HTTP Request from webextension background script stopped working
Categories
(WebExtensions :: Request Handling, defect)
Tracking
(firefox-esr68 unaffected, firefox72 unaffected, firefox73 verified, firefox74 verified)
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox72 | --- | unaffected |
| firefox73 | --- | verified |
| firefox74 | --- | verified |
People
(Reporter: altech123159, Assigned: evilpie)
References
(Regression)
Details
(Keywords: regression)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0
Steps to reproduce:
Since some nightly update all http request made by my extension using XMLHttpRequest stopped working.
It work in nightly 2019-12-01 but not in any of the last 2/3 weeks builds.
Actual results:
In the debugger i can see that every request return a CORS error:
header CORS “Access-Control-Allow-Origin” does not correspond to “null”
In the request header the Origin is set to null
Expected results:
The request Origin header should be "moz-extension://extensionuuid"
Http request from background script should work
|
||
Comment 1•4 years ago
|
||
Can you find the exact regression range?
https://mozilla.github.io/mozregression/quickstart.html
Alternatively, attach or link to the extension and include steps to reproduce the issue so someone else can test.
I found it:
The extension is not public but i'm using this code to make the http request:
function getNewMessages(callback) {
let httpRequest = new XMLHttpRequest();
httpRequest.open("GET", "https://pathtoapi", true);
httpRequest.onload = function () {
callback(httpRequest.response);
};
httpRequest.setRequestHeader('Authorization', 'Basic ' + btoa(username + ":" + password));
httpRequest.send(null);
}
|
||
Comment 3•4 years ago
|
||
That's from bug 1405971, Tom can you please check what's happening?
Would it perhaps make sense to keep sending the origin from background pages, but not content scripts?
|
Assignee | |
Comment 4•4 years ago
|
||
(In reply to :Tomislav Jovanovic :zombie from comment #3)
That's from bug 1405971, Tom can you please check what's happening?
Sure, we are stripping the moz-extension URL from the Origin header and replacing it with null. This makes the CORS request fail.
Would it perhaps make sense to keep sending the origin from background pages, but not content scripts?
I don't see why we should allow leaking the UUID from the background page. The correct fix for this is to add the right host permissions so that CORS isn't required.
Thank you, I set the host permission and now is working fine.
However in my server i set "Access-Control-Allow-Origin: *" shouldn't it work even if the Origin is "null"?
From the debugger in the OPTIONs requests i see that the server reply with "Access-Control-Allow-Origin: null" in the header
|
|
Assignee | |
Comment 6•4 years ago
|
||
Ah, I think we might be running into some problem here because you are using Authorization. Access-Control-Allow-Origin: * should work, but I think Access-Control-Allow-Origin: null might not work, because we are comparing the wrong Origin value here
Maybe we should be also change nsContentUtils::GetASCIIOrigin.
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Comment 8•4 years ago
|
||
Updating status to NEW as it has already been confirmed in the duplicate bug 1607936.
|
|
Assignee | |
Comment 9•4 years ago
|
||
I think 73.0b4 is out, which should have resolved this issue, by backing out the changes in bug 1405971. I am going to make sure the next try at implementing this doesn't cause this issue.
|
||
Comment 10•4 years ago
|
||
Fixed by backout.
|
|
||
Comment 11•4 years ago
|
||
Verified fixed on Windows 10 64-bit, Ubuntu 18.04 LTS and macOS Catalina 10.15 on FF 73.0b5 (20200115020958) and FF 74.0a1 (20200114214307). The Origin header in a request made used an extension shows values according to the template: "moz-extension://extensionuuid".
Description
•