Closed Bug 1887869 Opened 8 months ago Closed 5 months ago

declarativeNetRequest.updateSessionRules doesn't work with local file

Categories

(WebExtensions :: Untriaged, defect, P3)

Product:
WebExtensions
Component:
Untriaged
Version:
Firefox 124
Type:
defect

Tracking

(firefox124 wontfix, firefox125 wontfix, firefox126 wontfix, firefox129 verified)

Status:
VERIFIED FIXED
Milestone:
129 Branch
Tracking Flags:
Tracking Status
firefox124 --- wontfix
firefox125 --- wontfix
firefox126 --- wontfix
firefox129 --- verified

People

(Reporter: regseb, Assigned: robwu)

References

Details

(Whiteboard: [addons-jira])

Attachments

(1 file)

Bug 1887869 - Allow DNR to modify requests initiated from file:
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0

Steps to reproduce:

  1. Create a directory with:

  • manifest.json

    {
  "manifest_version": 2,
  "name": "Test case",
  "version": "1.0.0",
  "background": {
    "page": "page.html",
    "persistent": true
  },
  "permissions": [
    "<all_urls>",
    "file:///*",
    "declarativeNetRequest"
  ]
}

  • page.html

    <!doctype html>
<html>
  <head>
    <meta charset="utf-8" />
    <title>Test case</title>
  </head>
  <body>
    <script src="script.js" type="module"></script>
  </body>
</html>

  • script.js

    await browser.declarativeNetRequest.updateSessionRules({
addRules: [
  {
    action: {
      type: "modifyHeaders",
        requestHeaders: [
          {
            header: "X-Foo",
            value: "bar",
            operation: "set",
          },
        ],
      },
      condition: {
        resourceTypes: ["main_frame", "xmlhttprequest"],
        urlFilter: "httpbin",
      },
      id: 1,
    },
  ],
});
  1. Load Temporary Add-on
  2. Go to http://perdu.com/ (any http page)
  3. Open DevTools
  4. Execute console.log(await (await fetch("https://httpbin.org/headers")).json());
  5. See header X-Foo
  6. Open a local file (file://home/regseb/baz.html)
  7. Open DevTools
  8. Execute console.log(await (await fetch("https://httpbin.org/headers")).json());

Actual results:

The header X-Foo aren't added when request from local file.

Expected results:

The header X-Foo should be added when request from local file.

It works in Chromium with the following extension:

  • manifest.json

    {
  "manifest_version": 3,
  "name": "Test case",
  "version": "1.0.0",
  "background": {
    "service_worker": "script.js"
  },
  "host_permissions": [
    "<all_urls>",
    "file:///*"
  ],
  "permissions": [
    "declarativeNetRequest"
  ]
}

  • script.js

    (async () => {
  await chrome.declarativeNetRequest.updateSessionRules({
    addRules: [
      {
        action: {
          type: "modifyHeaders",
          requestHeaders: [
            {
              header: "X-Foo",
              value: "bar",
              operation: "set",
            },
          ],
        },
        condition: {
          resourceTypes: ["main_frame", "xmlhttprequest"],
          urlFilter: "httpbin",
        },
        id: 1,
      },
    ],
    removeRuleIds: [1],
  });
})();
Product: Firefox → WebExtensions

Hello,

I reproduced the issue on the latest Nightly (126.0a1/20240327214448), Beta (125.0b5/20240327092250) and Release (124.0.1/20240321230221) under Windows 10 x64 and Ubuntu 22.04 LTS.

For http://perdu.com/ there is a X-Foo header shown in the console, while for a local file the X-Foo header is not added.

Status: UNCONFIRMED → NEW
status-firefox124: --- → affected
status-firefox125: --- → affected
status-firefox126: --- → affected
Ever confirmed: true

The severity field is not set for this bug.
:zombie, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(tomica)
Flags: needinfo?(tomica) → needinfo?(rob)

I attempted to debug the difference between the fetch requests issued on a web origin and on a file:/// URL and was able to narrow it down to the policy.canAccessURI(this.initiatorURI) call in RequestDetails.canExtensionModify1. At that point it appears to hit a JavaScript/C++ boundary. I believe WebExtensionPolicyCore::CanAccessURI2 is on the other side, but I couldn't validate that as I'm not currently set up to debug the native side of Firefox.

Severity: -- → S3
Priority: -- → P3

This is similar to bug 1621935 but for DNR.

The reason for the existence of the bug is that the JS-exposed canAccessURI method takes at most 4 parameters, while the ability to control file access is governed by the C++-only fourth parameter, added in https://searchfox.org/mozilla-central/commit/e84d5c8831b70213dabdaf1b3c0800f4064cd63e.

Assignee: nobody → rob
Status: NEW → ASSIGNED
Flags: needinfo?(rob)
See Also: → 1621935
Whiteboard: [addons-jira]
Pushed by rob@robwu.nl: https://hg.mozilla.org/integration/autoland/rev/546c49bc415a Allow DNR to modify requests initiated from file: r=zombie

https://hg.mozilla.org/mozilla-central/rev/546c49bc415a

Status: ASSIGNED → RESOLVED
Closed: 5 months ago
status-firefox129: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch

Verified as Fixed. Tested on the latest Nightly (129.0a1/20240630213947) under Windows 10 and Ubuntu 22.04 LTS.

The X-Foo header is now added for local files as well, confirming the fix.

Status: RESOLVED → VERIFIED
status-firefox129: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: