Closed Bug 1606604 Opened 5 years ago Closed 4 years ago

Build the remote agent on all release channels

Categories

(Remote Protocol :: Agent, task, P3)

task

Tracking

(firefox86 fixed)

RESOLVED FIXED
86 Branch
Tracking Status
firefox86 --- fixed

People

(Reporter: ato, Assigned: whimboo)

References

(Regressed 1 open bug)

Details

(Whiteboard: [puppeteer-beta2-mvp])

Attachments

(2 files)

We currently only build the remote agent on the Nightly release channel. We should expand to target all branches.

The remote agent component will still remained preffed-off for other release channels than Nightly.

Whiteboard: [puppeteer-beta]
Depends on: 1603930
Priority: -- → P2
Whiteboard: [puppeteer-beta] → [puppeteer-beta-mvp]
Priority: P2 → P3
Whiteboard: [puppeteer-beta-mvp] → [puppeteer-beta-reserve]
Whiteboard: [puppeteer-beta-reserve] → [puppeteer-beta2-mvp]
Depends on: 1676803

Hi Daniel. We may want to enable building the Remote Agent by default for beta/release soon. As such we wonder if we would need another security review beside the one we already got for Nightly (bug 1542229) a while ago. Thanks!

Flags: needinfo?(dveditz)

Is the Marionette-like visual indicator implemented? That's a requirement for Release.

Have you changed the architecture or the commands?

Flags: needinfo?(dveditz)

(In reply to Daniel Veditz [:dveditz] from comment #2)

Is the Marionette-like visual indicator implemented? That's a requirement for Release.

Yes, both Marionette and the Remote Agent share the same visual cue when they are enabled.

Have you changed the architecture or the commands?

There were the following two changes:

  1. Given that we want to allow users of the upcoming Selenium 4 to opt-in for the Remote Agent via webdriver capabilities (see the meta bug 1669746) we had to separate the handling of the visual cue for both of them. Mainly because of a crash when both were enabled at the same time. This work was done via bug 1669698. It means we now have dedicated observer notifications for Marionette and Remote Agent, which both are used to set the visual cue.

  2. To stay in par with Chrome I removed the --remote-debugger command line argument (bug 1669230). Now only --remote-debugger-port can be used, to set the port of the HTTP connection for localhost, which on connection will be upgraded to a websocket connection.

Otherwise lots of work has been put into the general API support for CDP. A lot of new commands and events have been implemented. When you ask for commands, do you also mean those? I don't think because of the constant development it would cause lots of security reviews, but I thought it would be good to ask.

Flags: needinfo?(dveditz)

both Marionette and the Remote Agent share the same visual cue when they are enabled.

Great

Now only --remote-debugger-port can be used, to set the port of the HTTP connection for localhost, which on connection will be upgraded to a websocket connection.

But it's still a required command-line option without which the remote agent is not started, right? IOW, if you define a port we understand that to mean you want Firefox to use that port. That sounds fine: it's still an explicit opt-in action people have to take, and that a normal browsing session started by clicking a desktop icon or opening a .HTML file with the default browser won't have the remote agent enabled (ignore people who boobytrap their shortcut links or mess with the windows registry to add params -- that's still opting in).

If so that all sounds fine.

When you ask for commands, do you also mean those?

Yeah, I did, but maybe I'm sorry I asked :-) There are two main types of worries there:

  1. Is a given command itself dangerous or bad for privacy? Well, yes, they probably all are by design given the kind of control this feature is designed for. If we stick with "standard" commands implemented by other browsers also at least we know there will be a chance for lots of feedback on commands that go too far.
  2. Is the implementation of a command a security problem? It's not hard to imagine an otherwise-acceptable command being implemented in a way that does dangerous things with untrusted input, for example. Hopefully regular code review catches this kind of issue because I don't have the bandwidth for security code review. But it might be worth spending the time looking over the list and flagging some of the interesting-looking ones with potential issues for further follow-up.

This kind of effort doesn't need to be a "blocking" issue. With respect to 1) I'd be mostly interested in the Firefox-only commands and would mostly trust the larger community to find the rough edges with the CDP-defined ones. Effort around 2) would be ongoing as new commands are implemented. Might be a good idea to start with the current list though.

Flags: needinfo?(dveditz)

(In reply to Daniel Veditz [:dveditz] from comment #4)

But it's still a required command-line option without which the remote agent is not started, right? IOW, if you define a port we understand that to mean you want Firefox to use that port. That sounds fine: it's still an explicit opt-in action people have to take, and that a normal browsing session started by clicking a desktop icon or opening a .HTML file with the default browser won't have the remote agent enabled (ignore people who boobytrap their shortcut links or mess with the windows registry to add params -- that's still opting in).

