Closed Bug 1800990 Opened 3 years ago Closed 3 years ago

Incorrect Origin after scheme upgrade (UIR/HSTS/extension upgradeToSecure), breaks non-wildcard CORS checks

Categories

(Core :: Networking: HTTP, defect, P1)

Product:
Core
Component:
Networking: HTTP
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
109 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox107 --- wontfix
firefox108 --- wontfix
firefox109 --- verified

People

(Reporter: robwu, Assigned: kershaw)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [necko-triaged][necko-priority-queue])

Attachments

(1 file)

Bug 1800990 - Don't taint redirected channel for HSTS upgrade, r=freddyb,robwu
48 bytes, text/x-phabricator-request
Details | Review

After an (internal) scheme upgrade (whether HSTS or upgrade-insecure-request or internal upgradeToSecure in extensions), Firefox sends Origin: null but internally uses the original origin for CORS access checks. Consequently, the CORS check fails and the request is blocked. The only available work-around is for the server to respond with a wildcard (ACAO: *), but this fails when wildcards are not allowed, e.g. when a request includes credentials.

STR:

  1. Visit https://jsfiddle.net/0kq28zgj/1/. This page sets up automatic upgrades from http to https via UIR, and then triggers a cross-origin request to a destination that mirrors the Origin request header back in the Access-Control-Allow-Origin response header. The relevant code is: 
    m = document.createElement("meta");
m.httpEquiv="Content-Security-Policy";
m.content="upgrade-insecure-requests";
document.head.append(m);
// send request to server that mirrors Origin in Access-Control-Allow-Origin
fetch("http://polished-glitter-21ad.hvfcetgxgijelkmhxy.workers.dev/", {credentials:"include"})
.then(() => "CORS request succeeded", () => "CORS request failed")
.then(result => { document.body.textContent = result; });

Expected:

  • The request should succeed (and get the 404 status that the test server sends).

Actual:

For comparison, Safari and Chrome send the original origin (not null), and the request succeeds.

The behavior for this scenario is not in any standard, but I have filed a report at https://github.com/w3c/webappsec-upgrade-insecure-requests/issues/32

See Also: → 1789308

Hi Tom,

Since you have been working on origin header, you might be the best one to have a look here.
What do you think? Feel free to bounce back if you don't have time. Thanks.

Flags: needinfo?(tschuster)

This is caused by redirect tainting in Firefox (tested by disabling network.http.origin.redirectTainted). I guess we could extend bug 1781772 to also cover redirects caused by upgrade-insecure-requests.

Flags: needinfo?(tschuster)
See Also: → 1781772
Regressed by: 1605305

Set release status flags based on info from the regressing bug 1605305

status-firefox107: --- → affected
status-firefox108: --- → affected
status-firefox109: --- → affected
status-firefox-esr102: --- → unaffected
Severity: -- → S3
Priority: -- → P1
Whiteboard: [necko-triaged][necko-priority-queue]
Assignee: nobody → kershaw
Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8c1071a3eae0 Don't taint redirected channel for HSTS upgrade, r=robwu,necko-reviewers,tschuster

https://hg.mozilla.org/mozilla-central/rev/8c1071a3eae0

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox109: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 109 Branch
Flags: qe-verify+

I have reproduced this issue with STR from comment 0, on an affected Nightly build (2022-11-16) running macOS 11.

The issue is verified as fixed on Beta 109.0b5 across OSes: Win 10 x64, macOS 11 and Ubuntu 18.04 x64.

Status: RESOLVED → VERIFIED
status-firefox109: fixedverified
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: