1841034 - Ensure `network.cors_preflight.authorization_covered_by_wildcard` can be controlled with an enterprise policy flag

Status: NEW

(Firefox :: Enterprise Policies, task, P2)

Description

[Frederik Braun [:freddy]]

Once we can set the network.cors_preflight.authorization_covered_by_wildcard pref, it is likely that some enterprise setups might break.

We should introduce an enterprise flag, to ensure that deployments can get out of this.

Comment 1

[Mike Kaply [:mkaply]]

You can already set the flag, but I'm curious because you mentioned that other browsers have a named policy for this.

Can you point me to the policy?

In some cases, if something is common between Chrome/Edge/Firefox, we create a policy with the same name instead of making enterprises understand prefs.

Comment 2

[Kershaw Chang [:kershaw]]

(In reply to Mike Kaply [:mkaply] from comment #1)

You can already set the flag, but I'm curious because you mentioned that other browsers have a named policy for this.

Can you point me to the policy?

In some cases, if something is common between Chrome/Edge/Firefox, we create a policy with the same name instead of making enterprises understand prefs.

I think it's CORSNonWildcardRequestHeadersSupport.
Is there anything that necko should do to support this?

Comment 3

[Mike Kaply [:mkaply]]

Nope, nothing that would need to be done by Necko.

We would add a policy named the same that would flip the pref.

Comment 4

[Mike Kaply [:mkaply]]

When do we plan to set this pref?

Comment 5

[Frederik Braun [:freddy]]

I think that's up to the networking team. Redirecting needinfo to Kershaw.

Comment 6

[Kershaw Chang [:kershaw]]

(In reply to Mike Kaply [:mkaply] from comment #4)

When do we plan to set this pref?

We are still discussing a plan with other browsers.
I'll keep this ni and keep you posted. Thanks.

Comment 7

[Kershaw Chang [:kershaw]]

Unfortunately, I haven't heard anything recently.
I'll change the NI to self-NI and keep my eyes on this.