Closed Bug 1595652 Opened 5 years ago Closed 5 years ago

Blocked by X-Frame-Options Policy (extensions)

Categories

(Core :: DOM: Security, defect, P1)

Product:
Core
Component:
DOM: Security
Version:
72 Branch
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla72
Tracking Flags:
Tracking Status
firefox72 --- verified

People

(Reporter: remtanmajitenshi, Assigned: ckerschb)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [domsecurity-active])

Attachments

(2 files)

Bug 1595652: Exempt loads triggered by an extension from XFO. r=jkt,mixedpuppy
47 bytes, text/x-phabricator-request
Details | Review
E3tfjc9ZpS.mp4
552.79 KB, video/mp4
Details

STR:

  1. Install https://addons.mozilla.org/en-US/firefox/addon/to-google-translate/
  2. Open extension popup

AR:

Blocked by X-Frame-Options Policy
An error occurred during a connection to translate.google.com.
Nightly prevented this page from loading in this context because the page has an X-Frame-Options policy that disallows it.

ER:
Extension popup should work.

Product: Core → WebExtensions
Version: 72 Branch → unspecified

It is 72 branch, regressed by Bug 1584998. Same as Bug 1593321 but not fixed with it.

Component: General → DOM: Security
Product: WebExtensions → Core
Version: unspecified → 72 Branch
Assignee: nobody → ckerschb
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P1
Whiteboard: [domsecurity-active]
Attachment #9110260 - Attachment description: Bug 1595652: Exempt loads triggered by an extension from XFO. r=jkt → Bug 1595652: Exempt loads triggered by an extension from XFO. r=jkt,mixedpuppy
Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2ac103491660
Exempt loads triggered by an extension from XFO. r=jkt,mixedpuppy

https://hg.mozilla.org/mozilla-central/rev/2ac103491660

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox72: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
Flags: qe-verify+
Regressions: 1619338

Reproduced the initial issue using an old Nightly build 72.0a1 (build id: 20191111100226) using Windows 10.
Verified - Fixed in Nightly 72.0a1 (2029-11-22) and latest Nightly 76.0a1 (build id: 20200403063228) using Windows 10 and Ubuntu 18.04.

Status: RESOLVED → VERIFIED
status-firefox72: fixedverified
Flags: qe-verify+
Keywords: regression
Regressed by: 1584998
See Also: → 1593321
See Also: → 1629436
Attached video E3tfjc9ZpS.mp4

But this works only for the first load. If you navigate, it will not work anymore.

Flags: needinfo?(rob)

@kernp Please file a new bug and link to this bug.

Flags: needinfo?(rob)

(In reply to Qwerty from comment #1)

It is 72 branch, regressed by Bug 1584998. Same as Bug 1593321 but not fixed with it.

I just tested on Firefox 71 and XFO wasn't bypassed either. Could you share the reproduction steps to show that XFO can be bypassed in Firefox 71 but fails on Firefox 72?

I'd like to explore the possibility to remove the ability to automatically bypass XFO in extensions, and fall back to requiring extensions to opt in via the webRequest API instead, as you're already doing in your add-on.

Flags: needinfo?(remtanmajitenshi)

(In reply to Rob Wu [:robwu] from comment #9)

I just tested on Firefox 71 and XFO wasn't bypassed either. Could you share the reproduction steps to show that XFO can be bypassed in Firefox 71 but fails on Firefox 72?

Same as in bug description. Installing extension (Version 4.0.6 works) and opening popup. I used mozregression and it pointed me to bug 1584998 back then and today.

INFO : Narrowed inbound regression window from [cd45360f, d7c5b5d3] (3 builds) to [cd45360f, d5bee3db] (2 builds) (~1 steps left)
DEBUG : Starting merge handling...
DEBUG : Using url: https://hg.mozilla.org/integration/autoland/json-pushes?changeset=d5bee3db1b4f0ce5ff876f08230336022ae7d8ab&full=1
DEBUG : Found commit message:
Bug 1584998: Make x-frame-options work with fission enabled. r=jkt,farre,johannh,flod
Differential Revision: https://phabricator.services.mozilla.com/D50588
DEBUG : Did not find a branch, checking all integration branches
INFO : The bisection is done.
INFO : Stopped

as you're already doing in your add-on.

It's not my extension btw.

Flags: needinfo?(remtanmajitenshi)

I can reproduce in that version with fission.autostart = true,
but with fission.autostart = false (default on non-Nightly), it is not reproducible.

Bug 1584998 fixed an actual bug; XFO on regular websites didn't work either (e.g. try to load www.mozilla.org on example.com via the devtools).

(In reply to Rob Wu [:robwu] from comment #9)

I'd like to explore the possibility to remove the ability to automatically bypass XFO in extensions, and fall back to requiring extensions to opt in via the webRequest API instead

So, this fix is for me not really useful and if you want to remove it, i don't have a problem with it.
Because i'm already removing the x-frame-options header from the response (like what the other add-ons are doing).

Thanks. The patch has been reverted in 77 - https://hg.mozilla.org/mozilla-central/rev/a9df87dcb391

Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: