Open Bug 1828376 Opened 3 years ago Updated 2 years ago

Source map error: Error: NetworkError when attempting to fetch resource.

Categories

(DevTools :: Debugger, defect, P3)

Product:
DevTools
Component:
Debugger
Type:
defect

Tracking

(firefox-esr102 unaffected, firefox112 wontfix, firefox113 wontfix, firefox114 wontfix, firefox115 wontfix, firefox116 wontfix, firefox117 wontfix)

Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox112 --- wontfix
firefox113 --- wontfix
firefox114 --- wontfix
firefox115 --- wontfix
firefox116 --- wontfix
firefox117 --- wontfix

People

(Reporter: xidorn, Assigned: bomsy)

References

(Regression)

Details

(Keywords: regression)

Attachments

(1 file)

Bug 1828376 - [devtools] Adds user setting to enable sourcemap redirects for current domain r=#devtools-reviewers
48 bytes, text/x-phabricator-request
Details | Review

Thank you for helping make Firefox better. If you are reporting a defect, please complete the following:

What were you doing?

Please tell us what site you were on, and what steps led to the error you are reporting

It's on canva.com, we use a mechanism to gate access to sourcemap files.

For example, https://static.canva.com/web/d9f9dab377d49414.js has sourcemap file being https://static.canva.com/web/sourcemaps/d9f9dab377d49414.js.map. If the cookie is set to CDM=true, it is redirected to an internal address (https://sourcemaps.canva-internal.com/d9f9dab377d49414.js.map) which requires authorization, otherwise it returns an empty sourcemap to suppress console warnings.

What happened?

What, if any, error messages did you see? Did the browser crash? Screenshots or screen recordings can be attached to this report and are helpful in isolating and replicating the bug.

With the cookie set and authorization done, it shows

Source map error: Error: NetworkError when attempting to fetch resource.

for sourcemap files.

What should have happened?

Was was the expected result? ("Not crashing" may be a valid answer.)

It should correctly fetch the sourcemap files. While it is not possible for you to verify that, it should at least start requesting the internal address with proper cookies.

Anything else we should know?

Do you have extensions installed? You can also go to about:support in another window or tab and attach the report it generates to this bug.

I did mozregression, and the range is https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8fc7ac6810cc979a8efe17521bb87be60c41685f&tochange=1320da462737565e077c7b2968695deb53d29800 so it's a regression from bug 1790542. From the commit message it is very clear what is going wrong, but the bug itself is restricted.

Keywords: regression
Regressed by: CVE-2023-29540

Set release status flags based on info from the regressing bug 1790542

:bomsy, since you are the author of the regressor, bug 1790542, could you take a look? Also, could you set the severity field?

For more information, please visit auto_nag documentation.

status-firefox112: --- → affected
status-firefox113: --- → affected
status-firefox114: --- → affected
status-firefox-esr102: --- → unaffected
Flags: needinfo?(hmanilla)
Assignee: nobody → hmanilla
Flags: needinfo?(hmanilla)

So we disabled source-map redirects due to potential of security issues. The current sourcemap implementation is on the client side which limits the control over redirects.

  1. One solution to handle this would be to move source-map to the server side, but that's a bit of work.
  2. Or maybe we could put source-map redirects behind a flag so it can be switched on with users understanding the risk.

Option 2 can be a quick easy fix for the short term.

While option 2 can be a quick easy fix, it would likely expose users to the security issues forever, because mostly likely users would forget to reset it.

If we are going option 2 for now, it might be better to make it an allowlist instead, that user can put specific domains that they trust to enable the redirection. WDYT?

While option 2 can be a quick easy fix, it would likely expose users to the security issues forever, because mostly likely users would forget to reset it.

Good point i was thinking a setting that does not persist when the devtools closes

If we are going option 2 for now, it might be better to make it an allowlist instead, that user can put specific domains that they trust to enable the redirection. WDYT?

But i think i might like this better.

Whiteboard: [devtools-triage]
Severity: -- → S3
Priority: -- → P3

So after a chat with the team, the consensus was that, for a short term solution:-

  1. Lets have a setting that is exposed in devtools, which would allow the user turn on / off redirects for sourcemaps. (With some info notifying the user about the risk). It would be limited to the current session and would not be persisted.
  2. Show the redirect errors (which are currently only shown in console panel) in the debugger.

Thanks

  1. Lets have a setting that is exposed in devtools, which would allow the user turn on / off redirects for sourcemaps. (With some info notifying the user about the risk)

What scope would it apply to? What's the life time of the setting?

What scope would it apply to? What's the life time of the setting?

Ah right forgot, to add that. It would be limited to the current session and would not be persisted.

Ah right forgot, to add that. It would be limited to the current session and would not be persisted.

Does current session mean the current tab (until the tab closes) or the current browser session (until the browser quits)?

(In reply to Xidorn Quan [:xidorn] UTC+11 from comment #8)

Does current session mean the current tab (until the tab closes) or the current browser session (until the browser quits)?

I mean the current browser session for now. Further there can be the discussion around if we want to restrict it to the current tab (which means the user will have to enable after navigation).

(In reply to Hubert Boma Manilla (:bomsy) from comment #9)

I mean the current browser session for now. Further there can be the discussion around if we want to restrict it to the current tab (which means the user will have to enable after navigation).

It would be better if it doesn't require setting after each navigation, or at least not when the origin or URL doesn't change, otherwise it would still be impossible to handle the case mentioned in comment 0 because devtools would fail to load the sourcemaps at the beginning.

I'm also concerned that enabling for the whole browser session could expose developers to the exact risk you are trying to fix, especially given that many developers may keep the browser open for very long, and use it for many websites. I have a feeling that it may not really be better than having a single persisted setting to enable it all the time, as long as we stop respecting such setting when the proper long term fix is implemented.

Could we enable it only for the DevTools session where it was activated? So it would only apply to one tab, and would go away when DevTools are closed (or when the tab closes).
Technically that should be doable, and not too unexpected from the user's point of view?

We agreed to have a persisted setting which would enable redirects for sourcemaps for a given domain.

Whiteboard: [devtools-triage]

any progress on a decision here for 116?

status-firefox114: fix-optionalwontfix
status-firefox115: affectedwontfix
Flags: needinfo?(hmanilla)

I think we should be able to fix for 116.

Flags: needinfo?(hmanilla)
Attachment #9340925 - Attachment description: WIP: Bug 1828376 - [devtools] Adds user setting to enable sourcemap redirects for current domain → Bug 1828376 - [devtools] Adds user setting to enable sourcemap redirects for current domain r=#devtools-reviewers
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: