Closed Bug 1648036 Opened 4 years ago Closed 4 years ago

`sourceURL` in abuse report has the wrong value when site uses client-side (javascript) navigation

Categories

(Toolkit :: Add-ons Manager, defect, P2)

Product:
Toolkit
Component:
Add-ons Manager
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla80
Tracking Flags:
Tracking Status
firefox-esr78 --- fixed
firefox80 --- fixed

People

(Reporter: willdurand, Assigned: willdurand)

Details

Attachments

(1 file)

Bug 1648036 - Use `window.location` to determine the `sourceURL`/`sourceHost` when installing an add-on. r=rpl
47 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-esr78+
Details | Review

STR

  1. It's probably best to try in a -dev env, so let's configure your FF profile for addons-dev.allizom.org. Create/update the following prefs:
  • extensions.webapi.testing set to true
  • xpinstall.signatures.dev-root set to true
  • extensions.abuseReport.amoDetailsURL set to https://services.addons-dev.allizom.org/api/v4/addons/addon/
  • extensions.abuseReport.url set to https://services.addons-dev.allizom.org/api/v4/abuse/report/addon/

  1. Go to: https://addons-dev.allizom.org/en-US/firefox/addon/search_by_image/?src=recommended_fallback

  2. Click on another extension on this page (for example in "Other popular extensions")

  3. Install this extension (not the "search by image" one)

  4. Open the Browser Toolbox > Network panel

  5. Report this extension using the button on AMO

  6. Observe the request being sent by AbuseReport in the network panel

What happened?

The source URL in the payload (addon_install_source_url) is:

https://addons-dev.allizom.org/en-US/firefox/addon/search_by_image/?src=recommended_fallback

Expected

The source URL in the payload (addon_install_source_url) is the URL of the current page on AMO, not the one pasted above.

Anything else?

This happens because once we load a page on AMO, all buttons/links use "client-side navigation" using a JavaScript router and probably the History API. We can see here that we use this.window.document.nodePrincipal.URI, which retains the URI of the very first page loaded. Its value isn't updated.

We probably need to rely on something like this.window.location instead.

The issue is probably present in InstallTrigger too.

Shane and Stuart, could we prioritize this?

Flags: needinfo?(mixedpuppy)

(In reply to Andreas Wagner [:TheOne] [use NI] from comment #1)

Shane and Stuart, could we prioritize this?

If I recall correctly, Will did also want to take this one and attach a patch. If Will can't work on a patch for this anymore, I'm ok to take it.

If I recall correctly, Will did also want to take this one and attach a patch.

That's correct.

I made changes to amWebAPI and amInstallTrigger but left
amContentHandler unchanged.

It's not clear to me how we are using this handler. Some existing test
cases expect sourceURL to be undefined so I am not sure we can
retrieve a URL from aRequest.URI for instance.

looks like this is moving forward.

Flags: needinfo?(mixedpuppy)

The severity field is not set for this bug.
:mixedpuppy, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mixedpuppy)
Severity: -- → S2
Flags: needinfo?(mixedpuppy)
Priority: -- → P2
Pushed by btara@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/cec17cfddb34 Use `window.location` to determine the `sourceURL`/`sourceHost` when installing an add-on. r=rpl

https://hg.mozilla.org/mozilla-central/rev/cec17cfddb34

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox80: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80

Comment on attachment 9162200 [details]
Bug 1648036 - Use window.location to determine the sourceURL/sourceHost when installing an add-on. r=rpl

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Without this patch, the abuse reports submitted by the users would not always include the correct url of the website from where the extension installation has been triggered. This would likely prevent AMO admins to correctly handle abuse reports and/or make it harder to detect malicious activities.

Given that we only noticed the issue recently and that the ESR version stays around for a longer time, the AMO admins would like to make sure that we send the correct URL for as many abuse reports as possible, which is why an uplift to ESR would be helpful.

  • User impact if declined: Users who report abuse reports might not see any action taken by AMO admins because admins wouldn't have accurate data.
  • Fix Landed on Version: 80
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This patch includes two small changes to the AddonManager internals to fix the value collected and stored in the addon db. Both changes are covered by tests.
  • String or UUID changes made by this patch:
Attachment #9162200 - Flags: approval-mozilla-esr78?

Comment on attachment 9162200 [details]
Bug 1648036 - Use window.location to determine the sourceURL/sourceHost when installing an add-on. r=rpl

Approved for 78.2esr. Thanks for the test coverage.

Attachment #9162200 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: