HTTPS-only mode drops origin header from media requests with crossorigin=anonymous
Categories
(Core :: DOM: Security, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr91 | --- | unaffected |
firefox-esr102 | --- | unaffected |
firefox103 | --- | disabled |
firefox104 | --- | disabled |
firefox105 | --- | disabled |
firefox106 | --- | wontfix |
firefox109 | --- | wontfix |
firefox110 | --- | wontfix |
firefox111 | --- | fixed |
People
(Reporter: denschub, Assigned: kershaw)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, regressionwindow-wanted, Whiteboard: [domsecurity-active])
Attachments
(2 files, 1 obsolete file)
The attached testcase is building an <img>
with crossOrigin = "anonymous"
and is attaching a HTTP URL:
let image = new Image();
image.crossOrigin = "anonymous";
image.src = "http://placekitten.com/200/300";
In Firefox with HTTPS-only enabled, the request to the image file is sent with the header
Origin: null
And unfortunately, this breaks a governmental archive site in Denmark...
Comment 1•2 years ago
|
||
If you set a request to anonymous aren't we supposed to drop the Origin header for a GET? We shouldn't sent Origin: null
in that case though, since that indicates a CORS request but one that can't use the actual origin for various reasons (e.g. redirect chains)
Is this a regression? Tom did some recent work in this area.
From the webcompat bug
The site, which is served via HTTPS, is trying to load the image via HTTP. In Chrome, it gets upgraded by their mixed-content auto-upgrade-magic, and it works correctly. In a fresh Firefox profile with HTTPS-only mode diasabled, it works just fine for me. However, with HTTPS-only mode enabled, it breaks as shown here.
The original breaking URL:
Description: Cannot show pictures from the scanned church records on the page
Steps to Reproduce:
Go to any subpage (eg. https://www.sa.dk/ao-soegesider/da/billedviser?epid=17114393#148846,24601867 ) that is meant to show an image of a chruch record and you will get an error. Test the same in any other browser, you will see the image of the page.
Comment 2•2 years ago
|
||
This does work in ESR-91.11 so it is a regression (probably more recent than that, it was handy).
Tom: can you take a look?
Updated•2 years ago
|
Comment 3•2 years ago
|
||
This is related to the redirect tainting we do since bug 1605305. Disabling the pref network.http.origin.redirectTainted
fixes this.
Comment 4•2 years ago
|
||
Set release status flags based on info from the regressing bug 1605305
Comment 5•2 years ago
|
||
We could potentially check if the request was upgraded by HTTPS only mode and not apply tainting in that case?
Reporter | ||
Comment 6•2 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #1)
If you set a request to anonymous aren't we supposed to drop the Origin header for a GET?
If that's the case, this would also be a bug worth filing for Chrome, because they set the origin header in the request.
Assignee | ||
Comment 7•2 years ago
|
||
(In reply to Tom Schuster (MoCo) from comment #5)
We could potentially check if the request was upgraded by HTTPS only mode and not apply tainting in that case?
This sounds reasonable to me.
Comment 8•2 years ago
|
||
If you set a request to anonymous aren't we supposed to drop the Origin header for a GET?
I don't think that is correct. The spec wants us to send the Origin header for all "CORS tainted" requests. Anonymous or use-credentials isn't even considered. (https://fetch.spec.whatwg.org/#append-a-request-origin-header Step 2.)
Updated•2 years ago
|
Comment 9•2 years ago
|
||
Comment 10•2 years ago
|
||
The severity field for this bug is set to S3. However, this bug has a P1 WebCompat priority.
:tschuster, could you consider increasing the severity of this web compatibility bug?
For more information, please visit auto_nag documentation.
Comment 11•2 years ago
|
||
No. HTTPS-only mode isn't enabled by default as far as I know.
Reporter | ||
Comment 12•2 years ago
|
||
HTTPS-only mode isn't enabled by default as far as I know.
This is true, dropping the WebCompat priority accordingly.
Updated•2 years ago
|
Updated•2 years ago
|
Comment 13•2 years ago
|
||
Could you take a look at the patch? I think the approach should work, but I have some open questions.
