Open Bug 1881271 Opened 8 months ago Updated 7 months ago

CORP error message is not specific enough

Categories

(Core :: Networking: HTTP, enhancement, P2)

Firefox 115
Desktop
All
enhancement


People

(Reporter: jb-mozilla, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged])

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

Steps to reproduce:

Visit one of my own web pages with the ("JavaScript") console open.
Under the available Firefox implementation (115 ESR), Firefox thinks my CORS headers are wrong and logs that to the console.
As a consequence of the CORS specification evolving, the CORS-related headers needed to support multiple browsers and browser versions are long and complex and thus I would like to know exactly what part of what header caused the error in the tested Fx version.

Actual results:

The error message merely says

"The resource at “(url)” was blocked due to its Cross-Origin-Resource-Policy header (or lack thereof). See https://developer.mozilla.org/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)#"

This isn't very precise and links only to a general introduction of the CORS concept.

Expected results:

A much more specific error message with values filled in such as

"The resource at “(url1)” from “(url2)” was blocked due to the blocked URL's Cross-Origin-Resource-Policy subheader "Content-Security-Policy: foo" not allowing “(Origin value)”"

or

"The resource at “(url1)” from “(url2)” was blocked due to the blocked URL's Cross-Origin-Resource-Policy subheader "Content-Security-Policy: foo" missing and thereby not allowing “(Origin value)”"

where “(url1)”, “(url2)”, foo and “(Origin value)” are the specific items that triggered the error message. Most notably, foo would indicate which of the multiple subcategories of the CSP header is responsible, while “(Origin value)” would indicate how “(url2)” was converted into an origin value matched against that subcategory.

Similarly, the error message should also list which other CORS-related headers were directly involved in triggering the error, such as a "Cross-Origin-Embedder-Policy" returned for a specific URL.

I will confirm this report as an enhancement to the error debugging relating to CORS. Properly addressing this issue will be left to the developers responsible for this component. Thank you for your suggestion, Jacob!

Status: UNCONFIRMED → NEW
Component: Untriaged → Networking: HTTP
Ever confirmed: true
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → Desktop

The CORP status is computed here while the console message is dispatched here.

"The resource at “(url1)” loaded from “(url2)” was blocked due to the Cross-Origin-Resource-Policy subheader being "same-origin" / "same-site" / missing. +URL"
We could also append what the value of the "cross-origin-embedder-policy" is when the corp header is missing.

Severity: -- → S3
Priority: -- → P2
Summary: CORS error message is not specific enough → CORP error message is not specific enough
Whiteboard: [necko-triaged]
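To make the proposed message concrete, here is an added example (not Gecko code, and not the patch for this bug) that models the Fetch standard's cross-origin resource policy check and reports which of the conditions blocked the load: a `same-origin` value, a `same-site` value failing the site or scheme comparison, or a missing header that became `same-origin` because the embedder sent `Cross-Origin-Embedder-Policy: require-corp`. The function name `corpCheck`, its argument object, and the registrable-domain approximation (last two host labels instead of the Public Suffix List) are assumptions of this example. The sample URLs and header values in the comments are constructed.

```javascript
// Added example (not Firefox/Gecko code): a model of the Fetch standard's
// cross-origin resource policy (CORP) check that also explains *why* a load
// was blocked, in the spirit of the more specific message proposed in this bug.
// Assumption: the "same site" comparison approximates the registrable domain
// with the last two host labels; a real implementation uses the Public Suffix List.

const CORP_VALUES = new Set(["same-origin", "same-site", "cross-origin"]);

// Approximate eTLD+1 (assumption for this example only).
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

function schemelesslySameSite(originA, originB) {
  return registrableDomain(new URL(originA).hostname) ===
         registrableDomain(new URL(originB).hostname);
}

// Returns { blocked, policy, message }.
// `headers`: response headers with lower-case names, e.g.
//   { "cross-origin-resource-policy": "same-site" }   (constructed sample)
// `embedderPolicy`: the requesting document's COEP value ("unsafe-none" by default).
function corpCheck({ requesterUrl, resourceUrl, headers, embedderPolicy = "unsafe-none" }) {
  const requester = new URL(requesterUrl);
  const resource = new URL(resourceUrl);

  const raw = headers["cross-origin-resource-policy"];
  let policy = typeof raw === "string" ? raw.trim().toLowerCase() : null;
  if (!CORP_VALUES.has(policy)) policy = null; // unknown values count as absent
  const headerMissing = policy === null;

  // COEP: require-corp makes a missing CORP header behave like "same-origin".
  if (headerMissing && embedderPolicy === "require-corp") policy = "same-origin";

  const allow = () => ({ blocked: false, policy, message: null });
  const block = (reason) => ({
    blocked: true,
    policy,
    message:
      `The resource at "${resourceUrl}" loaded from "${requesterUrl}" was blocked ` +
      `due to the Cross-Origin-Resource-Policy header ${reason} ` +
      `(requester origin "${requester.origin}", resource origin "${resource.origin}").`,
  });

  // No effective policy, or an explicit "cross-origin", never blocks.
  if (policy === null || policy === "cross-origin") return allow();
  // A same-origin load always passes regardless of the header value.
  if (requester.origin === resource.origin) return allow();

  if (policy === "same-origin") {
    return block(headerMissing
      ? `missing and therefore treated as "same-origin" because the embedder sent ` +
        `Cross-Origin-Embedder-Policy: require-corp`
      : `being "same-origin"`);
  }

  // policy === "same-site": the origins must be schemelessly same site, and an
  // https resource may not be loaded from a non-https requester.
  if (!schemelesslySameSite(requester.origin, resource.origin)) {
    return block(`being "same-site" while "${requester.hostname}" and ` +
                 `"${resource.hostname}" are not the same site`);
  }
  if (resource.protocol === "https:" && requester.protocol !== "https:") {
    return block(`being "same-site" while an https resource is loaded from a non-https origin`);
  }
  return allow();
}
```

Each `block()` result carries the requester and resource origins alongside the failed condition, which is the information the reporter asked for: not just that the header was wrong, but which value (or absence, plus the COEP that made it matter) and which pair of origins failed the comparison.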