That is correct. You have to opt-in via the command line option. It's also possible via the preference, but not only by just flipping the value of remote.enabled (similar to marionette.enabled) to turn it on/off in the same session. The preference is only evaluated during startup.

  1. Is a given command itself dangerous or bad for privacy? Well, yes, they probably all are by design given the kind of control this feature is designed for. If we stick with "standard" commands implemented by other browsers also at least we know there will be a chance for lots of feedback on commands that go too far.

Given that the Remote Agent (Protocol) implements parts of CDP (Chrome DevTools Protocol) the concerns would be similar to the Firefox Devtools protocol. Yes, it's expected that there are APIs to get/set sensitive data.

  1. Is the implementation of a command a security problem? It's not hard to imagine an otherwise-acceptable command being implemented in a way that does dangerous things with untrusted input, for example. Hopefully regular code review catches this kind of issue because I don't have the bandwidth for security code review. But it might be worth spending the time looking over the list and flagging some of the interesting-looking ones with potential issues for further follow-up.

The commands we have implemented do in nearly all the cases type checks, given that there is no schema validation in-place. Even if something would be wrong here, other commands like Runtime.evaluate and Runtime.callFunctionOn basically allow to run arbitrary JavaScript code in the content process's sandbox. But all that already passed the initial security review.

This kind of effort doesn't need to be a "blocking" issue. With respect to 1) I'd be mostly interested in the Firefox-only commands and would mostly trust the larger community to find the rough edges with the CDP-defined ones. Effort around 2) would be ongoing as new commands are implemented. Might be a good idea to start with the current list though.

Note that for 1) we do not have Firefox-only commands. What we implement is what CDP defines. Means there is nothing added on top of it. In regards of 2) it would be good to know if we would have to ask for sec-review for each and every command? It would cause a lot of extra turnaround time, that we would have to keep in mind.

Thanks for your replies.

Assignee: nobody → hskupin
Status: NEW → ASSIGNED

With this patch applied there are unexpected passes of cookie tests for Firefox beta builds. The underlying reason here is that for Nightly we run with lax by default enabled, which is an experimental feature and enabled by default. But that is not available on beta.

It also means that the cookie tests in Puppeteer unit tests aren't written for lax by default enabled. As such we will have to wait until that has been taken into account. I will inform Mathias.

(In reply to Henrik Skupin (:whimboo) [⌚️UTC+2] from comment #7)

With this patch applied there are unexpected passes of cookie tests for Firefox beta builds. The underlying reason here is that for Nightly we run with lax by default enabled, which is an experimental feature and enabled by default. But that is not available on beta.

It also means that the cookie tests in Puppeteer unit tests aren't written for lax by default enabled. As such we will have to wait until that has been taken into account. I will inform Mathias.

SameSite=lax is enabled by default in Chrome 85+: https://www.chromestatus.com/feature/5088147346030592 The latest Puppeteer already uses 85+, so it'd be surprising if our tests would be incompatible with it. Which test in particular are you talking about?

Relevant Puppeteer roll commits/test changes:

Interesting. Since that has been enabled we haven't had a look at our cookie code. But as it looks like the failure happens because we always return "sameSite\": \"Lax\ as part of the cookie data even when lax is default. So I assume that CDP doesn't return this property for the default setting.

Depends on: 1683617

So that's indeed the case here. I filed bug 1683617 to get this fixed in our implementation.

Blocks: 1669746
No longer depends on: 1683617

The behavior of CDP is actually more complicated. As such we will go ahead and simply disable lax by default for now, and work on bug 1683617 once we have the necessary information and time.

Pushed by hskupin@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8c6c88dc5956 [remote] Disable experimental SameSite=Lax by default. r=remote-protocol-reviewers,jgraham https://hg.mozilla.org/integration/autoland/rev/7357db102337 [remote] Build the remote agent on all release channels. r=webdriver-reviewers,remote-protocol-reviewers,firefox-build-system-reviewers,jgraham,mhentges

It's failing because I missed to also remove the milestone from the decorator. Will fix it right away.

Flags: needinfo?(hskupin)
Pushed by hskupin@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/213adb1c4163 [remote] Disable experimental SameSite=Lax by default. r=remote-protocol-reviewers,jgraham https://hg.mozilla.org/integration/autoland/rev/d0a1a16b7aa0 [remote] Build the remote agent on all release channels. r=webdriver-reviewers,remote-protocol-reviewers,firefox-build-system-reviewers,jgraham,mhentges
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch
Regressions: 1684035
Regressions: 1684042
Depends on: 1693058
Regressions: 1708707
No longer regressions: 1708707
Regressions: 1708707
See Also: → 1753997
Depends on: 1759994
No longer depends on: 1759994
Depends on: 1766802
No longer depends on: 1766802
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: