webRequest.onHeadersReceived: Multiple Set-Cookie headers are merged into one with newline separator
Categories
(WebExtensions :: Request Handling, defect, P3)
Tracking
(firefox108 affected, firefox109 affected, firefox110 affected)
People
(Reporter: sagawa.aki+moz, Unassigned)
Details
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Steps to reproduce:
I noticed a certain ad-blocker add-on doesn't filter Set-Cookie header properly. Debugging the issue, I found multiple Set-Cookie headers are merged into one in Firefox and they aren't in Edge. Bug 1600556 is slightly similar to this case. However, Set-Cookie values are concatenated with a newline, i.e. "\n", not with a comma as seen in Bug 1600556.
The attachment is a Proof of Concept. Here is steps to reproduce:
- Load the attached zip-file as an temporary add-on in about:debugging#/runtime/this-firefox .
- Open the inspection window to watch console messages.
- Access to https://mainichi.jp/ (*)
- ... For safety, this add-on doesn't work for another web site. The web server of mainichi.jp seems to send two Set-Cookie headers always. It's good for testing.
Actual results:
In the console tab, we observe only one Set-Cookie log line. e.g.
Set-Cookie[0]: AWSALB=; Path=/
AWSALBCORS=; Path=/; SameSite=None; Secure
Expected results:
In the console tab, we observe two or more Set-Cookie log lines. e.g.
Set-Cookie[0]: AWSALB=; Path=/
Set-Cookie[1]: AWSALBCORS=; Path=/; SameSite=None; Secure
This is how Microsoft Edge 108.0.1462.54 works.
Comment 1•2 years ago
|
||
Hello,
I reproduced the issue on the latest Release (108.0.1/20221215175817), Beta (109.0b7/20221227225153) and Nightly (110.0a1/20230102165835) under Windows 10 x64 and Ubuntu 16.04 LTS.
Using the attached extension and accessing https://mainichi.jp/ will log a single Set-Cookie line as per the actual results in Comment 0, instead of 2 lines as per the expected results.
For more details, see the attached screenshot.
Comment 2•2 years ago
|
||
Comment 3•2 years ago
|
||
URL that can be used to reproduce: https://httpbin.org/response-headers?Set-Cookie=a&Set-Cookie=b
It sends two Set-Cookie headers (not in a valid format, but from the header perspective in the context of this bug, the validity of the cookie doesn't matter).
I can confirm that the two Set-Cookie headers are separated by a line break. Looks like bug 1608979
Description
•