Only validate Origin header for remote agent websockets connection if BiDi is enabled
Categories: Remote Protocol :: Agent, task, P2
Tracking: firefox98 fixed, firefox99 verified
People: Reporter: jdescottes, Assigned: jdescottes
Details: Whiteboard: [bidi-m3-mvp]
Attachments: 1 file (48 bytes, text/x-phabricator-request; pascalc: approval-mozilla-beta+)
The added host & origin checks from Bug 1720098 have been causing regressions for consumers relying on CDP, mostly because many clients seem to send an origin header and we currently only support an empty one. E.g. https://github.com/SeleniumHQ/selenium/issues/10348
Bug 1750689 will allow configuring geckodriver & Firefox to accept custom hosts/origins, but until then we should only check origin headers when RemoteAgent.webDriverBiDi is defined (i.e. BiDi is enabled). The origin check is problematic, because only Firefox performs this check for now, and there is no escape hatch.
The wdspec test added in Bug 1720098 is disabled on beta and release (where bidi is also disabled), so it shouldn't be impacted by this change.
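The gating requested above, as an added example (not the attached patch and not Firefox's Remote Agent code): the Origin header of a WebSocket handshake is validated only when BiDi is enabled, and in that case only a request without an Origin header is accepted. `parseHeaders`, `checkOrigin` and `bidiEnabled` are hypothetical names, the sample requests are constructed, and "empty origin" is assumed to mean the header is absent.

```javascript
// Added example; all names are hypothetical and the requests are constructed.
const WITH_ORIGIN = // handshake from a client that sends an Origin header
  "GET /example HTTP/1.1\r\n" +
  "Host: localhost:9222\r\n" +
  "Upgrade: websocket\r\n" +
  "Connection: Upgrade\r\n" +
  "ORIGIN: http://localhost:9222\r\n\r\n";

const WITHOUT_ORIGIN = // handshake without an Origin header
  "GET /example HTTP/1.1\r\n" +
  "Host: localhost:9222\r\n" +
  "Upgrade: websocket\r\n" +
  "Connection: Upgrade\r\n\r\n";

// Parse the header block into a Map of lower-cased name -> array of values.
// Header names are case-insensitive and duplicates are preserved.
function parseHeaders(rawRequest) {
  const headers = new Map();
  for (const line of rawRequest.split("\r\n").slice(1)) { // skip request line
    if (line === "") break;                               // end of headers
    const idx = line.indexOf(":");
    if (idx <= 0) continue;                               // malformed line
    const name = line.slice(0, idx).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(line.slice(idx + 1).trim());
  }
  return headers;
}

// bidiEnabled models "RemoteAgent.webDriverBiDi is defined".
function checkOrigin(rawRequest, { bidiEnabled }) {
  const origins = parseHeaders(rawRequest).get("origin") ?? [];
  if (origins.length === 0) return { accept: true, reason: "no-origin" };
  if (!bidiEnabled) {
    // CDP-only configuration: the Origin value is not validated at all.
    return { accept: true, reason: "origin-not-checked" };
  }
  // BiDi enabled: any Origin header (even a duplicated one) is refused.
  return { accept: false, reason: "origin-not-allowed" };
}

for (const bidiEnabled of [true, false]) {
  console.log(bidiEnabled, checkOrigin(WITH_ORIGIN, { bidiEnabled }),
    checkOrigin(WITHOUT_ORIGIN, { bidiEnabled }));
}
```

With `bidiEnabled` false the Origin value is ignored entirely, which is the interim behaviour this bug asks for until Bug 1750689 makes allowed origins configurable.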
Comment 1•3 years ago (Assignee)
When BiDi is disabled, skip the origin header check to support existing CDP clients.
Comment 3•3 years ago
bugherder
Comment 4•3 years ago (Assignee)
Comment on attachment 9263826 [details]
Bug 1755317 - [remote] Only validate origin headers if BiDi is enabled
Beta/Release Uplift Approval Request
- User impact if declined: Existing users of Firefox Remote Protocol (our CDP implementation) might be unable to connect due to new checks on the origin and host headers of incoming connections. See https://github.com/SeleniumHQ/selenium/issues/10348
Those checks were only intended for the WebDriver BiDi implementation so this patch disables the origin check when WebDriver BiDi is disabled (which is the case on Beta & Release)
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small JavaScript change with unit tests, we are just making a check introduced in Firefox 98 optional for a certain configuration.
- String changes made/needed:
I can verify that it's working fine when testing with a WebSocket client that sends an origin header and by disabling WebDriver BiDi in a Nightly build.
Comment 6•3 years ago
Comment on attachment 9263826 [details]
Bug 1755317 - [remote] Only validate origin headers if BiDi is enabled
Approved for 98 beta 6, thanks.
Comment 7•3 years ago
bugherder uplift