Closed Bug 1646727 Opened 4 years ago Closed 4 years ago

Cannot load source maps with samesite=lax authentication cookie

Categories

(Core :: Networking: Cookies, defect, P2)

RESOLVED DUPLICATE of bug 1626335

People

(Reporter: ehoogeveen, Unassigned)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [necko-triaged])

For a while now I've been unable to view source maps on our website using Firefox.

We use HCL's Domino server, which produces session authentication cookies without a SameSite attribute (there's an outstanding request for this [1]). We use source maps for development purposes, which means they're only available if you're logged in with the appropriate access rights. The source maps are on the same domain as both the website itself and the script that they provide a mapping for.

Since bug 1620179 landed, Firefox appears to not send this session cookie when attempting to retrieve the source maps for minified files, and so the server responds with our login page. The minified file itself loads fine, it's just the source map that fails.

I can work around this by adding our domain to network.cookie.sameSite.laxByDefault.disabledHosts or by manually setting the cookie to samesite=none, but this seems like a bug in Firefox to me: The source map is in the same folder as the minified file it's mapping, so samesite=lax should have no effect. Chrome also does not have this problem (but I don't know their position on samesite=lax).

[1] https://domino-ideas.hcltechsw.com/ideas/DDXP-I-550
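The two workarounds in the report above follow from the SameSite rules, modelled here as an added example that is not part of the bug report or of Firefox's code. It assumes the source-map request is classified as not same-site (the thread does not establish why); the host name, cookie value, function names and the `prefs` object (which mirrors the two Firefox prefs) are constructed for illustration.

```javascript
// Constructed sample: a session cookie issued without a SameSite attribute.
const SAMPLE_SET_COOKIE = "SessionID=abc123; Path=/; Secure; HttpOnly";
const HOST = "dev.example.test"; // constructed host name

// SameSite policy a browser would enforce for one Set-Cookie header.
// prefs.laxByDefault mirrors network.cookie.sameSite.laxByDefault;
// prefs.disabledHosts mirrors network.cookie.sameSite.laxByDefault.disabledHosts.
function effectiveSameSite(setCookie, host, prefs) {
  // Skip the name=value pair; only attributes are inspected.
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  const explicit = attrs.find((a) => a.startsWith("samesite="));
  if (explicit) {
    const value = explicit.slice("samesite=".length);
    if (["strict", "lax", "none"].includes(value)) return value;
  }
  // Missing or unrecognised attribute: fall back to the browser default.
  const exempt = prefs.disabledHosts.includes(host.toLowerCase());
  return prefs.laxByDefault && !exempt ? "lax" : "none";
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Would a cookie with this policy be attached to the request?
function cookieIsSent(policy, request) {
  if (policy === "none" || request.sameSite) return true;
  if (policy === "strict") return false;
  // lax: cross-site requests qualify only as safe top-level navigations.
  return request.topLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase());
}

function diagnose(setCookie, host, prefs, request) {
  const policy = effectiveSameSite(setCookie, host, prefs);
  return { policy, sent: cookieIsSent(policy, request) };
}

// The minified script is requested by the page itself: same-site.
const PAGE_SCRIPT_LOAD = { sameSite: true, topLevelNavigation: false, method: "GET" };
// Assumption: the source-map request is not treated as same-site.
const SOURCE_MAP_FETCH = { sameSite: false, topLevelNavigation: false, method: "GET" };

const LAX_DEFAULT = { laxByDefault: true, disabledHosts: [] };
console.log("script:", diagnose(SAMPLE_SET_COOKIE, HOST, LAX_DEFAULT, PAGE_SCRIPT_LOAD));
console.log("source map:", diagnose(SAMPLE_SET_COOKIE, HOST, LAX_DEFAULT, SOURCE_MAP_FETCH));
console.log("host exempted:", diagnose(SAMPLE_SET_COOKIE, HOST,
  { laxByDefault: true, disabledHosts: [HOST] }, SOURCE_MAP_FETCH));
console.log("SameSite=None:", diagnose(SAMPLE_SET_COOKIE + "; SameSite=None", HOST,
  LAX_DEFAULT, SOURCE_MAP_FETCH));
```
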

Honza, can you please have a look?

Severity: -- → S3
Flags: needinfo?(honzab.moz)
Priority: -- → P2
Whiteboard: [necko-triaged]

Honza, how exactly are devtools loading source maps? What is the principal?

Baku, could this be caused by not using the loading principal of the page but likely the system or null to load source maps by devtools?

Flags: needinfo?(odvarko)
Flags: needinfo?(honzab.moz)
Flags: needinfo?(amarchesini)

> For a while now I've been unable to view source maps on our website using Firefox.

I have a couple of questions:

  1. Can you provide an example/demo/test?
  2. Have you tried to enable the sameSite=lax-by-default flag in Chrome to see if there is a difference in the Firefox behavior?

Thank you.

Flags: needinfo?(amarchesini) → needinfo?(emanuel.hoogeveen)

(In reply to Honza Bambas (:mayhemer) from comment #2)

> Honza, how exactly are devtools loading source maps? What is the principal?

Logan, can you please chime in, thanks!

Honza

Flags: needinfo?(odvarko) → needinfo?(loganfsmyth)

Currently the Debugger frontend has a Worker that handles all sourcemap processing, and we fetch the sourcemap using https://searchfox.org/mozilla-central/rev/d6d8fcc22c3820f2ae08229e0d37be19fba74db9/devtools/client/debugger/packages/devtools-utils/src/privileged-network-request.js from inside the Worker. I don't know what principal the Worker runs with, but AFAIK the UI logic that starts the worker runs with the system principal: https://searchfox.org/mozilla-central/rev/d6d8fcc22c3820f2ae08229e0d37be19fba74db9/devtools/shared/base-loader.js#118

Flags: needinfo?(loganfsmyth)

Sorry about the terrible delay here (things have been crazy at work), but it looks like this was fixed in bug 1626335 in the meantime!

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(emanuel.hoogeveen)
Resolution: --- → DUPLICATE
Has Regression Range: --- → yes