Closed Bug 1607154 Opened 10 months ago Closed 10 months ago

HTTP Request from webextension background script stopped working


(WebExtensions :: Request Handling, defect)

73 Branch
Not set


(firefox-esr68 unaffected, firefox72 unaffected, firefox73 verified, firefox74 verified)

Tracking Status
firefox-esr68 --- unaffected
firefox72 --- unaffected
firefox73 --- verified
firefox74 --- verified


(Reporter: altech123159, Assigned: evilpie)




(Keywords: regression)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0

Steps to reproduce:

Since some nightly update all http request made by my extension using XMLHttpRequest stopped working.
It work in nightly 2019-12-01 but not in any of the last 2/3 weeks builds.

Actual results:

In the debugger i can see that every request return a CORS error:
header CORS “Access-Control-Allow-Origin” does not correspond to “null”

In the request header the Origin is set to null

Expected results:

The request Origin header should be "moz-extension://extensionuuid"

Http request from background script should work

Can you find the exact regression range?

Alternatively, attach or link to the extension and include steps to reproduce the issue so someone else can test.

Has Regression Range: --- → no
Component: Untriaged → Request Handling
Flags: needinfo?(altech123159)
Keywords: regression
Product: Firefox → WebExtensions

I found it:

The extension is not public but i'm using this code to make the http request:

function getNewMessages(callback) {
let httpRequest = new XMLHttpRequest();"GET", "https://pathtoapi", true);
httpRequest.onload = function () {
httpRequest.setRequestHeader('Authorization', 'Basic ' + btoa(username + ":" + password));

Flags: needinfo?(altech123159)

That's from bug 1405971, Tom can you please check what's happening?

Would it perhaps make sense to keep sending the origin from background pages, but not content scripts?

Flags: needinfo?(evilpies)
Has Regression Range: no → yes
Regressed by: 1405971

(In reply to :Tomislav Jovanovic :zombie from comment #3)

That's from bug 1405971, Tom can you please check what's happening?

Sure, we are stripping the moz-extension URL from the Origin header and replacing it with null. This makes the CORS request fail.

Would it perhaps make sense to keep sending the origin from background pages, but not content scripts?

I don't see why we should allow leaking the UUID from the background page. The correct fix for this is to add the right host permissions so that CORS isn't required.

Has Regression Range: yes → no
Flags: needinfo?(evilpies)
No longer regressed by: 1405971

Thank you, I set the host permission and now is working fine.
However in my server i set "Access-Control-Allow-Origin: *" shouldn't it work even if the Origin is "null"?
From the debugger in the OPTIONs requests i see that the server reply with "Access-Control-Allow-Origin: null" in the header

Regressed by: 1405971

Ah, I think we might be running into some problem here because you are using Authorization. Access-Control-Allow-Origin: * should work, but I think Access-Control-Allow-Origin: null might not work, because we are comparing the wrong Origin value here
Maybe we should be also change nsContentUtils::GetASCIIOrigin.

Duplicate of this bug: 1607936

Updating status to NEW as it has already been confirmed in the duplicate bug 1607936.

Ever confirmed: true

I think 73.0b4 is out, which should have resolved this issue, by backing out the changes in bug 1405971. I am going to make sure the next try at implementing this doesn't cause this issue.

Fixed by backout.

Assignee: nobody → evilpies
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74

Verified fixed on Windows 10 64-bit, Ubuntu 18.04 LTS and macOS Catalina 10.15 on FF 73.0b5 (20200115020958) and FF 74.0a1 (20200114214307). The Origin header in a request made used an extension shows values according to the template: "moz-extension://extensionuuid".

You need to log in before you can comment on or make changes to this bug.