1680066 - HTTP Auth tab-modal prompt is not shown for extension sidebar

Status: RESOLVED FIXED

(Toolkit Graveyard :: Notifications and Alerts, defect, P3)

Description

[max]

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0

Steps to reproduce:

It seems that implementation of tab-modal password prompt
for WWW-Authenticate Basic requests broke extensions that fetch
data from sidebar if backend server uses this type of authentication.
It looks like changes made for Bug #613785 caused regression.
Password prompt is shown only if behaviour is changed to old
window-modal mode through the related setting.

• prompts.modalType.httpAuth=2 (MODAL_TYPE_TAB, current default)
• extension that performs request requiring HTTP Basic auth
  from its sidebar panel

panel.js:
fetch("http://127.0.0.1:8000/", {credentials: "include"});

panel.html:
<html>
<body>sidebar</body>
<script src="panel.js"></script>
</html>

manifest.json
{
"manifest_version": 2,
"name": "example-httpauth",
"version": "0.1",
"permissions": [ "http://127.0.0.1/*" ],
"sidebar_action": {
"default_title": "HTTP Auth",
"default_panel": "panel.html"
}
}

test server
#!/usr/bin/env python3
from http.server import HTTPServer, BaseHTTPRequestHandler

class Handler(BaseHTTPRequestHandler):
def do_GET(self):
if (self.headers.get('Authorization')):
self.send_response(200, 'OK')
self.end_headers()
self.wfile.write(b'<html><body><h1>OK</h1></body></html>')
else:
self.send_response(401, 'Not Authorized')
self.send_header('WWW-Authenticate', 'Basic')
self.end_headers()
self.wfile.write(b'<html><body><h1>Not Authorized</h1></body></html>')

def run(server_class=HTTPServer, handler_class=Handler):
server_address = ('127.0.0.1', 8000)
httpd = server_class(server_address, handler_class)
httpd.serve_forever()

if name == 'main':
run()

• load extension, open sidebar, switch to the extension panel

Actual results:

Nothing

Expected results:

Password prompt appears.

Workaround: set prompts.modalType.httpAuth=3

Originally I noticed the problem with the webscrapbook extension.
There was wonderful XUL addons to save HTML pages.
Currently such kind of extensions have to use backend,
but developer's resources are limited and only HTTP Basic Auth
is currently implemented for the server part.
I agree that HTTP Authentication is not the best variant,
but better option is not implemented yet for the particular
extension. Moreover, e.g. identity.launchWebAuthFlow
is not available on Android.

Please, fix password prompt for default preferences when
a request requiring authentication is issued by extension
sidebar page.

Comment 1

[Raluca Popovici, Desktop QA]

I will move this bug over to a component so developers can take a look at it. If this is not the correct component please feel free to change it to an appropriate one.

Comment 2

[Alex Cornestean]

Hello!

I am Alex from QA and I am trying to confirm the validity of this bug.

Unfortunately I am not sure how to set up the prerequisites for the test server and I will need detailed instructions for every step if possible.

Thank you !

Comment 3

[max]

You could use any web server to configure HTTP authorization: Apache, Nginx, etc. Alternatively you could write a short script accordingly to you preferences in respect to programming language and framework, e.g. vanilla Node.JS, Werkzeug for python, etc. Just send 401 Not Authorized response with WWW-Authenticate: Basic header.

The script that relies on python standard library (unfortunately formatting was corrupted, I was not aware of MarkDown support in Bugzilla)

#!/usr/bin/env python3
"""Test HTTP server to demonstrate firefox bug with password prompt
for request from extension sidebar panel
https://bugzilla.mozilla.org/show_bug.cgi?id=1680066
"""
from http.server import HTTPServer, BaseHTTPRequestHandler


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if (self.headers.get('Authorization')):
            self.send_response(200, 'OK')
            self.end_headers()
            self.wfile.write(b'<html><body><h1>OK</h1></body></html>\n')
        else:
            self.send_response(401, 'Not Authorized')
            self.send_header('WWW-Authenticate', 'Basic')
            self.end_headers()
            self.wfile.write(b'<html><body><h1>Not Authorized</h1></body></html>\n')


def run(server_class=HTTPServer, handler_class=Handler):
    server_address = ('127.0.0.1', 8000)
    httpd = server_class(server_address, handler_class)
    httpd.serve_forever()


if __name__ == '__main__':
    run()

