network.cookie.sameSite.laxByDefault breaks my add-on
Categories
(WebExtensions :: Untriaged, defect, P2)
Tracking
(firefox75 disabled, firefox76 disabled, firefox77 fixed)
People
(Reporter: kernp25, Assigned: baku)
References
Details
(Keywords: dev-doc-complete)
Attachments
(6 files)
firefox_nHZs1FCEwa.png
AR:
network.cookie.sameSite.laxByDefault set to true will break my add-on.
ER:
network.cookie.sameSite.laxByDefault set to true should not affect my WebExtension.
It shows this message in add-on console:
Cookie “AS” has “sameSite” policy set to “lax” because it is missing a “sameSite” attribute, and “sameSite=lax” is the default value for this attribute.
I tried this in my add-on:
if (name == "set-cookie") {
let splits = responseHeaders[i].value.split("\n");
for (let j = 0; j < splits.length; j++) {
if (splits[j].startsWith("AS=")) {
splits[j] = splits[j].replace("secure;", "SameSite=None; Secure;");
break;
}
}
responseHeaders[i].value = splits.join("\n");
The message will not show anymore in add-on console but it doesn't work either.
It will redirect back to https://login.yahoo.com/ after entering the password.
I also found this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1626696
ER:
I should also not need to make any changes to the Set-Cookie header in order to get this working. It should just work for a WebExtension.
Requests made from WebExtensions should be ignored.
|
||
Updated•4 years ago
|
|
Assignee | |
Comment 2•4 years ago
|
||
Can you tell me the name of your addon? And can you describe why lax-by-default impacts your addon? Does it use cookies somehow (directly or indirectly)?
The best would be to have a test addon, if you have time to provide it. Thanks.
(In reply to Andrea Marchesini [:baku] from comment #2)
Can you tell me the name of your addon?
https://addons.mozilla.org/firefox/addon/yahoo-mail-notifier-we/
|
||
Comment 7•4 years ago
|
||
The issue here is basically that the reporter expects a website to work normally when embedded in an extension. Due to SameSite cookies, this is no longer the case.
To reproduce, open any moz-extension:-document and load a http(s):-iframe in it.
This is a specific instance of the more broader question on what we consider to be first-party. Here are other related bugs:
- bug 1595652 We allowed extensions to embed http(s) frames despite the website's
X-Frame-Optionsheader. - bug 1625599 Tracking protection - we are considering to lift tracking protection (i.e. cookie restrictions) for "requests from extensions".
- bug 1629436 (this bug) - should we treat http(s)-requests from extension pages as same-site requests?
Extension pages are extensions of the browser, so if all ancestor browsing contexts of a http(s):-frame have the moz-extension:-principal, then I believe that it would be reasonable to treat the http(s)-navigation request to be same-site.
:baku Has there been any prior discussions on this topic? What is your opinion on the desired behavior?
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 8•4 years ago
|
||
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 9•4 years ago
|
||
Depends on D73027
|
||
Comment 10•4 years ago
|
||
The priority flag is not set for this bug.
:mixedpuppy, could you have a look please?
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 11•4 years ago
|
||
I think this is P2. We already have a fix in review. mixedpuppy do you agree?
|
|
||
Comment 12•4 years ago
|
||
That's fine. We often use P1 or P2 when there are patches already.
|
||
Comment 13•4 years ago
|
||
Changing status with the mention that this was reproduced on latest FF updates (75.0 - 20200403170909, 76.0 -20200427162639 and 77.0a1 - 20200430082621) on Windows PRO 64-bit and macOS 10.15.4 Catalina.
