. see Bug 1580607. Hence we are going to flip the pref and disable the Feature within FF70 but plan to ship in FF71.
Pushed by dvarga@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7978f68a5355
Flip Pref for XTCO-NoSniff and update test to match r=ckerschb
Comment 4 • 4 years ago
Backed out changeset 7978f68a5355 (bug 1585055) for multiple mochitest-plain-chunked failures
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=269305318&repo=autoland&lineNumber=6185
and : https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=269314064&repo=autoland&lineNumber=26825
Backout: https://hg.mozilla.org/integration/autoland/rev/e9322fe03f361013b4dfcf72e134a05d0ac34252
Comment 5 (Assignee) • 4 years ago
Fixed the Broken Test 🤞
Have a green try https://treeherder.mozilla.org/#/jobs?repo=try&revision=bfe7f1c8c8acb2914464e3efaee2683149b96d8a
So setting checkin-needed again
Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/eb8cc69904ed
Flip Pref for XTCO-NoSniff and update test to match r=ckerschb
Comment 7 • 4 years ago
bugherder
Comment 8 • 4 years ago
Please nominate this for Beta approval when you get a chance.
Comment 9 (Assignee) • 4 years ago
Comment on attachment 9097409 [details]
Bug 1585055 - Flip Pref for XTCO-NoSniff and update test to match r=ckerschb
Beta/Release Uplift Approval Request
- User impact if declined: We're currently seeing some Problems with No-sniff in the wild, where some Pages are enabling No-sniff but not sending a Content-Type. If a user in Beta currently visits one of those Sites they will be prompted with a Download Prompt instead of a Page load. Examples are 1580607 and 1582671.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The risk of adding this Patch is low, as we only flip the Default Setting and do not touch any code.
- String changes made/needed:
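A site operator's check for the failure mode described in the uplift request above (nosniff sent without a Content-Type), as an added example that is not part of the bug or of Mozilla's code. The function names and sample responses are constructed, and treating only the first comma-separated X-Content-Type-Options value as significant is an assumption taken from the Fetch Standard.

```python
"""Added example: flag responses that opt into nosniff but declare no media type."""

def parse_headers(raw):
    """Parse a raw response head into {lower-cased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def is_nosniff(headers):
    """True when the first X-Content-Type-Options value is 'nosniff'."""
    # Assumption (Fetch Standard): repeated headers are combined, only the
    # first comma-separated value counts, and matching is case-insensitive.
    combined = ",".join(headers.get("x-content-type-options", []))
    return combined.split(",")[0].strip().lower() == "nosniff"

def has_content_type(headers):
    """True when some Content-Type value names a type/subtype pair."""
    for value in headers.get("content-type", []):
        media = value.split(";", 1)[0].strip()  # drop parameters such as charset
        if "/" in media and all(media.split("/", 1)):
            return True
    return False

def audit(raw):
    """Classify one response: 'ok', 'at-risk' or 'no-nosniff'."""
    headers = parse_headers(raw)
    if not is_nosniff(headers):
        return "no-nosniff"  # browser may sniff; not the case in this bug
    # nosniff without a usable Content-Type is the combination reported
    # to produce a download prompt instead of a page load.
    return "ok" if has_content_type(headers) else "at-risk"

# Constructed sample responses (not taken from the affected sites).
SAMPLES = {
    "typed": "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
             "X-Content-Type-Options: nosniff\r\n\r\n",
    "missing": "HTTP/1.1 200 OK\r\nx-content-type-options: NoSniff\r\n"
               "Content-Length: 120\r\n\r\n",
    "empty": "HTTP/1.1 200 OK\r\nContent-Type:\r\n"
             "X-Content-Type-Options: nosniff, foo\r\n\r\n",
    "plain": "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {audit(raw)}")
```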
Comment on attachment 9097409 [details]
Bug 1585055 - Flip Pref for XTCO-NoSniff and update test to match r=ckerschb
Help with webcompat, let's uplift.
Comment 11 • 4 years ago
This conflicts because bug 1581512 is missing on v70. Please also nominate that bug for uplift or provide a patch which applies to beta.
Comment 12 (Assignee) • 4 years ago
Hey! I've nominated 1581512 for uplift :)
Comment 13 • 4 years ago
(In reply to Sebastian Streich [:sstreich] from comment #12)
> Hey! I've nominated 1581512 for uplift :)
It seems Basti already took care of it - thanks Basti.
Comment 14 • 4 years ago
bugherder uplift