Local script override breaks CORS
Categories
(DevTools :: Debugger, defect, P2)
Tracking
(firefox130 fixed)
| Tracking | Status | |
|---|---|---|
| firefox130 | --- | fixed |
People
(Reporter: denschub, Assigned: jdescottes)
References
(Blocks 1 open bug)
Details
Attachments
(3 files)
STR:
- Open this testcase
- Observe that the body contains a "hello, world!" message
- Open the JS Debugger, search the
https://samestuff.overengineer.dev/mozilla/testcases/devtools-script-override-cors/main.jsscript in the sidebar, add a script override - Save the file without any changes
- Reload
Expected:
The testcase should still work fine.
Actual:
JS fails. In the console, you can see
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at data:application/x-javascript;base64,[...]. (Reason: CORS request not http).
Additional context:
The script is loaded with a <script> tag that enforces CORS:
<script src="..." crossorigin="anonymous"></script>
This is a bit odd, but apparently not uncommon. This specific issue came up while debugging a compat issue on Microsoft OneDrive, where they're using RequireJS with a custom config that essentially does
requirejs.config({
baseUrl: "https://res-1.cdn.office.net/files/odsp-web-prod_2023-05-12.001/",
onNodeCreated: function (node, c, moduleName, url) {
const corsMatch = new RegExp(/* RegExp that checks if the URL is on the CDN */);
if (corsMatch.test(url)) {
node.setAttribute("crossorigin", "anonymous");
}
},
});
so the crossorigin attribute is added to the CDN-based script tags.
|
Reporter | |
Comment 1•1 years ago
|
||
I'm attaching the testcase for posterity, but keep in mind that the JS file needs to be a request with accurate CORS headers.
|
||
Comment 2•1 years ago
|
||
We most like have to tweak this code:
https://searchfox.org/mozilla-central/rev/a4fd6daad3a4123d995478467c1274653b283801/netwerk/protocol/http/nsCORSListenerProxy.cpp#572-588
to prevent throwing CORS exception when loadInfo->GetAllowInsecureRedirectToDataURI().
I'll give this a try.
|
|
||
Comment 3•1 years ago
|
||
|
||
Updated•1 years ago
|
|
|
||
Comment 4•1 years ago
|
||
Testing against comment 0, this patch fixes the issue.
Unfortunately, I'm not able to cover this via a test easily :(
For some reason I'm not able to allow this CORS request.
I tried putting Access-Control-Allow-Origin: * header on html and JS requests... and use crossorigin=anonymous attribute on script, but it doesn't work and I end up with the following errors (which aren't related to override):
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://plop.example.com/browser/devtools/shared/network-observer/test/browser/sjs_network-observer-test-server.sjs?sts=200&fmt=js. (Reason: CORS request did not succeed). Status code: (null)."]
Warning: "<script> source URI is not allowed in this document: “https://plop.example.com/browser/devtools/shared/network-observer/test/browser/sjs_network-observer-test-server.sjs?sts=200&fmt=js”." {file: "https://example.com/browser/devtools/shared/network-observer/test/browser/doc_network-observer.html" line: 1}]
The html page is from example.com, whereas the JS is from plop.example.com.
Any idea what could be wrong here?
|
Assignee | |
Updated•1 years ago
|
|
|
Assignee | |
Comment 6•4 months ago
•
|
||
After testing with the patches from Bug 1904870, I'm at the same point as comment 4, meaning the patches fix the STRs but don't work with the mochitest being added in the patch from Alex. Will investigate.
Edit: Found it, it's just because we were not accepting the CORS URL in the observer in the test.
|
|
Assignee | |
Comment 7•4 months ago
|
||
Depends on D217030
|
||
Comment 9•4 months ago
|
||
| bugherder | ||
|
|
Assignee | |
Updated•3 months ago
|
|
||
Updated•3 months ago
|
|
||
Comment 10•3 months ago
|
||
Reproduced the issue with Firefox115.0a1 (2023-05-24) on macOS 14.
The issue is verified fixed with Firefox 131.0a1 (20240807215007) and Firefox 130.0b2 (20240807091924) onWindows 10, macOS 14 and Ubuntu 22.
Description
•