Closed Bug 1732069 Opened 3 years ago Closed 3 years ago

Sec-Fetch-Site inconsistent on localhost/IPs

Categories

(Core :: DOM: Security, defect, P3)

Firefox 92
defect

Tracking


RESOLVED FIXED
96 Branch
Tracking Status
firefox96 --- fixed

People

(Reporter: jannis, Assigned: n.goeggi)

References

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(2 files)

Attached file sec-fetch-local.html

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0

Steps to reproduce:

For localhost and IPs, requests to localhost/the same IP with a different port have the Sec-Fetch-Site header set to cross-site instead of same-site.

Actual results:

The request to http://localhost:9000 from http://localhost:9898 has the header Sec-Fetch-Site: cross-site.
The request to http://sub.localhost:9898 from http://localhost:9898 has the header Sec-Fetch-Site: cross-site.

For IPs (e.g., 127.0.0.1) the same happens for ports; subdomains are not applicable.
For a real site (e.g., demo.websec.saarland), requests with a different port or subdomain have Sec-Fetch-Site: same-site.

Requests to the same origin always have Sec-Fetch-Site: same-origin.

Expected results:

The requests to the same site (only the port differs) should have Sec-Fetch-Site: same-site for localhost and IPs.

Localhost is not a proper domain, so subdomains only make limited sense. However, Firefox and other browsers still resolve sub.localhost, so it might make sense to send Sec-Fetch-Site: same-site instead of cross-site on these requests to not confuse developers doing local testing.

Chrome currently sends same-site for a different port (different to Firefox) and cross-site for a localhost "sub"domain (same as Firefox).
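As an added illustration, not code from this bug or from Gecko, the following Python computes the Sec-Fetch-Site value for an initiator/target pair the way the report expects: loopback and IP hosts count as their own site, so a different port alone stays same-site, while sub.localhost remains a different site. It assumes schemeful sites and a simplified registrable-domain rule (last two host labels, no Public Suffix List).

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed example (not from the bug or from Gecko): computes the
# Sec-Fetch-Site value a browser attaches to a request from `initiator`
# to `target`, treating loopback/IP hosts as a site of their own.

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def _origin(url):
    """(scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def _is_ip_or_loopback(host):
    # urlsplit().hostname already strips the brackets of an IPv6 literal.
    if host == "localhost":
        return True
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _site(scheme, host):
    # Assumption: simplified registrable-domain rule without a Public
    # Suffix List. IP addresses and the literal "localhost" are a site on
    # their own (port ignored); any other host keeps its last two labels,
    # so "sub.localhost" is a different site from "localhost".
    if _is_ip_or_loopback(host):
        return scheme, host
    return scheme, ".".join(host.split(".")[-2:])


def sec_fetch_site(initiator, target):
    """Return 'same-origin', 'same-site' or 'cross-site' for a request
    from the initiator URL to the target URL (both absolute)."""
    a, b = _origin(initiator), _origin(target)
    if a == b:
        return "same-origin"
    if _site(a[0], a[1]) == _site(b[0], b[1]):
        return "same-site"
    return "cross-site"
```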

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Networking' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → DOM: Networking
Product: Firefox → Core
Component: DOM: Networking → Security

The severity field is not set for this bug.
:dveditz, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dveditz)
Severity: -- → S3
Component: Security → DOM: Security
Flags: needinfo?(dveditz)

Niklas, can you take a look?

Blocks: 1695911
Flags: needinfo?(ngogge)
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Assignee: nobody → ngogge
Flags: needinfo?(ngogge)
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #9247072 - Attachment description: WIP: Bug 1732069: Consider loopback origin for Sec-Fetch-Site: same-site r=ckerschb! → Bug 1732069: Consider loopback origin for Sec-Fetch-Site: same-site r=ckerschb!
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/bf0203eb73d7
Consider loopback origin for Sec-Fetch-Site: same-site r=ckerschb
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch
Flags: qe-verify+
