No CORS check for differing ports on localhost/IPs with HTTPS-only mode enabled
Categories: Core :: DOM: Security, defect
People: Reporter: jannis, Assigned: freddy
References: Blocks 1 open bug
Attachments: 1 file (356 bytes, text/html)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0
Steps to reproduce:
- Download the attack.html
- Run two local servers:
    python3 -m http.server 8000
    python3 -m http.server 8001
- Visit:
    http://localhost:8000/attack.html
    and http://127.0.0.1:8000/attack.html
- The attack pages issue fetch requests to the other server
Actual results:
The fetch request to a same-site page with differing port succeeds. No CORS violation is thrown. The fetch request to the cross-site page fails as expected.
Expected results:
CORS should block reading of all cross-origin responses/throw a CORS violation.
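The report hinges on what a browser treats as "the same origin": the tuple of scheme, host and port, so localhost:8000 and localhost:8001 are distinct origins and a response from one must not be readable by a page on the other without CORS headers. The following Node.js snippet is an added example, not code from the bug report or from Firefox; it models a correct origin comparison next to a deliberately port-blind one that reproduces the observed failure, plus a simplified http-to-https upgrade that keeps the port. All function names (originOf, sameOrigin, sameOriginIgnoringPort, upgradeToHttps, expectedFetchOutcome) are hypothetical and the sample URLs are the two local servers from the steps above.

```javascript
// Added example (not part of the bug report): models the origin comparison
// that CORS relies on and the failure mode the report describes, where two
// URLs that differ only in port are treated as the same origin.
// Runs on Node.js using only the built-in WHATWG URL class.

// Origin tuple (scheme, host, port) for a URL, with default ports made
// explicit so "http://example.org/" and "http://example.org:80/" agree.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaults = { "http:": "80", "https:": "443" };
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || defaults[u.protocol] || "",
  };
}

// Correct same-origin check: scheme, host AND port must all match.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Port-blind comparison, kept only for contrast: this is the kind of
// mistake that would let localhost:8000 read localhost:8001, which is
// what the report observes with HTTPS-Only Mode enabled.
function sameOriginIgnoringPort(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host;
}

// Simplified model of an HTTPS-Only style upgrade (hypothetical, not
// Firefox's implementation): the scheme flips to https but the explicit
// port is preserved, so the upgraded request still names port 8001.
function upgradeToHttps(urlString) {
  const u = new URL(urlString);
  if (u.protocol === "http:") {
    u.protocol = "https:";
  }
  return u.toString();
}

// What a fetch() from `pageUrl` to `resourceUrl` should yield when the
// server sends no CORS headers: "success" only for a same-origin target,
// "error" otherwise. The `compare` parameter lets the port-blind
// comparison be plugged in to show how the outcome changes.
function expectedFetchOutcome(pageUrl, resourceUrl, compare = sameOrigin) {
  return compare(pageUrl, resourceUrl) ? "success" : "error";
}

// Constructed sample inputs: the two local servers from the report.
const PAGE = "http://localhost:8000/attack.html";
const OTHER_PORT = "http://localhost:8001/";
const OTHER_HOST = "http://127.0.0.1:8000/";

// Stand-alone demo: print the outcome for each target under both
// comparisons, before and after the modelled upgrade.
for (const target of [OTHER_PORT, OTHER_HOST]) {
  console.log(
    `${PAGE} -> ${target}: correct=${expectedFetchOutcome(PAGE, target)}` +
      ` portBlind=${expectedFetchOutcome(PAGE, target, sameOriginIgnoringPort)}` +
      ` afterUpgrade=${expectedFetchOutcome(
        upgradeToHttps(PAGE),
        upgradeToHttps(target)
      )}`
  );
}
```

The point to check in any upgrade or rewrite path is that the origin compared afterwards still carries the original port: upgradeToHttps keeps it, so the correct comparison still yields "error" for the differing-port target, while the port-blind comparison returns "success" for exactly the case the report describes.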
Comment 1 • 3 years ago
When I run the test, I get "CORS blocked localhost!" and "CORS blocked 127.0.0.1!" both with
http://localhost:8000/attack.html and http://127.0.0.1:8000/attack.html
What am I missing here?
(I was testing Nightly and Chrome, both have the same behavior)
Seems like the bug only occurs if HTTPS-Only Mode is enabled.
Comment 3 • 3 years ago
This might be a variant of the bug where we forget some security context when we do an upgrade.
Comment 4 • 3 years ago
If this is restricted to localhost (which already has special handling) this is probably sec-moderate. If it happens with arbitrary domains then it's sec-high.
Comment 5 • 3 years ago
We have a test case for https-only mode which can be adjusted to test that behavior. Running the adjusted test shows that this bug is not working for an arbitrary host.
Steps to Reproduce test result:
- Go to https://searchfox.org/mozilla-central/source/dom/security/test/https-only/browser_cors_mixedcontent.js and use "example.org" as sameOrigin and "example.org:8000" as crossOrigin instead of "example.com" (because there is no http version of example.com with a different port, see https://searchfox.org/mozilla-central/source/build/pgo/server-locations.txt#74,82,89).
- To do step one you also have to adjust the support file: https://searchfox.org/mozilla-central/source/dom/security/test/https-only/file_cors_mixedcontent.html#13,20
- Comment out all tests till line 51 in dom/security/test/https-only/browser_cors_mixedcontent.js (unneeded tests, and since localhost doesn't get upgraded to https it wouldn't simulate the test we want to process).
- From line 51-74 we should have something like that:

    // HTTPS-Only enabled, with exception
    await SpecialPowers.pushPermissions([
      {
        type: "https-only-load-insecure",
        allow: true,
        context: "http://example.org",
      },
    ]);
    await SpecialPowers.pushPermissions([
      {
        type: "https-only-load-insecure",
        allow: true,
        context: "http://example.org:8000",
      },
    ]);
    await runTest({
      description: "Load site with HTTP, HOM enabled but site exempt",
      topLevelScheme: "http",
      expectedSameOrigin: "success", // ok
      expectedCrossOrigin: "error", // CORS
    });

- Run. Result:
  "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://example.org:8000/...
Comment 6 • 3 years ago
This bug might be related to https://bugzilla.mozilla.org/show_bug.cgi?id=1751105
Comment 7 • 3 years ago
Thanks Tomer! Yes, these are the same.