Add assertion to make sure referrer header matches the computed spec in referrerInfo
Categories
(Core :: DOM: Security, enhancement, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox83 | --- | affected |
People
(Reporter: tnguyen, Assigned: julianwels)
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file, 1 obsolete file)
Reporter | ||
Comment 1•5 years ago
|
||
Updated•5 years ago
|
Updated•5 years ago
|
Reporter | ||
Comment 2•5 years ago
|
||
Comment 3•5 years ago
|
||
Basti, may I ask you to drive this one over the finishing line please?
Comment 4•5 years ago
|
||
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #3)
Basti, may I ask you to drive this one over the finishing line please?
302 to Julian - can you take a look at this one please?
Comment 6•5 years ago
|
||
Because this bug has no description and no tests, I had to go back again to a conversation to find why this is being done. From a chat with ckerschb:
imagine a page sets a referrer-policy of 'no-referrer'
but we accidentally use a codepath that sets a referrer
the assertion is to make sure we can not accidentally create a new instance of a channel (or even protocol) without us realizing we are accidentally leaking the referrer value
I imagine that some devtools thing allows you to create a channel and set a referrer and then we don't have a valid referrerinfo for that
I'd like to see a test (the above makes a test sound possible), or an explanation why one is not necessary (or not possible), or (less desirable) a solid STR for QA to manually test.
Assignee | ||
Comment 7•5 years ago
|
||
Thanks for digging up that message. Took me a while to understand what's going on but I think I got a clear picture now:
The first patch (D59314) adds debug assertions with MOZ_ASSERT
to check if the ReferrerInfo object and the referer-header match. This means as long as there is any test that (A) sets the referer header and (B) sends the request, an implicit test that the referer was set correctly is also made.
To double-check that this is actually the case I ran three tests affected by the patch, with and without the changes from D59856:
./mach test devtools/client/netmonitor/test/browser_net_resend_headers.js
(with) OK
(without) Assertion failure: referrerHeader.IsEmpty() (Referrer header should not be sent if there's no referrerInfo)
./mach test toolkit/components/extensions/test/xpcshell/test_ext_downloads_download.js
(with) OK
(without) Mozilla crash reason: MOZ_ASSERT(referrerHeader.IsEmpty()) (Referrer header should not be sent if there's no referrerInfo)
./mach test toolkit/components/extensions/test/xpcshell/test_ext_downloads_download.js
(with) OK
(without) Mozilla crash reason: MOZ_ASSERT(referrerHeader.IsEmpty()) (Referrer header should not be sent if there's no referrerInfo)
Comment 10•4 years ago
|
||
Backed out changeset b3fb1b5bbe34 (Bug 1608074) for causing bustages in XMLHttpRequestMainThread.cpp
Backout link: https://hg.mozilla.org/integration/autoland/rev/ba4e43d97863d39c19a7f261ba0d31bab88b64ee
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=318475583&repo=autoland&lineNumber=12206
Assignee | ||
Comment 11•4 years ago
|
||
Nrgg, sorry. I forgot to upload local changes :(
Comment 12•4 years ago
|
||
It appears the other patch should also be backed out.
Comment 13•4 years ago
|
||
Assignee | ||
Comment 14•4 years ago
|
||
If this one fails again, but I'm rather certain that it won't, then it's better to back both out, that's right! :)
Comment 15•4 years ago
|
||
Backed out for assertion failure on nsContentSecurityUtils.cpp
Backout link: https://hg.mozilla.org/integration/autoland/rev/e9abc628d101add1d024a6d5c668834477f532a7
Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=318482733&repo=autoland&lineNumber=2397
Comment 16•4 years ago
|
||
bugherder |
Assignee | ||
Comment 17•4 years ago
|
||
The assertion patch still has to land. Before that, we need to figure out why and where it gets triggered and fix that as well.
Updated•4 years ago
|
Updated•2 years ago
|
Updated•7 months ago
|
Description
•