|
||
Comment 14•4 years ago
|
||
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d14b4bb75db7 requests with webExtension loading principal are not 3rd party, r=ckerschb,robwu,necko-reviewers https://hg.mozilla.org/integration/autoland/rev/18d21d5f63dd requests with webExtension loading principal are not 3rd party - tests, r=robwu
|
||
Comment 15•4 years ago
|
||
Backed out 2 changesets (bug 1629436) for causing test_chrome_ext_trackingprotection.html failures
https://hg.mozilla.org/integration/autoland/rev/815b76e7c256237e5ca73a5d46bcbd6d5961ac3e
push that caused the backout: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=18d21d5f63ddfded78b05a45ff1fc64db49bf803&test_paths=est_chrome_ext_trackingprotection.html
log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=300422253&repo=autoland&lineNumber=110854
[task 2020-05-01T20:01:21.744Z] 20:01:21 INFO - TEST-PASS | toolkit/components/extensions/test/mochitest/test_chrome_ext_trackingprotection.html | fetch failure
[task 2020-05-01T20:01:21.744Z] 20:01:21 INFO - add_task | Leaving test
[task 2020-05-01T20:01:21.744Z] 20:01:21 INFO - add_task | Entering test
[task 2020-05-01T20:01:21.744Z] 20:01:21 INFO - Extension loaded
[task 2020-05-01T20:01:21.745Z] 20:01:21 INFO - Buffered messages finished
[task 2020-05-01T20:01:21.748Z] 20:01:21 INFO - TEST-UNEXPECTED-FAIL | toolkit/components/extensions/test/mochitest/test_chrome_ext_trackingprotection.html | fetch received
[task 2020-05-01T20:01:21.750Z] 20:01:21 INFO - SimpleTest.ok@chrome://mochikit/content/tests/SimpleTest/SimpleTest.js:299:16
[task 2020-05-01T20:01:21.751Z] 20:01:21 INFO - testHandler@chrome://mochikit/content/tests/SimpleTest/ExtensionTestUtils.js:72:18
[task 2020-05-01T20:01:21.752Z] 20:01:21 INFO - testResult@chrome://mochikit/content/tests/SimpleTest/ExtensionTestUtils.js:82:18
[task 2020-05-01T20:01:21.756Z] 20:01:21 INFO - listener@resource://specialpowers/SpecialPowersChild.jsm:2075:33
[task 2020-05-01T20:01:21.757Z] 20:01:21 INFO - loadExtension/<@resource://specialpowers/SpecialPowersChild.jsm:2017:21
[task 2020-05-01T20:01:21.759Z] 20:01:21 INFO - receiveMessage@resource://specialpowers/SpecialPowersChild.jsm:238:21
[task 2020-05-01T20:01:21.760Z] 20:01:21 INFO - JSActor queryresultListener@resource://specialpowers/SpecialPowersParent.jsm:982:16
[task 2020-05-01T20:01:21.761Z] 20:01:21 INFO - emit@resource://gre/modules/ExtensionCommon.jsm:327:32
[task 2020-05-01T20:01:21.762Z] 20:01:21 INFO - receiveMessage@resource://gre/modules/Extension.jsm:1963:20
[task 2020-05-01T20:01:21.763Z] 20:01:21 INFO - MessageListener.receiveMessageExtension@resource://gre/modules/Extension.jsm:1783:19
[task 2020-05-01T20:01:21.764Z] 20:01:21 INFO - generate@resource://testing-common/ExtensionTestCommon.jsm:458:12
[task 2020-05-01T20:01:21.765Z] 20:01:21 INFO - receiveMessage@resource://specialpowers/SpecialPowersParent.jsm:979:45
[task 2020-05-01T20:01:21.777Z] 20:01:21 INFO - JSActor query*loadExtension@resource://specialpowers/SpecialPowersChild.jsm:2067:10
[task 2020-05-01T20:01:21.780Z] 20:01:21 INFO - ExtensionTestUtils.loadExtension@chrome://mochikit/content/tests/SimpleTest/ExtensionTestUtils.js:113:33
[task 2020-05-01T20:01:21.781Z] 20:01:21 INFO - test_permission@chrome://mochitests/content/chrome/toolkit/components/extensions/test/mochitest/test_chrome_ext_trackingprotection.html:28:38
|
|
||
Comment 16•4 years ago
|
||
This part of the test fails: https://searchfox.org/mozilla-central/rev/710d6e1015d03343b067b92e6f1f775a0b1cad6f/toolkit/components/extensions/test/mochitest/test_chrome_ext_trackingprotection.html#52
The test needs to be updated to move that check down, because as of your patch, requests from extensions are considered to be first-party if the extension has the right permission. Consider this comment to be r+ for making the change that I described.
So change from
add_task(async function() { await test_permission(["<all_urls>"], true); });
// Fetch will not be blocked with explicit permissions
to
// Fetch will not be blocked if the extension has host permissions.
add_task(async function() { await test_permission(["<all_urls>"], true); });
|
|
Assignee | |
Updated•4 years ago
|
|
|
||
Comment 18•4 years ago
|
||
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fbab79f74310 requests with webExtension loading principal are not 3rd party, r=ckerschb,robwu,necko-reviewers https://hg.mozilla.org/integration/autoland/rev/f2dee04f06fa requests with webExtension loading principal are not 3rd party - tests, r=robwu
|
||
Comment 19•4 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/fbab79f74310
https://hg.mozilla.org/mozilla-central/rev/f2dee04f06fa
|
||
Updated•4 years ago
|
|
||
Comment 20•4 years ago
|
||
Thank you for fixing this problem. We should document the new behavior (I think I've seen the old behavior documented in some places?) and I think this would also be a good candidate for the about:addons newsletter.
|
||
Comment 21•4 years ago
|
||
Please could I get some advice on what documentation might need changing.
|
|
||
Comment 22•4 years ago
|
||
I think for example https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#Host_permissions:
bypass tracking protection if the host is a full domain without wildcards. Doesn't work with <all_urls>.
I think the last sentence just doesn't apply anymore I think. Overall I am probably not the best person to help here, because I actually haven't read most of the documentation on MDN.
|
|
||
Updated•4 years ago
|
|
|
||
Comment 23•4 years ago
|
||
Documentation updates completed on host permissions and release notes.
Description
•