When opening Developer tools, it sends a GET request to the same URL - but sometimes with no cookies
Categories
(DevTools :: Debugger, defect, P3)
Tracking
(Not tracked)
People
(Reporter: f.viscardi, Assigned: bomsy)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Steps to reproduce:
- Visit one of my websites (with some PHP-based logging server-side)
- Open the inspector (right click -> inspect)
- Log the request headers server-side and check for the "Cookie" header
- Repeat closing and opening the inspector - if the issue doesn't appear, reload the page or change to a different link (sometimes it fails every time, sometimes it fails every 20th time)
Actual results:
The Developer Tools are inconsistent regarding the "Cookie" HTTP Header:
- Sometimes, the request sends the cookie headers
- Sometimes, they do not
Expected results:
They should send the correct HTTP Cookie headers every time, to identify the correct session.
I've tested this with other browsers (Chrome, Safari), and they do not seem to have this issue. The problem here is that these calls are really inconsistent, and can cause some unexpected issues since the dev tools can open links to areas that are restricted to certain sessions. This can lead to false alerts about unauthorized access (since the URL is restricted, but the missing session implies the request is unauthorized).
I assume this isn't intended behavior?
Tests:
- Safari (on Mac) - sends "Cookie" header normally
- Chrome (on Mac, on Windows, on Linux) - sends "Cookie" header normally
- Firefox (on Mac, on Windows) - sends "Cookie" header irregularly (sometimes it works every time until page reload)
Comment 1•4 years ago
The Bugbug bot thinks this bug should belong to the 'DevTools::Inspector' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2•4 years ago
Thanks for the report!
(In reply to f.viscardi from comment #0)
> - Visit one of my websites (with some PHP-based logging server-side)
Can you please provide URL of a page I could load to reproduce the problem on my machine?
Honza
Comment 3•4 years ago (Assignee)
Hi fviscardi,
Please would you be able to provide a url as requested by honza above?
Thanks
Comment 4•4 years ago (Reporter)
Sorry, I was a bit unspecific. What I meant with "my website" was just a specific php script to execute to check the cookies.
All you have to do, is check the headers / cookie header received by the Dev Tools request. Here is an example for what I mean in PHP:
<?php
session_start();
print_r( $_SERVER[ 'HTTP_COOKIE' ] ?? null );
?>
When visiting the page normally (by hand), the HTTP_COOKIE value is always correct, as expected. But somehow, Dev Tools makes a separate request and sometimes fails to give the proper HTTP_COOKIE headers. It's inconsistent, sometimes it sends them, sometimes it doesn't.
I can't deep dive right now, should be available for more details (if there's confusion) during the weekend, sorry!
Comment 5•4 years ago
(In reply to f.viscardi from comment #4)
> Sorry, I was a bit unspecific. What I meant with "my website" was just a specific php script to execute to check the cookies.
> All you have to do, is check the headers / cookie header received by the Dev Tools request. Here is an example for what I mean in PHP:
> <?php
> session_start();
> print_r( $_SERVER[ 'HTTP_COOKIE' ] ?? null );
> ?>
I put this online here:
http://janodvarko.cz/tests/bugzilla/1699418/
I tried many times to execute a request against that PHP file, but I am always seeing a cookie.
@fviscardi, can you please try the test, can you reproduce the problem?
I was able to make a consistent reproduction.
Reproduction: https://bug1699418.vers.one
Source code: https://github.com/vers-one/Firefox-bug-1699418
Although I think this could be related to the bug 1161278 reported earlier.
Comment 7•3 years ago
Thanks for the test case!
I am not sure if I follow the instructions properly. Here is what I am doing. Note that I have "Disable Cache" option checked in the Network panel.
- Load https://bug1699418.vers.one/
- Click "Set cookie and redirect"
- New page https://bug1699418.vers.one/log is loaded. There are 3 requests in the log (list of requests displayed on the page)
- Open DevTools, select the Debugger panel
- I am not seeing any sources, so reloading the page
- 4 requests in the log on the page
- Debugger panel shows "log" file, select it. Source of the file properly visible
- Every request on the page has Cookie: mycookie=myvalue
- Close DevTools Toolbox and reload the page
- There is one more request, 5 in total on the page (GET https://bug1699418.vers.one/log). The new one also has Cookie: mycookie=myvalue
Notice that the debugger made a GET request to the log page with no cookies.
So, I guess I can't repro?
Also why do you think this is related to bug 1161278 (it might be, I just don't see what's the common issue between those two)
Thank you!
Hmm, it's strange that you weren't able to see any sources at the step 5. It's also strange that the debugger's request at the step 8 has the cookies in it. In my case all debugger's requests are being sent without any cookie headers.
I created a GIF with my reproduction. I'm running Firefox 100.0.2 with a new profile created right before this reproduction.
I think this could be related to bug 1161278 because comment 1 mentions that the debugger makes a GET request even if the page was loaded via POST. This makes sense because making a GET request is safer than a POST but this also means that the request the debugger is constructing to obtain sources is different from the original request. I just assumed that there could be other differences too, like not including the cookie headers.
Comment 9•3 years ago
Redirect a needinfo that is pending on an inactive user to the triage owner.
:Honza, since the bug has recent activity, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 10•3 years ago
Bomsy, are you able to reproduce this bug on your machine?
Comment 11•1 year ago (Assignee)
Apologies, finally getting to this after a long while.
I seem to be able to reproduce the issue. What I see is:
- When I refresh https://bug1699418.vers.one/log before opening devtools a new request (which has the cookie) is added to the list
- When I open debugger and select the log file, and then refresh the page, two requests are added to the list. The first request does not have a cookie (which I think is the request made by the debugger) and the second request which has the cookie.
Thanks
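An added example, not part of the bug report or of Firefox's code: a server-side triage sketch for the false "unauthorized access" alerts the reporter describes, which pairs each cookie-less GET with a cookie-bearing request from the same client for the same path. The log format, the field names, the 5-second window and the verdict labels are assumptions made for this illustration, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed access log: time, client IP, method, path, Cookie header ("-" if absent), User-Agent.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 GET /log mycookie=myvalue Firefox/100.0
2024-05-01T10:00:02 203.0.113.7 GET /log - Firefox/100.0
2024-05-01T10:05:00 198.51.100.9 GET /log - curl/8.0
2024-05-01T10:07:00 203.0.113.7 GET /log - Firefox/100.0
2024-05-01T10:07:01 203.0.113.7 GET /log mycookie=myvalue Firefox/100.0
2024-05-01T10:07:03 203.0.113.7 POST /log - Firefox/100.0
"""


def parse(log_text):
    entries = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, cookie, agent = line.split(maxsplit=5)
        entries.append({"time": datetime.fromisoformat(ts), "ip": ip, "method": method,
                        "path": path, "cookie": None if cookie == "-" else cookie,
                        "agent": agent})
    return entries


def triage(entries, window=timedelta(seconds=5)):
    """Return (entry, verdict) for every request that arrived without a Cookie header."""
    results = []
    for e in entries:
        if e["cookie"] is not None:
            continue
        # The thread describes the debugger's source fetch as a GET to the page's own URL,
        # so only a GET with a cookie-bearing twin (same client, same path, close in time) pairs.
        paired = e["method"] == "GET" and any(
            o["cookie"] is not None
            and (o["ip"], o["agent"], o["path"]) == (e["ip"], e["agent"], e["path"])
            and abs(o["time"] - e["time"]) <= window
            for o in entries)
        results.append((e, "likely-devtools-refetch" if paired else "investigate"))
    return results


def verdicts(log_text):
    return [(e["time"].isoformat(), v) for e, v in triage(parse(log_text))]


if __name__ == "__main__":
    for when, verdict in verdicts(SAMPLE_LOG):
        print(when, verdict)
```

A paired request is still unauthenticated and should still be refused by the application; the verdict only lowers the priority of the resulting alert.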
Comment 12•11 months ago
Bomsy, can you check why the Debugger's request is not picking up the page cookies?
Comment 13•11 months ago (Assignee)