Closed Bug 1738694 Opened 4 years ago Closed 3 years ago

Sec-Fetch-User header is missing when opening a link in a new window

Categories

(Core :: DOM: Security, defect, P2)

Firefox 93
defect

Tracking

()

RESOLVED FIXED
103 Branch
Tracking Status
firefox103 --- fixed

People

(Reporter: github, Assigned: tschuster)

References

(Depends on 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(3 files, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

Steps to reproduce:

  1. Open https://lab.xpaw.me/headers.php
  2. Right click on 'random link' and 'open link in new window'

Also missing when opening in new private window.

Actual results:

"HTTP_SEC_FETCH_USER ?1" header is not sent.

Expected results:

Sec-Fetch-User should be sent as it is a user navigation. It works in Chrome. It works when opening in a new tab.
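How the reported difference looks to a server-side Fetch Metadata check, as an added example (not code from this bug or from Firefox). The `evaluate` policy, its `requireUserActivation` option and both sample header sets are assumptions constructed for illustration; header names follow the `HTTP_SEC_FETCH_USER` form the test page prints.

```javascript
// Added example. Sample header sets are constructed, not captured traffic.
// Accepts wire names ("Sec-Fetch-User") or the PHP $_SERVER form
// ("HTTP_SEC_FETCH_USER") that the test page in the report prints.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase().replace(/^http_/, "").replace(/_/g, "-");
    out[key] = String(value).trim();
  }
  return out;
}

function classifyNavigation(headers) {
  const h = normalize(headers);
  if (!("sec-fetch-mode" in h)) return "no-fetch-metadata";
  if (h["sec-fetch-mode"] !== "navigate") return "not-a-navigation";
  // Sec-Fetch-User is only ever sent as "?1"; otherwise it is omitted.
  return h["sec-fetch-user"] === "?1"
    ? "user-activated-navigation"
    : "navigation-without-user-activation";
}

// Hypothetical policy for a page that should only load as a top-level document.
function evaluate(headers, { requireUserActivation }) {
  const kind = classifyNavigation(headers);
  if (kind === "no-fetch-metadata")
    return { allow: true, reason: "no Sec-Fetch-* headers (older client)" };
  if (kind === "not-a-navigation" || normalize(headers)["sec-fetch-dest"] !== "document")
    return { allow: false, reason: "not a top-level document navigation" };
  if (requireUserActivation && kind !== "user-activated-navigation")
    return { allow: false, reason: "Sec-Fetch-User: ?1 missing" };
  return { allow: true, reason: kind };
}

// Constructed samples: same link opened in a new tab vs. a new window.
const newTab = {
  HTTP_SEC_FETCH_DEST: "document", HTTP_SEC_FETCH_MODE: "navigate",
  HTTP_SEC_FETCH_SITE: "same-origin", HTTP_SEC_FETCH_USER: "?1",
};
const newWindow = {
  HTTP_SEC_FETCH_DEST: "document", HTTP_SEC_FETCH_MODE: "navigate",
  HTTP_SEC_FETCH_SITE: "same-origin", // no HTTP_SEC_FETCH_USER, as reported
};

for (const [label, h] of Object.entries({ newTab, newWindow })) {
  console.log(label, classifyNavigation(h),
    "strict:", evaluate(h, { requireUserActivation: true }).allow,
    "lenient:", evaluate(h, { requireUserActivation: false }).allow);
}
```

A policy that gates on `?1` rejects the new-window request, while one that uses `Sec-Fetch-Mode` and `Sec-Fetch-Dest` and treats `Sec-Fetch-User` as a hint accepts both.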

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Networking' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → DOM: Networking
Product: Firefox → Core

Christoph, can someone from your team take a look at this?

Flags: needinfo?(ckerschb)

(In reply to Dragana Damjanovic [:dragana] from comment #2)

Christoph, can someone from your team take a look at this?

Niklas, can you take a look?

Blocks: 1508292
Flags: needinfo?(ckerschb) → needinfo?(ngogge)
Component: DOM: Networking → DOM: Security
Severity: -- → S3
Priority: -- → P2
Whiteboard: [domsecurity-active]

Confirming: opening in a new TAB is fine, but it's missing in a new WINDOW (private or not). It's also missing if you open a link in a new Container tab (requires installing the Multi-Account Containers web extension to enable).

Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → ngogge
Status: NEW → ASSIGNED
Flags: needinfo?(ngogge)
Attachment #9250170 - Attachment description: WIP: Bug 1738694: wip → WIP: Bug 1738694: Add sec-fetch tests for openening new windows. r=ckerschb!
Attachment #9251370 - Attachment description: WIP: Bug 1738694: Assume user activation in _handleURIToLoad() r=ckerschb!,edgar → Bug 1738694: Assume user activation in _handleURIToLoad() r=ckerschb!,edgar
Attachment #9250170 - Attachment description: WIP: Bug 1738694: Add sec-fetch tests for openening new windows. r=ckerschb! → Bug 1738694: Add sec-fetch tests for openening new windows. r=ckerschb!
Assignee: ngogge → nobody
Status: ASSIGNED → NEW
Whiteboard: [domsecurity-active]

ni? Christoph to figure out priority of Niklas's bugs

Flags: needinfo?(ckerschb)
Priority: P2 → --

(In reply to Daniel Veditz [:dveditz] from comment #7)

ni? Christoph to figure out priority of Niklas's bugs

Tom, is this something you feel comfortable fixing? Would be nice to have.

Flags: needinfo?(ckerschb) → needinfo?(evilpies)

Sure, but not immediately.

Assignee: nobody → evilpies
Flags: needinfo?(evilpies)
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Assignee: evilpies → tschuster
Depends on: 1485961
Attachment #9251370 - Attachment is obsolete: true

There are probably more places that we want to annotate with hasValidTransientUserGestureActivation = true, for example openUILink. This is more of a POC.

Depends on D147514

Attachment #9278486 - Attachment description: Bug 1738694 - Pass around hasValidTransientUserGestureActivation when opening links from UI. r?gijs!,edgar! → Bug 1738694 - Pass around hasValidUserGestureActivation and fromExternal when opening links from the UI or command-line. r?gijs!,edgar!
Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/50101abad25f
Use openLinkIn instead of loadURI. r=Gijs
https://hg.mozilla.org/integration/autoland/rev/c8109d217385
Pass around hasValidUserGestureActivation and fromExternal when opening links from the UI or command-line. r=Gijs,edgar
https://hg.mozilla.org/integration/autoland/rev/0fcc34c4614e
Add sec-fetch tests for openening new windows. r=ckerschb
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch