Firefox not sending original Authorization header when fetch follows a redirect to the same origin
Categories
(Core :: DOM: Networking, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr102 | --- | unaffected |
firefox110 | --- | unaffected |
firefox111 | --- | fixed |
firefox112 | --- | fixed |
People
(Reporter: rob, Assigned: smayya)
References
(Regression)
Details
(Keywords: regression, Whiteboard: [necko-triaged], [wptsync upstream])
Attachments
(1 file)
The fix to https://bugzilla.mozilla.org/show_bug.cgi?id=1802086 means that when fetch()
follows a redirection to the same origin as the original request it drops the Authorization
header.
e.g.:
fetch("https://firefox-redirect-issue.wiremockapi.cloud/redirect", {
"headers": {
"Authorization": "Token foo"
}
});
gets a 302
with Location: https://firefox-redirect-issue.wiremockapi.cloud/authorized
which is the same origin (https://firefox-redirect-issue.wiremockapi.cloud) as the original request.
The request to https://firefox-redirect-issue.wiremockapi.cloud/authorized is made without an Authorization
header.
This breaks our website, which relies on a redirect maintaining that header.
For reference this is not an issue on Chrome Version 110.0.5481.100 (Official Build) (arm64) or Safari Version 16.2 (18614.3.7.1.5)
Updated•2 years ago
|
Assignee | ||
Updated•2 years ago
|
Assignee | ||
Updated•2 years ago
|
This is also not an issue in Chrome Version 112.0.5609.0 (Official Build) canary (arm64)
Comment 3•2 years ago
|
||
I think this should have been ReferrerInfo::IsCrossOriginRequest(aNewChannel);
skipAuthHeader = ReferrerInfo::IsCrossOriginRequest(oldHttpChannel);
Assignee | ||
Updated•2 years ago
|
Assignee | ||
Updated•2 years ago
|
I've read the Priority Definitions and the Triage for Bugzilla page; it's not clear to me what "Fix in the next release cycle or the following (nightly + 1 or nightly + 2)". Does that mean it will be fixed in 111.0? Or only in 112.0?
Also not an issue in Safari Release 163 (Safari 16.4, WebKit 18615.1.18.100.1)
Assignee | ||
Comment 6•2 years ago
|
||
We can disable this feature using the following pref:
network.fetch.redirect.stripAuthHeader = false
network.http.redirect.stripAuthHeader = false.
I tested with the above pref and it works.
We will try to provide a fix by this week, else release patch with the above pref to disabled
Assignee | ||
Updated•2 years ago
|
Assignee | ||
Updated•2 years ago
|
Comment 7•2 years ago
|
||
Set release status flags based on info from the regressing bug 1802086
Assignee | ||
Comment 8•2 years ago
•
|
||
I have investigated the problem further.
We are stripping auth headers because we treating the request as cross-origin.
We treat this request as cross-origin due to different schemes for the urls here
Internally we are treating this as navigating from about:newtab
to https://firefox-redirect-issue.wiremockapi.cloud/authorized
Additionally, I observe the same behavior with chrome.
I noticed that if we send the fetch request from console from https://firefox-redirect-issue.wiremockapi.cloud/ we do not have this issue for Firefox and Chrome.
Rob: Could you please confirm how you got it working in Chrome?
I did the following:
- Open new tab in chrome
- Open dev tools and send the fetch request mentioned in the description
I did not get response for the initial request itself. But this was not the case when I load https://firefox-redirect-issue.wiremockapi.cloud/
and send the fetch request
I did the following:
- Navigated to https://example.com
- Opened the developer tools
- Entered the following into the console:
fetch("https://firefox-redirect-issue.wiremockapi.cloud/redirect", {
"headers": {
"Authorization": "Token foo"
}
});
- Opened the Network tab
- Examined the requests and responses - the request to https://firefox-redirect-issue.wiremockapi.cloud/authorized had a request header
Authorization: Token foo
, a response status of 200 and a response bodyRedirect sent Authorization: Token foo
Reporter | ||
Comment 10•2 years ago
|
||
You can see a screen recording here:
https://drive.google.com/file/d/1HZ3A5Jq9L7-XvABrZGhkozRjXsbJ2r2M/view?usp=sharing
Assignee | ||
Comment 11•2 years ago
|
||
Thanks Rob.
Looks like Chrome hasn't implemented this feature yet.
https://bugs.chromium.org/p/chromium/issues/detail?id=1393520
I will check and confirm what should be the expected behavior in this case.
Reporter | ||
Comment 12•2 years ago
|
||
Surely "cross-origin redirects" in this context means a redirect to a different origin to the original request, not just to a different origin to the current page?
I can't see the security issue in repeating an Authorization
header to an origin to which it has already been explicitly sent in the same conversation.
As implemented in Firefox this will break any SPA using Bearer or Token authorization to an API that uses redirects, which is surely thousands of them?
Assignee | ||
Comment 13•2 years ago
|
||
The problem is that the api
ReferrerInfo::IsCrossOriginRequest(channel)
compares channel uri (https://firefox-redirect-issue.wiremockapi.cloud/authorized) with the loading principal uri(example.com). Hence, we treat this request as cross-origin.
I replaced with nsContentUtils::GetSecurityManager()->CheckSameOriginURI
to determine if the request was cross-origin and it fixed our problem.
I will run few more tests and check with the security team about its implications.
Assignee | ||
Comment 14•2 years ago
|
||
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Comment 15•2 years ago
|
||
Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/daf70dc1a75a replace ReferrerInfo::IsCrossOriginRequest with nsScriptSecurityManager::CheckSameOriginURI for determining cross-origin redirects. r=necko-reviewers,valentin
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/38739 for changes under testing/web-platform/tests
Comment 17•2 years ago
|
||
bugherder |
Upstream PR merged by moz-wptsync-bot
Assignee | ||
Comment 19•2 years ago
•
|
||
Comment on attachment 9319643 [details]
Bug 1817980 - replace ReferrerInfo::IsCrossOriginRequest with nsScriptSecurityManager::CheckSameOriginURI for determining cross-origin redirects. r=#necko,valentin,smaug
Beta/Release Uplift Approval Request
- User impact if declined: This will break any SPA using Bearer or Token authorization to an API that uses redirects.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change modifies an existing check for determination if the redirection is cross origin or not for stripping the authentication header.
The feature in general has a pref to disable the behavior - String changes made/needed:
- Is Android affected?: Yes
Assignee | ||
Updated•2 years ago
|
Comment 20•2 years ago
|
||
Comment on attachment 9319643 [details]
Bug 1817980 - replace ReferrerInfo::IsCrossOriginRequest with nsScriptSecurityManager::CheckSameOriginURI for determining cross-origin redirects. r=#necko,valentin,smaug
Approved for 111.0b8
Comment 21•2 years ago
|
||
bugherder uplift |
Description
•