XHR from background page is marked as Sec-Fetch-Site: cross-site
Categories
(WebExtensions :: General, defect, P1)
Tracking
(firefox-esr78 unaffected, firefox-esr9192+ fixed, firefox90 wontfix, firefox91+ wontfix, firefox92+ fixed)
People
(Reporter: evilpie, Assigned: n.goeggi)
References
(Regression)
Details
(Keywords: regression)
Attachments
(1 file)
48 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-esr91+
|
Details | Review |
Since the Sec-Fetch-* headers are shipping in Firefox 90, XHR requests from the background page get the following headers:
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
This causes for example Google News to deny the request: https://github.com/nt1m/livemarks/issues/363.
I could imagine that similar to "system" requests, webextension request shouldn't be cross-site
.
Updated•3 years ago
|
Comment 1•3 years ago
|
||
Set release status flags based on info from the regressing bug 1695911
Comment 3•3 years ago
|
||
See https://w3c.github.io/webappsec-fetch-metadata/#extension-initiated. If the extension is granted access to that site, it should have same-origin as value, but otherwise it should be cross-origin.
Comment 4•3 years ago
•
|
||
[Tracking Requested - why for this release]: Unexpected breakage in a new config we're shipping.
Updated•3 years ago
|
Comment 5•3 years ago
|
||
Should we consider unshipping the new headers in 91, or would that be worse than this bug?
Comment 7•3 years ago
|
||
(In reply to Julien Cristau [:jcristau] from comment #5)
Should we consider unshipping the new headers in 91, or would that be worse than this bug?
I suggest to keep the feature, and uplift the fix to ESR91 once it lands.
Affected users can manually flip the pref.
Updated•3 years ago
|
Updated•3 years ago
|
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/autoland/rev/04ebee77f0ad Consider requests from extension with access to the requested site as Sec-Fetch-Site: 'same-origin'. r=ckerschb,robwu
Comment 9•3 years ago
|
||
Backed out for causing clang build bustages.
Backout link: https://hg.mozilla.org/integration/autoland/rev/313b0ffc55b6a05a211c2de315f8a94955bfd476
Comment 10•3 years ago
|
||
#include "mozilla/StaticPrefs_dom.h"
+#include "mozilla/BasePrincipal.h"
Should those be alphabetical?
Assignee | ||
Comment 11•3 years ago
|
||
I put the includes in order now but the actual issue was using BasePrincipal
instead of mozilla::BasePrincipal
.
Comment 12•3 years ago
|
||
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/autoland/rev/f585c3e73564 Consider requests from extension with access to the requested site as Sec-Fetch-Site: 'same-origin'. r=ckerschb,robwu
Comment 13•3 years ago
|
||
bugherder |
Comment 14•3 years ago
|
||
Please nominate this for ESR91 approval when you get a chance.
Comment 15•3 years ago
|
||
Comment on attachment 9234394 [details]
Bug 1722703: Consider requests from extension with access to the requested site as Sec-Fetch-Site: 'same-origin'. r=ckerschb,robwu
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Sec-Fetch-* Security headers is a new security feature we started to ship in Firefox 90 (see Bug 1695911).
- User impact if declined: Web Extensions with access to the requested site send the wrong sec-fetch-* security header.
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Not risky, it's only a small tweak which causes web extensions to send a different security header (covered by automated tests).
- String or UUID changes made by this patch: no
Updated•3 years ago
|
Comment 16•3 years ago
|
||
Comment on attachment 9234394 [details]
Bug 1722703: Consider requests from extension with access to the requested site as Sec-Fetch-Site: 'same-origin'. r=ckerschb,robwu
approved for 91.1esr
Comment 17•3 years ago
|
||
bugherder uplift |
Updated•3 years ago
|
Description
•