Closed Bug 1755317 Opened 3 years ago Closed 3 years ago

Only validate Origin header for remote agent websockets connection if BiDi is enabled

Categories

(Remote Protocol :: Agent, task, P2)

Product:
Remote Protocol
Component:
Agent
Type:
task
Points:
2

Tracking

(firefox98 fixed, firefox99 verified)

Status:
VERIFIED FIXED
Milestone:
99 Branch
Tracking Flags:
Tracking Status
firefox98 --- fixed
firefox99 --- verified

People

(Reporter: jdescottes, Assigned: jdescottes)

References

Details

(Whiteboard: [bidi-m3-mvp])

Attachments

(1 file)

Bug 1755317 - [remote] Only validate origin headers if BiDi is enabled
48 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
Details | Review

The added host & origin checks from Bug 1720098 have been causing regressions for consumers relying on CDP, mostly because many clients seem to send an origin header and we currently only support an empty one. Eg https://github.com/SeleniumHQ/selenium/issues/10348

Bug 1750689 will allow to configure geckodriver & Firefox to accept custom hosts/origins, but until then we should only check origin headers when RemoteAgent.webDriverBiDi is defined (ie BiDi is enabled). The origin check is problematic, because only Firefox performs this check for now, and there is no escape hatch.

The wdspec test added in Bug 1720098 is disabled on beta and release (where bidi is also disabled), so it shouldn't be impacted by this change.

When BiDi is disabled, skip the origin header check to support existing CDP clients.

Pushed by jdescottes@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/61aa370c00dd [remote] Only validate origin headers if BiDi is enabled r=webdriver-reviewers,whimboo

https://hg.mozilla.org/mozilla-central/rev/61aa370c00dd

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox99: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch

Comment on attachment 9263826 [details]
Bug 1755317 - [remote] Only validate origin headers if BiDi is enabled

Beta/Release Uplift Approval Request

Those checks were only intended for the WebDriver BiDi implementation so this patch disables the origin check when WebDriver BiDi is disabled (which is the case on Beta & Release)

  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Small javascript change with unit tests, we are just making a check introduced in Firefox 98 optional for a certain configuration.
  • String changes made/needed:
Attachment #9263826 - Flags: approval-mozilla-beta?

I can verify that it's working fine when testing with a WebSocket client that sends an origin header and by disabling WebDriver BiDi in a Nightly build.

Status: RESOLVED → VERIFIED
status-firefox99: fixedverified

Comment on attachment 9263826 [details]
Bug 1755317 - [remote] Only validate origin headers if BiDi is enabled

Approved for 98 beta 6, thanks.

Attachment #9263826 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Points: --- → 2
Whiteboard: [webdriver:triage] → [bidi-m3-mvp]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: