Closed Bug 1722703 Opened 3 years ago Closed 3 years ago

XHR from background page is marked as Sec-Fetch-Site: cross-site

Categories

(WebExtensions :: General, defect, P1)


Tracking

(firefox-esr78 unaffected, firefox-esr91 92+ fixed, firefox90 wontfix, firefox91 + wontfix, firefox92 + fixed)

RESOLVED FIXED
92 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 92+ fixed
firefox90 --- wontfix
firefox91 + wontfix
firefox92 + fixed

People

(Reporter: evilpie, Assigned: n.goeggi)

References

(Regression)

Details

(Keywords: regression)

Attachments

(1 file)

Since the Sec-Fetch-* headers are shipping in Firefox 90, XHR requests from the background page get the following headers:

Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

This causes, for example, Google News to deny the request: https://github.com/nt1m/livemarks/issues/363.

I could imagine that, similar to "system" requests, webextension requests shouldn't be cross-site.

Set release status flags based on info from the regressing bug 1695911

See Also: → 1722044

See https://w3c.github.io/webappsec-fetch-metadata/#extension-initiated. If the extension is granted access to that site, it should have same-origin as its value, but otherwise it should be cross-origin.

Assignee: nobody → ngogge
Status: NEW → ASSIGNED
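The rule above, and the breakage from comment 0, as an added example in JavaScript. It is not code from this bug, from the landed patch or from Firefox: it models the Sec-Fetch-Site value an extension-initiated request should carry per the linked spec section (same-origin when a host permission covers the target, cross-site otherwise) and runs the resulting headers through a generic server-side resource-isolation check of the kind that rejects a cross-site cors/empty fetch. The match-pattern parser is a simplification of the WebExtensions host-permission syntax, the `feedReaderScenario` permissions and URL are assumed for illustration, and the server policy is generic rather than any particular site's logic.

```javascript
// Added example (not code from this bug or from Firefox): models the
// Sec-Fetch-Site value an extension-initiated request should carry under
// https://w3c.github.io/webappsec-fetch-metadata/#extension-initiated
// and a generic server-side resource-isolation check of the kind that
// rejects the background-page XHR described in the report.
// Assumptions: the match-pattern parser below is a simplification of the
// WebExtensions host-permission syntax, and the server policy is a generic
// one, not the logic of any particular site.

// Simplified match-pattern test for host permissions such as
// "*://news.google.com/*", "https://*.google.com/rss*" or "<all_urls>".
// Assumption: only http(s), "*" scheme, "*." host prefix and "*" path globs.
function matchPattern(pattern, url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  const scheme = u.protocol.replace(':', '');
  if (pattern === '<all_urls>') return scheme === 'http' || scheme === 'https';
  const m = /^(\*|https?):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) return false;
  const [, pScheme, pHost, pPath] = m;
  if (pScheme === '*' ? !(scheme === 'http' || scheme === 'https') : pScheme !== scheme) return false;
  if (pHost.startsWith('*.')) {
    const base = pHost.slice(2);
    if (u.hostname !== base && !u.hostname.endsWith('.' + base)) return false;
  } else if (pHost !== '*' && u.hostname !== pHost) {
    return false;
  }
  const escaped = pPath.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + escaped.join('.*') + '$').test(u.pathname + u.search);
}

// Sec-Fetch-Site for a request initiated by an extension: same-origin when a
// host permission covers the target, cross-site otherwise (the spec rule that
// the landed patch implements for extensions with access to the site).
function extensionSecFetchSite(hostPermissions, requestUrl) {
  return hostPermissions.some(p => matchPattern(p, requestUrl)) ? 'same-origin' : 'cross-site';
}

// Fetch-metadata headers on a background-page XHR. Dest/Mode are as reported;
// Site is the unconditional "cross-site" of Firefox 90/91 before the fix, or
// the permission-aware value after it.
function backgroundXhrHeaders(hostPermissions, requestUrl, fixed) {
  return {
    'sec-fetch-dest': 'empty',
    'sec-fetch-mode': 'cors',
    'sec-fetch-site': fixed ? extensionSecFetchSite(hostPermissions, requestUrl) : 'cross-site',
  };
}

// Generic resource-isolation policy: accept requests that are same-origin,
// same-site or user-initiated (none), accept cross-site top-level navigations,
// and reject every other cross-site request. A cross-site cors/empty fetch,
// which is what the broken extension XHR looks like, is rejected.
function resourceIsolationAllows(headers) {
  const site = headers['sec-fetch-site'];
  if (site === undefined) return true; // legacy client without fetch metadata
  if (site !== 'cross-site') return true;
  return headers['sec-fetch-mode'] === 'navigate' && headers['sec-fetch-dest'] === 'document';
}

// Constructed scenario from the report: a feed-reader extension whose manifest
// grants host access to news.google.com fetches a feed from its background
// page. Permissions and URL are assumed for illustration.
function feedReaderScenario(fixed) {
  const hostPermissions = ['*://news.google.com/*'];
  const requestUrl = 'https://news.google.com/rss';
  const headers = backgroundXhrHeaders(hostPermissions, requestUrl, fixed);
  return { site: headers['sec-fetch-site'], allowed: resourceIsolationAllows(headers) };
}

console.log('before fix:', feedReaderScenario(false)); // { site: 'cross-site', allowed: false }
console.log('after fix: ', feedReaderScenario(true));  // { site: 'same-origin', allowed: true }
```

Run with `node`; the before/after lines show why a server that enforces the generic policy rejected the Firefox 90 request and accepts the same request once Sec-Fetch-Site reflects the extension's host access. An extension without a matching host permission still gets cross-site and is still rejected, which is the intended behaviour.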

[Tracking Requested - why for this release]: Unexpected breakage in a new config we're shipping.

Severity: -- → S2
Priority: -- → P1

Should we consider unshipping the new headers in 91, or would that be worse than this bug?

(In reply to Julien Cristau [:jcristau] from comment #5)

Should we consider unshipping the new headers in 91, or would that be worse than this bug?

I suggest keeping the feature, and uplifting the fix to ESR91 once it lands.
Affected users can manually flip the pref.

Attachment #9234394 - Attachment description: WIP: Bug 1722703: Consider requests from extension with access to the requested site as Sec-Fetch-Site: 'same-origin'. r=ckerschb → Bug 1722703: Consider requests from extension with access to the requested site as Sec-Fetch-Site: 'same-origin'. r=ckerschb,robwu
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/04ebee77f0ad
Consider requests from extension with access to the requested site as Sec-Fetch-Site: 'same-origin'. r=ckerschb,robwu
Flags: needinfo?(ngogge)
 #include "mozilla/StaticPrefs_dom.h"
+#include "mozilla/BasePrincipal.h"
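Review bot: the added include is out of order; mozilla/BasePrincipal.h sorts before mozilla/StaticPrefs_dom.h, so the `+#include "mozilla/BasePrincipal.h"` line belongs above the existing StaticPrefs_dom.h include rather than below it. Pulling in the header also only helps if the code refers to the class as mozilla::BasePrincipal (or has a using-declaration in scope); a bare BasePrincipal will not resolve outside that namespace, which is what the follow-up reply identifies as the actual problem with the first landing.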

Should those be alphabetical?

I put the includes in order now but the actual issue was using BasePrincipal instead of mozilla::BasePrincipal.

Flags: needinfo?(ngogge)
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/f585c3e73564
Consider requests from extension with access to the requested site as Sec-Fetch-Site: 'same-origin'. r=ckerschb,robwu
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 92 Branch

Please nominate this for ESR91 approval when you get a chance.

Flags: needinfo?(ngogge)

Comment on attachment 9234394 [details]
Bug 1722703: Consider requests from extension with access to the requested site as Sec-Fetch-Site: 'same-origin'. r=ckerschb,robwu

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Sec-Fetch-* security headers are a new security feature we started to ship in Firefox 90 (see Bug 1695911).
  • User impact if declined: Web Extensions with access to the requested site send the wrong Sec-Fetch-* security header.
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Not risky, it's only a small tweak which causes web extensions to send a different security header (covered by automated tests).
  • String or UUID changes made by this patch: no
Attachment #9234394 - Flags: approval-mozilla-esr91?
Flags: needinfo?(ngogge)

Comment on attachment 9234394 [details]
Bug 1722703: Consider requests from extension with access to the requested site as Sec-Fetch-Site: 'same-origin'. r=ckerschb,robwu

approved for 91.1esr

Attachment #9234394 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
Has Regression Range: --- → yes