Closed Bug 1728981 Opened 4 years ago Closed 3 years ago

WebSocket request is still being upgraded with permanent HTTPS only exception

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
96 Branch
Tracking Flags:
Tracking Status
firefox96 --- fixed

People

(Reporter: evilpies, Assigned: evilpies)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

Attachments

(1 file)

Bug 1728981 - Don't upgrade HTTP WebSocket requests of exempt principals. r?ckerschb
48 bytes, text/x-phabricator-request
Details | Review

I am running Home Assistant at homeassistant.local:8123. I haven't setup https for this, so I am disabling HTTPS-only mode for this. However WebSocket requests initiated by the zigbee2mqq dasboard are still being upgraded.

Putting a breakpoint in the nsHTTPSOnlyUtils::ShouldUpgradeWebSocket function, httpsOnlyStatus seems to be 17. I think that means HTTPS_ONLY_TOP_LEVEL_LOAD_IN_PROGRESS | HTTPS_ONLY_UNINITIALIZED ?

The WebSocket connection seems to be made from an iframe, opening the frame in its own tab makes it work correctly.

same-origin frame, I assume?

(In reply to Daniel Veditz [:dveditz] from comment #2)

same-origin frame, I assume?

Yes.

Hopefully we can get to this soon, but for now we probably don't have the people to make it "active" for a few weeks.

Priority: -- → P3
Whiteboard: [domsecurity-backlog]

I think what we need to do is add TestIfPrincipalIsExempt within nsHTTPSOnlyUtils::ShouldUpgradeWebSocket in case someone is going to pick that up.

Adding TestIfPrincipalIsExempt to nsHTTPSOnlyUtils::ShouldUpgradeWebSocket works a treat. Interestingly enough the function is now almost identical to nsHTTPSOnlyUtils::ShouldUpgradeRequest, the only thing that is different the last few lines.

  // If the status was not determined before, we now indicate that the request
  // will get upgraded, but no event-listener has been registered yet.
  if (httpsOnlyStatus & nsILoadInfo::HTTPS_ONLY_UNINITIALIZED) {
    httpsOnlyStatus ^= nsILoadInfo::HTTPS_ONLY_UNINITIALIZED;
    httpsOnlyStatus |= nsILoadInfo::HTTPS_ONLY_UPGRADED_LISTENER_NOT_REGISTERED;
    aLoadInfo->SetHttpsOnlyStatus(httpsOnlyStatus);
  }
See Also: → 1701386

Note: in likely-older-dupe bug 1701386, it sounded like we weren't sure how to recreate the setup for this issue in a test.

If that's still the case (i.e. if we don't know how this can happen), I'm happy to do what I can to help, as someone who can reproduce this locally. In particular / for example, I have a pernosco trace of myself hitting the bug that I can share if that's useful.

I debugged it backwards a little bit, and I found that the same-origin iframe does not have HTTPS_ONLY_EXEMPT set in its mHttpsOnlyStatus member-var, even though the outermost iframe does have that flag set. There must be something special about the way the site is loading the iframe, which triggers this, because I can't reproduce that behavior from a trivial testcase that I wrote locally (an http-only page with a same-origin iframe).

Severity: -- → S4
Assignee: nobody → evilpies
Status: NEW → ASSIGNED
Pushed by evilpies@gmail.com: https://hg.mozilla.org/integration/autoland/rev/70d050093e8f Don't upgrade HTTP WebSocket requests of exempt principals. r=ckerschb

https://hg.mozilla.org/mozilla-central/rev/70d050093e8f

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox96: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch
Blocks: 1701386
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: