Closed Bug 1800916 Opened 2 years ago Closed 2 years ago

Cannot select or click html response web developer tools - network tab

Categories

(DevTools :: Netmonitor, defect, P2)

Product:
DevTools
Component:
Netmonitor
Version:
Firefox 107
Platform:
Unspecified
All
Type:
defect

Tracking

(firefox-esr102 unaffected, firefox107 wontfix, firefox108 wontfix, firefox109 wontfix, firefox110 wontfix, firefox111 verified, firefox112 verified)

Status:
VERIFIED FIXED
Milestone:
112 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox107 --- wontfix
firefox108 --- wontfix
firefox109 --- wontfix
firefox110 --- wontfix
firefox111 --- verified
firefox112 --- verified

People

(Reporter: pavlovp, Assigned: ochameau)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression)

Attachments

(2 files)

Bug 1800916 - [devtools] Allow interactions with HTML previews in netmonitor.
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
Details | Review
2023-02-20_18h15_40.mp4
7.81 MB, video/mp4
Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0

Steps to reproduce:

Debugging responses from web app.

Actual results:

When response is in rendered html format I cannot copy any parts of it.

Expected results:

I would like to be able to copy rendered html response.

Status: UNCONFIRMED → NEW
Type: defect → enhancement
Component: Untriaged → Netmonitor
Ever confirmed: true
OS: Unspecified → All
Product: Firefox → DevTools
Type: enhancement → defect

Can you share more details? If you are using the "Response" panel in the Network tab of DevTools, you can click on the "raw" toggle to see the raw response.

Note that we also had a bug with HTML previews which were rendered blank in many cases, this was fixed in Bug 1797952 (released in Firefox 108), but even then you should be able to use the "raw" toggle I mentioned.

Flags: needinfo?(pavlovp)

Hey, sorry for the lack of details. So, on raw toggle I can copy everything, but on html view cannot copy anything. Noticed that cursor is changing over elements - behaving like real rendered html page, on input it becomes like you can click and write, on button it becomes hand to click etc. About the raw input - it is not very useful for me as I use symfony/var-dumper php package, which returns flavored html dump. So today I've made some tests on my machine and here are some details:

Ubuntu Studio 22.04
KDE Plasma Version: 5.24.6
KDE Frameworks Version: 5.92.0
Qt Version: 5.15.3
Kernel Version: 5.15.0-53-lowlatency (64-bit)
Graphics Platform: X11
Processors: 8 × 11th Gen Intel® Core™ i5-1135G7 @ 2.40GHz
Memory: 31.0 GiB of RAM
Graphics Processor: Mesa Intel® Xe Graphics

Firefox 107.0
Firefox Developer Edition 108.0b2 (64-bit) With add-ons turned off

Windows 10 Pro
Version: 21H2
OS Build: 19044.1645

Firefox and Firefox Developer Edition

I forgot to look at versions but I've updated them before test.
Both OSs on the same machine.

Flags: needinfo?(pavlovp)

Thanks for the additional info!

So you would like to be able to simply select text in the HTML preview. I can see that this is possible in Chrome, although they also process clicks on links in the preview which triggers unexpected navigations.

On our side, we block all mousedown events in the preview at https://searchfox.org/mozilla-central/rev/2f47e3dacf0d773e9c7f363cecf10cfbea490679/devtools/client/netmonitor/src/components/previews/HtmlPreview.js#30-32

We would need a way to prevent links from working but still allow selection.

Blocks: netmonitor-preview

Just tried previous version (106.0.5 (64-bit)) and it is possible to select text and nothing happens when clicking on elements or links.

Thanks for checking, then it must have regressed with Bug 1640689.

Regressed by: 1640689

Set release status flags based on info from the regressing bug 1640689

:ochameau, since you are the author of the regressor, bug 1640689, could you take a look? Also, could you set the severity field?

