Closed Bug 1808069 Opened 2 years ago Closed 2 years ago

webRequest.onHeadersReceived: Multiple Set-Cookie headers are merged into one with newline separator

Categories

(WebExtensions :: Request Handling, defect, P3)

Firefox 108
defect

Tracking

(firefox108 affected, firefox109 affected, firefox110 affected)

RESOLVED DUPLICATE of bug 1608979

People

(Reporter: sagawa.aki+moz, Unassigned)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0

Steps to reproduce:

I noticed a certain ad-blocker add-on doesn't filter Set-Cookie header properly. Debugging the issue, I found multiple Set-Cookie headers are merged into one in Firefox and they aren't in Edge. Bug 1600556 is slightly similar to this case. However, Set-Cookie values are concatenated with a newline, i.e. "\n", not with a comma as seen in Bug 1600556.

The attachment is a Proof of Concept. Here are the steps to reproduce:

  1. Load the attached zip-file as a temporary add-on in about:debugging#/runtime/this-firefox.
  2. Open the inspection window to watch console messages.
  3. Access https://mainichi.jp/ (*)

(*) For safety, this add-on doesn't work for other web sites. The web server of mainichi.jp seems to always send two Set-Cookie headers. It's good for testing.

Actual results:

In the console tab, we observe only one Set-Cookie log line. e.g.

Set-Cookie[0]: AWSALB=; Path=/
AWSALBCORS=
; Path=/; SameSite=None; Secure

Expected results:

In the console tab, we observe two or more Set-Cookie log lines. e.g.

Set-Cookie[0]: AWSALB=; Path=/
Set-Cookie[1]: AWSALBCORS=
; Path=/; SameSite=None; Secure

This is how Microsoft Edge 108.0.1462.54 works.

Hello,

I reproduced the issue on the latest Release (108.0.1/20221215175817), Beta (109.0b7/20221227225153) and Nightly (110.0a1/20230102165835) under Windows 10 x64 and Ubuntu 16.04 LTS.

Using the attached extension and accessing https://mainichi.jp/ will log a single Set-Cookie line as per the actual results in Comment 0, instead of 2 lines as per the expected results.

For more details, see the attached screenshot.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached image 2023-01-03_10h48_19.png

URL that can be used to reproduce: https://httpbin.org/response-headers?Set-Cookie=a&Set-Cookie=b
It sends two Set-Cookie headers (not in a valid format, but from the header perspective in the context of this bug, the validity of the cookie doesn't matter).

I can confirm that the two Set-Cookie headers are separated by a line break. Looks like bug 1608979.

Severity: -- → S4
Status: NEW → RESOLVED
Closed: 2 years ago
Component: Compatibility → Request Handling
Duplicate of bug: 1608979
Priority: -- → P3
Resolution: --- → DUPLICATE
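
Added example (not part of the bug report or the attached PoC): a name-based Set-Cookie filter that treats one responseHeaders entry as one cookie misses every cookie after the first when the entries arrive merged with "\n", and splitting first restores the one-entry-per-cookie shape from the expected results. The helper names, the blocklist and the cookie values x1/x2 are constructed for illustration.

```javascript
// Added example; cookie values below are constructed, not captured traffic.

// Return responseHeaders with one entry per cookie. A merged entry (the
// Firefox behaviour in this bug) carries several cookies joined by "\n";
// an HTTP field value cannot itself contain a line break, so splitting is safe.
function splitSetCookie(responseHeaders) {
  const out = [];
  for (const h of responseHeaders) {
    if (h.name.toLowerCase() !== "set-cookie" || typeof h.value !== "string") {
      out.push(h);
      continue;
    }
    for (const part of h.value.split(/\r?\n/)) {
      if (part.trim() !== "") out.push({ name: h.name, value: part.trim() });
    }
  }
  return out;
}

// Cookie name = text before the first "=" of the name/value pair.
// Assumption: a pair without "=" is treated as a nameless cookie.
function cookieName(value) {
  const pair = value.split(";", 1)[0];
  const eq = pair.indexOf("=");
  return eq === -1 ? "" : pair.slice(0, eq).trim();
}

// Set-Cookie values whose cookie name is on the blocklist (a Set).
// normalise=false reproduces a filter that trusts one entry == one cookie.
function blockedCookies(responseHeaders, blockedNames, normalise = true) {
  const headers = normalise ? splitSetCookie(responseHeaders) : responseHeaders;
  return headers
    .filter((h) => h.name.toLowerCase() === "set-cookie" && typeof h.value === "string")
    .filter((h) => blockedNames.has(cookieName(h.value)))
    .map((h) => h.value);
}

// The same response in the two shapes described in this report.
const firefoxShape = [
  { name: "Set-Cookie", value: "AWSALB=x1; Path=/\nAWSALBCORS=x2; Path=/; SameSite=None; Secure" },
];
const edgeShape = [
  { name: "Set-Cookie", value: "AWSALB=x1; Path=/" },
  { name: "Set-Cookie", value: "AWSALBCORS=x2; Path=/; SameSite=None; Secure" },
];
const blocked = new Set(["AWSALBCORS"]);
console.log(blockedCookies(firefoxShape, blocked, false)); // entry-per-cookie assumption
console.log(blockedCookies(firefoxShape, blocked));        // after splitting on "\n"
```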