Sec-Fetch-Site inconsistent on localhost/IPs
Categories
(Core :: DOM: Security, defect, P3)
Tracking
Version | Tracking | Status
---|---|---
firefox96 | --- | fixed
People
(Reporter: jannis, Assigned: n.goeggi)
Details
(Whiteboard: [domsecurity-backlog1])
Attachments
(2 files)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
Steps to reproduce:
For localhost and IPs, for requests to localhost/the same IP with a different port, the Sec-Fetch-Site header of the request is cross-site instead of same-site.
- Download the attached file
- Run a local web server on port 9898 (e.g., php -S 0.0.0.0:9898)
- Visit http://localhost:9898/sec-fetch-local.html
- Open the dev tools and observe the Sec-Fetch-Site header of the requests
(- Visit https://demo.websec.saarland/static/sec-fetch-realsite.html to check a non-localhost site
- Change localhost to 127.0.0.1 in the local file and visit http://127.0.0.1:9898/sec-fetch-local.html)
Actual results:
The request to http://localhost:9000 from http://localhost:9898 has the header Sec-Fetch-Site: cross-site.
The request to http://sub.localhost:9898 from http://localhost:9898 has the header Sec-Fetch-Site: cross-site.
For IPs (e.g., 127.0.0.1) the same happens for ports; subdomains are not applicable.
For a real site (e.g., demo.websec.saarland), requests with a different port or subdomain have Sec-Fetch-Site: same-site.
Requests to the same origin always have Sec-Fetch-Site: same-origin.
Expected results:
The requests to the same site (only the port differs) should have Sec-Fetch-Site: same-site for localhost and IPs.
Localhost is not a proper domain, so subdomains only make limited sense. However, Firefox and other browsers still resolve sub.localhost, so it might make sense to send Sec-Fetch-Site: same-site instead of cross-site on these requests to not confuse developers doing local testing.
Chrome currently sends same-site for a different port (different from Firefox) and cross-site for a localhost "sub"domain (same as Firefox).
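The classification the report asks for, written out as an added example (this is not code from the bug report, from the attached test page or from Firefox): it applies the schemeful same-site rule from the Fetch Metadata and HTML specs, where a host with no registrable domain (an IP literal or the single label localhost) is its own site, so a port difference alone never yields cross-site, while sub.localhost gets the registrable domain sub.localhost and therefore stays cross-site, as both browsers report. Assumed for the example: no Public Suffix List is available offline, so the public suffix is approximated as the last DNS label, and the scheme-mismatch case (http to https) is the example's own addition, not something the report tested.

```javascript
// Added example: reference classifier for Sec-Fetch-Site encoding the
// behaviour expected in the report. Not code from the report or from Firefox.
//
// Rule (Fetch Metadata / HTML "schemeful same-site"):
//   same-origin : scheme, host and port all equal
//   same-site   : scheme equal and site equal, where site is the registrable
//                 domain, or the whole host when it has none (IP literals,
//                 "localhost"); a different port alone never breaks same-site
//   cross-site  : everything else
//
// Assumption: no Public Suffix List offline, so the public suffix is
// approximated as the last DNS label. Exact for "localhost", close enough
// for the hosts named in this report.

function isIpLiteral(hostname) {
  // URL.hostname keeps IPv6 literals in brackets and IPv4 as a dotted quad.
  return hostname.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
}

function registrableDomain(hostname) {
  if (isIpLiteral(hostname)) return null;
  const labels = hostname.split(".");
  // A single label ("localhost") is itself the public suffix: no registrable
  // domain. "sub.localhost" yields "sub.localhost", which is why a localhost
  // "subdomain" is cross-site in Chrome and Firefox alike.
  if (labels.length < 2) return null;
  return labels.slice(-2).join(".");
}

function siteOf(url) {
  const host = url.hostname;
  return `${url.protocol}//${registrableDomain(host) ?? host}`;
}

function classifySecFetchSite(initiator, target) {
  const a = new URL(initiator);
  const b = new URL(target);
  if (a.origin === b.origin) return "same-origin";
  if (siteOf(a) === siteOf(b)) return "same-site";
  return "cross-site";
}

// Requests from the report's local test page (targets constructed from the
// URLs the report names), mapped to the header value they should carry.
function reportCases() {
  const page = "http://localhost:9898/sec-fetch-local.html";
  const targets = [
    "http://localhost:9898/api",   // same page origin: same-origin
    "http://localhost:9000/",      // only the port differs: same-site
    "http://sub.localhost:9898/",  // localhost "subdomain": cross-site
    "https://localhost:9898/",     // scheme differs (example's own case): cross-site
    "http://127.0.0.1:9000/",      // different host entirely: cross-site
  ];
  return Object.fromEntries(targets.map((t) => [t, classifySecFetchSite(page, t)]));
}

console.table(reportCases());
```

Run with node; the table printed for the localhost page matches the report's expected results column for column. Swapping localhost for 127.0.0.1 or [::1] in both URLs gives the same answers, since IP literals take the same "host is the site" path.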
Comment 1•3 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Networking' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2•3 years ago
The severity field is not set for this bug.
:dveditz, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 3•3 years ago
Niklas, can you take look?
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/autoland/rev/bf0203eb73d7 Consider loopback origin for Sec-Fetch-Site: same-site r=ckerschb
Comment 6•3 years ago
bugherder