For more information, please visit auto_nag documentation.

status-firefox107: --- → affected
status-firefox108: --- → affected
status-firefox109: --- → affected
status-firefox-esr102: --- → unaffected
Flags: needinfo?(poirot.alex)

:Honza could this be triaged for priority/severity?

Flags: needinfo?(odvarko)
Flags: needinfo?(odvarko)
Whiteboard: [devtools-triage]

Unfortunately, this is tricky. I'm not aware of any flag on DocShell/BrowsingContext/FrameLoader to prevent navigations.
And this code runs in a distinct process as the loaded document so we only receive mouse events on the <iframe> element, so that we can't differentiate events against links versus others.

Flags: needinfo?(poirot.alex)

-moz-user-focus: ignore; rule set on the <iframe> should be removed to allow selection.

Moving from mousedown to mouseup allow (+removing user-focus ignore) allow to select and copy (while still disabling links).
But when we mouseup... the selection is no longer stopped and moving the mouse around will keep changing the selection.

I tried using beforeunload but it doesn't seem to be triggered in this setup.

If we consider contributing to C++ codebase there might be something to do around this IsNavigationAllowed method:
https://searchfox.org/mozilla-central/rev/5a49163b7012ded5fa1c4da5aa4f8d3f7c85a5e7/docshell/base/nsDocShell.cpp#3320-3333
For now, we only disallow all navigation in case of print preview. We could consider introducing a flag on BrowsingContext to disallow all navigations.

smaug, This is about the patch your reviewed to preview the HTML of network requests.
We have to prevent any kind of navigations when we display these previews.
For now I've been using iframe.onmousedown = e=>e.preventDefault(), but this prevents selecting text and copying it to clipboard.

Is there some other way to disallow all navigation for a given iframe? Or would you consider the addition of BrowsingContext.isNavigationBlocked boolean (or something similar)?

Flags: needinfo?(smaug)
Severity: -- → S3
Priority: -- → P2

A BrowsingContext flag sounds reasonable to me.

Flags: needinfo?(smaug)

Just to explain why this worked before bug 1640689: we used a sandbox="" HTML iframe which disallowed navigation.
We now use a XUL iframe to be able to set type=content and remote=true, but this also means we lose the support for sandbox.

Oh! sandboxFlags are exposed on BrowsingContext and can be set.
iframe.browsingContext.sandboxFlags = 0xFFFF; should be an equivalent of <iframe sandbox=""> that we used to do.

Unfortunately, this seems to be ignored for xul:browser. May be over there? It is specific to html iframes:
https://searchfox.org/mozilla-central/rev/fadd0a14d2a2724ee4733ef73970a2ddd457a43f/dom/base/nsFrameLoader.cpp#2313-2321

Duplicate of this bug: 1804290

(In reply to Alexandre Poirot [:ochameau] from comment #14)

Oh! sandboxFlags are exposed on BrowsingContext and can be set.
iframe.browsingContext.sandboxFlags = 0xFFFF; should be an equivalent of <iframe sandbox=""> that we used to do.

Unfortunately, this seems to be ignored for xul:browser. May be over there? It is specific to html iframes:
https://searchfox.org/mozilla-central/rev/fadd0a14d2a2724ee4733ef73970a2ddd457a43f/dom/base/nsFrameLoader.cpp#2313-2321

Olli, do you know if we could apply the sandbox flags to a XUL iframe, or if there is another way to prevent any navigation without blocking mousedown (and therefore text selection)?

Flags: needinfo?(smaug)

Perhaps we could support sandbox also on xul:browser, that might be the easiest solution here?

Flags: needinfo?(smaug)

(In reply to Olli Pettay [:smaug][bugs@pettay.fi] from comment #17)

Perhaps we could support sandbox also on xul:browser, that might be the easiest solution here?

Sounds good, do you have pointers do start working on this, could you mentor one of us to fix this bug?

