COEP/CORP image load fails on reload
Categories
(Core :: Networking: Cache, defect, P1)
Tracking
()
People
(Reporter: hanno, Assigned: valentin)
Details
(Whiteboard: [necko-triaged], [wptsync upstream])
Attachments
(3 files)
304.55 KB,
video/x-matroska
|
Details | |
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-esr91+
|
Details | Review |
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-esr91+
|
Details | Review |
I discovered an odd behavior in combination with the Cross-Origin-Embedder-Policy / Cross-Origin-Resource-Policy headers.
I have a testcase setup at
https://d.q2.re/
(I will try to leave that online for the time this bug is analyzed)
The host sends "Cross-Origin-Embedder-Policy: require-corp", which would mean it can only load external images from other hosts if they explicitly allow this via CORP.
The first image does not send any special headers, so as expected the load is blocked. The second image sends "Cross-Origin-Resource-Policy: cross-origin", so the image load should work.
It does work when one accesses the page initially. However after a click on reload the image disappears. I have recorded this in a video which I will attach.
My guess is that the CORP property of the image is somehow not preserved when the image is loaded from cache (as you can see in the network tab the image request gets a 304 not modified and the image should be fetched from the cache).
Comment 1•3 years ago
|
||
When reloading we serve headers from our cache and the cache does not seem to store the CORP header (at least it doesn't send them). Confirmed when inspecting headers in devtools network tab.
Comment 2•3 years ago
|
||
Thanks Hanno!
Valentin, is this something you can tackle?
Comment 3•3 years ago
|
||
Uh, this needs a priority bump. It's preventing people from shipping cross-origin isolation features.
We can't tell people to use security features to protect against real attacks, when they are dysfunctional :/
Valentin? Jens?
Assignee | ||
Comment 4•3 years ago
|
||
Thanks for the poke. Sorry I missed the ni for so long.
I assume the issue is somehow caused by the cached resource missing the CORP header.
From what I can tell the 304 resource doesn't even have a contentType (judging by what I see in the video)
Assignee | ||
Comment 5•3 years ago
|
||
Hanno, the test case in comment 0 doesn't work anymore.
Do you still have it available?
Assignee | ||
Comment 6•3 years ago
|
||
Reporter | ||
Comment 7•3 years ago
|
||
I have restored the testcase, it should work again. Can also confirm that the same behavior shows up in firefox 92.
Updated•3 years ago
|
Assignee | ||
Comment 8•3 years ago
|
||
Previously we called ProcessCrossOriginEmbedderPolicy
in
nsHttpChannel::ContinueProcessResponse1
, but we only loaded the cached
response headers in ContinueProcessResponse3
, meaning that we incorrectly
reported a missing header for the revalidated resource.
This change moves the header checking calls to ContinueProcessNormal
and
ContinueProcessRedirection
instead, so they get executed after processing
the cached headers.
Depends on D125129
Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/218ce41d771c Add WPT for COEP/CORP image reloading r=annevk https://hg.mozilla.org/integration/autoland/rev/c1e0fff3e513 Call ProcessCrossOrigin*Header methods after loading cached headers r=necko-reviewers,dragana
Comment 10•3 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/218ce41d771c
https://hg.mozilla.org/mozilla-central/rev/c1e0fff3e513
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/30881 for changes under testing/web-platform/tests
Upstream PR merged by moz-wptsync-bot
Comment 13•2 years ago
•
|
||
Apparently this fixed regressions in the ESR. See bug 1749009.
Can this be easily uplifted to the ESR?
Assignee | ||
Comment 14•2 years ago
|
||
Comment on attachment 9240513 [details]
Bug 1699373 - Call ProcessCrossOrigin*Header methods after loading cached headers r=#necko
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Fixes issue from bug 1749009:
recaptcha doesn't work any more with firefox 91 esr via sso squid proxy
- User impact if declined: Some pages will not work properly on ESR
- Fix Landed on Version: 94
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The fix has been on release channel for a couple releases with no regressions.
Assignee | ||
Updated•2 years ago
|
Updated•2 years ago
|
Comment 15•2 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-esr91/rev/6f296ebeda37
https://hg.mozilla.org/releases/mozilla-esr91/rev/0cb2ab8a5857
Comment 16•2 years ago
|
||
Comment on attachment 9240513 [details]
Bug 1699373 - Call ProcessCrossOrigin*Header methods after loading cached headers r=#necko
Approved for ESR
Updated•2 years ago
|
Updated•2 years ago
|
Description
•