WWW-Authenticate: Negotiate not working cross-site since FF118
Categories
(Core :: Networking, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox118 | --- | fixed |
| firefox119 | --- | fixed |
| firefox120 | --- | fixed |
People
(Reporter: David.Gausmann, Assigned: twisniewski)
References
(Regression)
Details
(Keywords: regression, Whiteboard: [necko-triaged])
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-beta+
pascalc
:
approval-mozilla-release+
|
Details | Review |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Steps to reproduce:
In about:config I have negotiate enabled:
network.negotiate-auth.trusted-uris = 127.0.0.1,otherserver.mydomain
My local website http://127.0.0.1 sends a request to https://otherserver.mydomain
The remote website answers with WWW-Authenticate: Negotiate
The request is sent like this from my local website:
let response = await fetch("https://otherserver.mydomain", {
method: "GET",
cache: "no-store",
credentials: "include"
});
Actual results:
Since Firefox 118 no negotiate is done.
Expected results:
In Chrome and until Firefox 117 negotiate is done.
I've already confirmed that the bug was introduced with Firefox 118 by comparing the portable versions of Firefox 117 with Firefox 118.
The same website and the same Firefox configuration (empty profile, just added the configuration above) worked in 117, but doesn't work in 118, if the request was sent cross-site.
When I open the URL manually in a separate tab, negotiate is done. But not cross-site via fetch-API.
|
||
Comment 1•2 years ago
|
||
Would you be willing to use https://mozilla.github.io/mozregression/ to track down exactly what code change caused this?
|
||
Comment 2•2 years ago
|
||
I think this could be a possible duplicate: https://bugzilla.mozilla.org/show_bug.cgi?id=1855417
I can confirm this behaviour
|
Reporter | |
Comment 3•2 years ago
|
||
Here is my bisection result:
2023-09-28T12:31:11.499000: INFO : Narrowed integration regression window from [3cb800b6, bbd42656] (3 builds) to [c01a1256, bbd42656] (2 builds) (~1 steps left)
2023-09-28T12:31:12.838000: DEBUG : Found commit message:
Bug 580353 - do not set Authentication header for CORS-tainted 401 responses; r=valentin,necko-reviewers
Differential Revision: https://phabricator.services.mozilla.com/D186067
2023-09-28T12:31:12.839000: DEBUG : Did not find a branch, checking all integration branches
2023-09-28T12:31:12.841000: INFO : The bisection is done.
2023-09-28T12:31:12.842000: INFO : Stopped
I guess this bug is the culprit. Is this information enough for you?
|
|
||
Updated•2 years ago
|
|
||
Comment 4•2 years ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::Networking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
|
|
||
Comment 5•2 years ago
|
||
:twisniewski, since you are the author of the regressor, bug 580353, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
|
Assignee | |
Comment 6•2 years ago
|
||
Valentin and I aren't sure what's causing this, so the plan is to back the patch out for now until we figure out what we're missing.
|
|
Assignee | |
Comment 7•2 years ago
|
||
|
||
Updated•2 years ago
|
|
|
||
Comment 8•2 years ago
|
||
Set release status flags based on info from the regressing bug 580353
|
||
Updated•2 years ago
|
|
||
Comment 11•2 years ago
|
||
Comment on attachment 9355726 [details]
Bug 1855650 - Back out changeset bbd42656d00d (bug 580353) for causing unexpected breakage; r?valentin
Beta/Release Uplift Approval Request
- User impact if declined: CORS XHR with authentication no longer works.
(In reply to David Gausmann from bug 1855650 comment #0)
Steps to reproduce:
In about:config I have negotiate enabled:
network.negotiate-auth.trusted-uris = 127.0.0.1,otherserver.mydomainMy local website http://127.0.0.1 sends a request to https://otherserver.mydomain
The remote website answers with WWW-Authenticate: NegotiateThe request is sent like this from my local website:
let response = await fetch("https://otherserver.mydomain", {
method: "GET",
cache: "no-store",
credentials: "include"
});
(In reply to laurent.stukkens from bug 1855442 comment #0)
XMLHttpRequest.send() returns a 401 on Basic Auth and the authentication window is not shown.
After send() is called, onreadystatechange is directly called with a readyState of 2, then 3 and finally 4. Previously, onreadystatechange was only called once the authentication window was closed.This was working on v117 and isn't any more on v118.
This is working on Chrome and Edge.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Simply reverts to previous behaviour.
- String changes made/needed:
- Is Android affected?: Yes
|
||
Comment 12•2 years ago
|
||
| bugherder | ||
|
||
Comment 14•2 years ago
|
||
Comment on attachment 9355726 [details]
Bug 1855650 - Back out changeset bbd42656d00d (bug 580353) for causing unexpected breakage; r?valentin
Approved for 119.0b5
|
||
Comment 15•2 years ago
|
||
| uplift | ||
|
|
||
Updated•2 years ago
|
|
||
Comment 18•2 years ago
|
||
Comment on attachment 9355726 [details]
Bug 1855650 - Back out changeset bbd42656d00d (bug 580353) for causing unexpected breakage; r?valentin
Approved for our next 118 dot release, thanks.
|
|
||
Comment 19•2 years ago
|
||
| uplift | ||
|
|
||
Comment 20•2 years ago
|
||
| bugherder uplift | ||
Description
•