Flags: needinfo?(smaug)
Whiteboard: [devtools-triage]

See how sandbox is implemented for html:iframe? like the link you provided here :)

And I can help when needed.

Flags: needinfo?(smaug)
Duplicate of this bug: 1807170
Summary: Cannot copy html response web developer tools - network tab → Cannot select or click html response web developer tools - network tab

(In reply to Alexandre Poirot [:ochameau] from comment #14)

Oh! sandboxFlags are exposed on BrowsingContext and can be set.
iframe.browsingContext.sandboxFlags = 0xFFFF; should be an equivalent of <iframe sandbox=""> that we used to do.

Unfortunately, this seems to be ignored for xul:browser. May be over there? It is specific to html iframes:
https://searchfox.org/mozilla-central/rev/fadd0a14d2a2724ee4733ef73970a2ddd457a43f/dom/base/nsFrameLoader.cpp#2313-2321

So sandbox flags on xul:iframe aren't going throught that code. nsFrameLoader::MaybeCreateDocShell isn't called for the iframe created by the netmonitor:
https://searchfox.org/mozilla-central/rev/270f0ed2146821e239232728adac41a3de41131b/devtools/client/netmonitor/src/components/previews/HtmlPreview.js#26-37

   const iframe = container.ownerDocument.createXULElement("iframe");
    iframe.setAttribute("type", "content");
    iframe.setAttribute("remote", "true");

I imagine that's because it is remote?

(In reply to Olli Pettay [:smaug][bugs@pettay.fi] from comment #19)

See how sandbox is implemented for html:iframe? like the link you provided here :)

And I can help when needed.

I tried various ways to do ApplySandboxFlags for xul:iframe without any success:

  • nsFrameLoader::MaybeCreateDocShell isn't called for these dom elements
  • XULFrameElement::AfterSetAttr is called for nsGkAtoms::sandbox, but mFrameLoader is null
  • from XULFrameElement::LoadSrc, mFrameLoader->GetExtantBrowsingContext() is also null
    I haven't identified any obvious place where to apply BrowsingContext.sandboxFlags based on DOM "sandbox" attribute.

But I tried doing it in JS from the netmonitor code creating the iframe:

    const iframe = container.ownerDocument.createXULElement("iframe");
    iframe.setAttribute("type", "content");
    iframe.setAttribute("remote", "true");
    container.appendChild(iframe);
    iframe.browsingContext.sandboxFlags = 0xFFFFF;

For some reason, the sandboxFlags are ignored.
But that puzzles me as this is read without any condition:
https://searchfox.org/mozilla-central/search?q=symbol:_ZNK7mozilla3dom15BrowsingContext15GetSandboxFlagsEv&redirect=false

So I would appreciate some help to make sandboxFlags work for xul:iframe.
Otherwise I can fallback on hacking DocShell::IsNavigationAllowed and introduce yet another BC field:
https://searchfox.org/mozilla-central/rev/270f0ed2146821e239232728adac41a3de41131b/docshell/base/nsDocShell.cpp#3298-3311

Flags: needinfo?(smaug)

Otherwise, I was wondering if we should immediately relax restrictions and remove this problematic code:
https://searchfox.org/mozilla-central/rev/df68a65540f2227e27a12ed0b491188e2927f6d5/devtools/client/netmonitor/src/components/previews/HtmlPreview.js#30-32

    iframe.addEventListener("mousedown", e => e.preventDefault(), {
      capture: true,
    });

This is a workaround to disallow any navigation using <a> or <form>.
This is covered by this particular part of the test:
https://searchfox.org/mozilla-central/rev/df68a65540f2227e27a12ed0b491188e2927f6d5/devtools/client/netmonitor/test/browser_net_html-preview.js#101-115

I'm not sure it is so problematic to have navigations to work.
The regressing bug 1640689 actually improved security here by finally using <xul:iframe type="content" remote="true">.
So that any content loaded in this iframe element is loaded:

  1. in a content process, instead of parent process before!
  2. as a content document, we were only using sandbox attribute before!
    With this new setup, I think we could potentially load any document almost safely?