Updated•2 years ago
|
Assignee | ||
Comment 14•2 years ago
|
||
(In reply to Tom Schuster (MoCo) from comment #13)
Could you take a look at the patch? I think the approach should work, but I have some open questions.
I've replied on phab.
Comment 15•2 years ago
|
||
Set release status flags based on info from the regressing bug 1605305
Updated•2 years ago
|
Comment 16•2 years ago
|
||
Hi Kershaw. I am a bit stuck on this, because it seems like we now also ignore redirects from one HTTP to another HTTP site that are different origin, but were both upgraded.
Assignee | ||
Comment 17•2 years ago
|
||
(In reply to Tom Schuster (MoCo) from comment #16)
Hi Kershaw. I am a bit stuck on this, because it seems like we now also ignore redirects from one HTTP to another HTTP site that are different origin, but were both upgraded.
Sorry, I don't quite understand.
Can you provide a concrete example?
I imagine the case you described would be like:
- Go to http://example.com
- Upgrade to https://example.com because of HTTPS-only mode.
We don't mark this request as tainted. - We connect to the server and the server redirects to http://example.org
At this point, this request should be marked as tainted. - Upgrade to https://example.org.
We should keep the tainted flag.
Do I understand your question correctly?
Comment 18•2 years ago
|
||
I think you've got the idea. I have to following test case that shows that we don't apply tainting properly, because we treat everything as an upgrade with the current patch.
Go to example.com (with HTTPS only mode enabled) and execute the following in the web console:
let image = new Image();
image.crossOrigin = "anonymous";
image.src = "http://httpbin.org/redirect-to?url=http%3A%2F%2Fplacekitten.com%2F200%2F300";
ShouldTaintReplacementChannelOrigin
mURI = http://httpbin.org/redirect-to?url=http%3A%2F%2Fplacekitten.com%2F200%2F300 aNewURI = https://httpbin.org/redirect-to?url=http%3A%2F%2Fplacekitten.com%2F200%2F300
detected HTTPS Only
NO taint!
ShouldTaintReplacementChannelOrigin
mURI = http://httpbin.org/redirect-to?url=http%3A%2F%2Fplacekitten.com%2F200%2F300 aNewURI = https://httpbin.org/redirect-to?url=http%3A%2F%2Fplacekitten.com%2F200%2F300
detected HTTPS Only
NO taint!
ShouldTaintReplacementChannelOrigin
mURI = https://httpbin.org/redirect-to?url=http%3A%2F%2Fplacekitten.com%2F200%2F300 aNewURI = http://placekitten.com/200/300
detected HTTPS Only
NO taint!
ShouldTaintReplacementChannelOrigin
mURI = https://httpbin.org/redirect-to?url=http%3A%2F%2Fplacekitten.com%2F200%2F300 aNewURI = http://placekitten.com/200/300
detected HTTPS Only
NO taint!
ShouldTaintReplacementChannelOrigin
mURI = http://placekitten.com/200/300 aNewURI = https://placekitten.com/200/300
detected HTTPS Only
NO taint!
ShouldTaintReplacementChannelOrigin
mURI = http://placekitten.com/200/300 aNewURI = https://placekitten.com/200/300
detected HTTPS Only
NO taint!
Comment 19•1 year ago
|
||
Could you look at this? I am not an expert in the networking code so fixing this myself is quite a bit harder.
Assignee | ||
Comment 20•1 year ago
|
||
(In reply to Tom Schuster (MoCo) from comment #19)
Could you look at this? I am not an expert in the networking code so fixing this myself is quite a bit harder.
I think this is fixed by bug 1800990, but I'll still try to add a test for this.
Hope you don't mind that I take this bug from you.
Assignee | ||
Comment 21•1 year ago
|
||
Comment 22•1 year ago
|
||
Thank you for picking this up!
Updated•1 year ago
|
Comment 23•1 year ago
|
||
There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:kershaw, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit auto_nag documentation.
Assignee | ||
Comment 24•1 year ago
|
||
I'll land this.
Comment 25•1 year ago
|
||
Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8da627ca762f Test redirect tainting with Https-only mode, r=tschuster
Comment 26•1 year ago
|
||
bugherder |
Updated•1 year ago
|
Updated•1 year ago
|
Description
•