A test that server works as expected

python3 http_server_auth.py

curl -D - http://127.0.0.1:8000/
HTTP/1.0 401 Not Authorized
Server: BaseHTTP/0.6 Python/3.6.9
Date: Tue, 08 Dec 2020 11:31:16 GMT
WWW-Authenticate: Basic

<html><body><h1>Not Authorized</h1></body></html>

curl -u test:test -D - http://127.0.0.1:8000/
HTTP/1.0 200 OK
Server: BaseHTTP/0.6 Python/3.6.9
Date: Tue, 08 Dec 2020 11:31:33 GMT

<html><body><h1>OK</h1></body></html>

Comment 4

[max]

Alex, you should have some facility that allows to test HTTP Basic Auth prompts in firefox. Just use its address in panel.js in fetch() request. Such way should be even easier than running own server even as a script from my comments.

Comment 5

[Alex Cornestean]

Hello max,

Thank you for the info you provided so quickly! With the formatted script you provided I managed to set up the server.

As such, I’ve managed to reproduce the issue on the latest Nightly (85.0a1/20201208213457), Beta (84.0/20201207203640) and Release (83.0/20201112153044) under Windows 10 Pro 64-bit and Ubuntu 16.04 LTS.

With prompts.modalType.httpAuth = 2 opening the extension sidebar will not display any password prompt. Changing the pref to 3 and closing/opening the sidebar will result in the prompt being displayed.

Comment 6

[:Gijs (he/him)]

Uh, Paul, did someone flag this bug up to you? Looks like something we should try to address...

Comment 7

[Paul Zühlcke [:pbz]]

Thanks for bringing this to my attention!
The issue is that we don't get a TabDialogBox for the prompt call here: https://searchfox.org/mozilla-central/rev/df23c6e58c6be1eb8399e475878f73d4867bef87/browser/actors/PromptParent.jsm#305
I didn't expect the webextension panel window to have a gBrowser at all, but it seems we have a stub here: https://searchfox.org/mozilla-central/rev/df23c6e58c6be1eb8399e475878f73d4867bef87/browser/base/content/webext-panels.js#126-142
In theory the old TabModalPrompt should work with web extension panels. Though, if I set prompts.tabChromePromptSubDialog=false it shows some broken prompt UI in the panel.

We could fix this Bug for now by showing window prompts for extension panels. The TabDialogBox does not support panels.
Gijs, do you think that's a sensible fix or do we want to integrate with any of the in-chrome dialog boxes?

Comment 8

[:Gijs (he/him)]

(In reply to Paul Zühlcke [:pbz] from comment #7)

Thanks for bringing this to my attention!
The issue is that we don't get a TabDialogBox for the prompt call here: https://searchfox.org/mozilla-central/rev/df23c6e58c6be1eb8399e475878f73d4867bef87/browser/actors/PromptParent.jsm#305
I didn't expect the webextension panel window to have a gBrowser at all, but it seems we have a stub here: https://searchfox.org/mozilla-central/rev/df23c6e58c6be1eb8399e475878f73d4867bef87/browser/base/content/webext-panels.js#126-142
In theory the old TabModalPrompt should work with web extension panels. Though, if I set prompts.tabChromePromptSubDialog=false it shows some broken prompt UI in the panel.

We could fix this Bug for now by showing window prompts for extension panels. The TabDialogBox does not support panels.
Gijs, do you think that's a sensible fix or do we want to integrate with any of the in-chrome dialog boxes?

I think a window prompt is OK for now. The webextension team might want to implement a tabdialogbox for the webextension panel/sidebar in future?

Comment 9

[Paul Zühlcke [:pbz]]

Attachment: Bug 1680066 - Fall back to window prompts for webextension sidebar. r=gijs!

Comment 10

[Pulsebot]

Pushed by pzuhlcke@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/89c0c4d8d57c
Fall back to window prompts for webextension sidebar. r=Gijs

Comment 11

[Atila Butkovits]

https://hg.mozilla.org/mozilla-central/rev/89c0c4d8d57c