So that letting links/form do navigation would only be a UX issue as it can be sometimes confusing and there is no way to navigate back.
But I imagine it is still better to allow this little confusion than keeping the restriction that bugs everyone here.

It might be misleading to allow interactions with HTML previews.
Links/forms may navigate to another URL without any way to navigate back.
But it sounds unlikely this will lead to major security issue,
while letting users copy and paste partial pieces of these previews.

Assignee: nobody → poirot.alex
Status: NEW → ASSIGNED

For now, we will allow interactions and some navigation may happen in the preview iframe.
We would need to followup on comment 22 to block navigation without blocking copy/paste.

Flags: needinfo?(smaug)
Pushed by apoirot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d5722560ec79 [devtools] Allow interactions with HTML previews in netmonitor. r=devtools-reviewers,bomsy

Backed out for causing devtools failures on /browser_webconsole_network_messages_html_preview.js

Flags: needinfo?(poirot.alex)

Cristian, I removed this assertion in this patch... so this backout doesn't look justified.

And I had a green-enough try before pushing (without this failure):
https://treeherder.mozilla.org/jobs?repo=try&selectedTaskRun=B9dusBOSSIev5Dfkb033rg.0&revision=1a2fe7a76bc00fdcce82f66868eb1e58d49f8727

Flags: needinfo?(poirot.alex) → needinfo?(ctuns)

Oh sorry, I was confused because we were having two distinct tests with the exact same assertion and I missed removing the assertion in the second test!

Flags: needinfo?(poirot.alex)

I was also confused by the fact that this other test doesn't run on windows while I'm used to push to try only for linux...

Pushed by apoirot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/25d4eedf4e67 [devtools] Allow interactions with HTML previews in netmonitor. r=devtools-reviewers,bomsy

https://hg.mozilla.org/mozilla-central/rev/25d4eedf4e67

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox112: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch

Comment on attachment 9316340 [details]
Bug 1800916 - [devtools] Allow interactions with HTML previews in netmonitor.

Beta/Release Uplift Approval Request

  • User impact if declined: Can't select copy and paste anything from netmonitor HTML previews
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce: Open the netmonitor, load any page on http/https, select the html page request in the netmonitor and open the Response panel on the right.
    You should be able to copy paste anything in the HTML preview.
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch is specific to this focused UI component and only release a restriction which has recently been added.
  • String changes made/needed:
  • Is Android affected?: No
Attachment #9316340 - Flags: approval-mozilla-beta?

Comment on attachment 9316340 [details]
Bug 1800916 - [devtools] Allow interactions with HTML previews in netmonitor.

Approved for 111.0b2

Attachment #9316340 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Thank you very much <3

QA Whiteboard: [qa-triaged]

Hi @Alexandre Poirot , I'm having some difficulties verifying the fix on this issue, I load a page like https://en.wikipedia.org/wiki/Main_Page , open the Network tab in our Dev tools, select the HTML tab from the right panel and then the Response tab.

In our Firefox Release 110 I am unable to select anything from the right panel.
In our Beta 111.0b3 and our latest Nightly build I can select the text but It will not copy anything when Ctrl C is hit on the keyboard.
In our Esr 102.8 I can Select and Copy anything without issues.

Am I missing something ? am I nothing trying to copy from the right place ? Ill attach a screen recording of my issue from all versions.

Flags: needinfo?(poirot.alex)
Depends on: 1817857

Thanks a lot Rares, you are right, I missed that copy wasn't working... I opened bug 1817857 to fix this.

Flags: needinfo?(poirot.alex)

Marking this issue Verified as fixed because the user is able to click and select inside the Network Panel and because we have Bug 1817857 for the Copy and Paste issue. Thanks @Alexandre

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
status-firefox111: fixedverified
status-firefox112: fixedverified
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: