Closed Bug 1659578 Opened 4 years ago Closed 4 years ago

Ctrl-S from PDF Viewer/JSON viewer does not serve from cache, and it does not include SameSite=Strict cookies either (when privacy.partition.network_state=true)

Categories: Core :: Privacy: Anti-Tracking, defect, P2 (78 Branch)
Status: RESOLVED DUPLICATE of bug 1641270
People: Reporter: robwu, Assigned: timhuang
References: Regression
Keywords: regression
Attachments: 2 files (1.80 KB and 1.32 KB, both application/x-javascript)

Attached file server.js

Bug 1639154 initially caused a regression that prevented PDFs with SameSite-cookies from being saved.
Bug 1640405 attempted to fix this, and the patch claims to have a fix for SameSite=Lax/Strict. Unfortunately, unit tests were not included, and it turns out that this only fixed the SameSite=Lax case. SameSite=Strict is still affected. And I'm not sure whether the fix is correct; I would expect the request to be served from the cache, not via a fresh HTTP request.

STR:

  1. Download and start the attached Node.js server.
  2. Visit http://localhost:16567/setcookies
  3. Click on the link to /testcook.pdf (this PDF is served with Cache-Control: no-store).
  4. Press Ctrl-S.

Expected:

  • The download is 505 bytes, consisting of the PDF.
  • The server should show only one request (the initial request). The Ctrl-S request should have been served from the cache.
  • Even if not served from the cache (which could be considered a separate bug), then the second request should include the SameSite=Strict cookie.

Actual:

  • The download has 15 bytes ("Missing cookies")
  • The server's stdout log shows checkcookie= laxcook=lax

GOOD: Expected server log, before bug 1639154 (Firefox 77-)

/setcookies
checkcookie= laxcook=lax; strictcook=strict

BAD: Actual server log, after bug 1639154 but before bug 1640405 (Firefox 78 - 79):

/setcookies
checkcookie= laxcook=lax; strictcook=strict
checkcookie= undefined

BAD: Actual server log, after bug 1640405 until now (Firefox 79+):

/setcookies
checkcookie= laxcook=lax; strictcook=strict
checkcookie= laxcook=lax

So there are two issues to be fixed:

  • Ctrl-S does not serve PDFs from the cache.
  • Ctrl-S does not include SameSite=Strict cookies.

Summary: Ctrl-S from PDF viewer does not serve from cache, and it does not include SameSite=Strict cookies either → Ctrl-S from PDF viewer does not serve from cache, and it does not include SameSite=Strict cookies either (when privacy.partition.network_state=true)
Severity: -- → S2
Priority: -- → P2
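
A stand-in for the test server the STR above relies on, added here as an example; it is not the attached server.js. The paths, port, cookie names and the 15-byte "Missing cookies" body come from the report, while the PDF body, the 200 status on failure and the `--serve` switch are assumptions.

```javascript
// Added example: stand-in test server for the STR (not the attached server.js).
// PLACEHOLDER_PDF is constructed; it is not the 505-byte PDF from the report.
const PLACEHOLDER_PDF = '%PDF-1.4\n% constructed placeholder\n%%EOF\n';

// Parse a Cookie request header into { name: value }.
function parseCookies(header) {
  const jar = {};
  for (const pair of (header || '').split(';')) {
    const i = pair.indexOf('=');
    if (i > 0) jar[pair.slice(0, i).trim()] = pair.slice(i + 1).trim();
  }
  return jar;
}

// Pure handler so the cookie check can be tested without a socket.
function handle(path, cookieHeader) {
  if (path === '/setcookies') {
    return {
      status: 200,
      headers: {
        'Content-Type': 'text/html',
        'Set-Cookie': ['laxcook=lax; SameSite=Lax', 'strictcook=strict; SameSite=Strict'],
      },
      body: '<a href="/testcook.pdf">/testcook.pdf</a>',
      log: '/setcookies',
    };
  }
  if (path === '/testcook.pdf') {
    const jar = parseCookies(cookieHeader);
    const ok = jar.laxcook === 'lax' && jar.strictcook === 'strict';
    return {
      status: 200, // assumption: the report does not state the status code
      headers: { 'Content-Type': ok ? 'application/pdf' : 'text/plain', 'Cache-Control': 'no-store' },
      body: ok ? PLACEHOLDER_PDF : 'Missing cookies',
      log: 'checkcookie= ' + cookieHeader, // same shape as the logs in the report
    };
  }
  return { status: 404, headers: {}, body: 'Not found', log: path };
}

// `node thisfile.js --serve` listens on the port used in the STR.
if (process.argv.includes('--serve')) {
  import('node:http').then(({ createServer }) => createServer((req, res) => {
    const r = handle(req.url, req.headers.cookie);
    console.log(r.log);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(16567, 'localhost'));
}
```

A saved file of 15 bytes, or a second `checkcookie=` line in the log, corresponds to the two issues listed above.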

I cannot reproduce this issue anymore. It seems this has been fixed somewhere. I ran a mozregression and figured out that this push fixes this issue. Unfortunately, there are too many bugs in this push, so I cannot tell which bug fixes this issue.

Rob, would you be able to verify if this is fixed? Thanks.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(rob)
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

From the regression range, bug 1659753 looks like the most likely cause of the behavioral change.
It's not a fix for the fundamental problem, but a side effect of the implementation change (i.e. saving the already-downloaded data as stored in a blob:-URL instead of passing a http(s):-URL).

The PDF Viewer is implemented using a stream converter. I know that the JSON Viewer is also implemented using a stream converter, and managed to reproduce the original bug on release. Same STR as original report, except json instead of pdf. I'll attach the server for testing.

Depends on: 1659753
Flags: needinfo?(rob)
Summary: Ctrl-S from PDF viewer does not serve from cache, and it does not include SameSite=Strict cookies either (when privacy.partition.network_state=true) → Ctrl-S from PDF Viewer/JSON viewer does not serve from cache, and it does not include SameSite=Strict cookies either (when privacy.partition.network_state=true)
Attached file server-json.js

STR: Same as comment 0, except with "pdf" replaced by "json".

The issue is that the saving channel doesn't have the correct cookieJarSettings. So, it won't use the correct partitionKey when downloading the resource. The patches of Bug 1641270 can fix this issue.

I'll mark bug 1641270 as a dependency then, and assign this bug to you to keep track of it. If the other bug is fixed, then this one can probably be closed too (maybe even as a duplicate? maybe after QA verification?).

Assignee: nobody → tihuang
Depends on: 1641270

I can confirm that this issue has been fixed by Bug 1641270.

Status: REOPENED → RESOLVED
Has STR: --- → yes
Closed: 4 years ago
Resolution: --- → DUPLICATE
Has Regression Range: --- → yes