Open
Bug 1891715
Opened 1 year ago
Updated 1 year ago
Incorrect behavior for multiple headers (CORP, COOP, AC-*, COEP)
Categories
(Core :: DOM: Networking, defect, P2)
Tracking
UNCONFIRMED
People
(Reporter: jannis, Unassigned)
References
Details
(Whiteboard: [necko-triaged][necko-priority-next])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Steps to reproduce:
- Visit a site with two headers of the same type:
  headerX:
  headerX: value
- Observe how the browser interprets the received values
- CORP: http://sub.headers.websec.saarland/_hp/tests/subresource-loading-corp.sub.html?resp_type=parsing&browser_id=1&label=CORP&first_id=18959&last_id=18968&scheme=http&t_resp_id=18968&t_element_relation=img_direct&t_resp_origin=https://headers.webappsec.eu
- COOP: http://sub.headers.websec.saarland/_hp/tests/window-references-coop.sub.html?resp_type=parsing&browser_id=1&label=COOP&first_id=24253&last_id=24253&scheme=http&t_resp_id=24253&t_element_relation=direct_direct&t_resp_origin=https://headers.webappsec.eu
- CORS (ACAO, but same behavior for all of them): http://sub.headers.websec.saarland/_hp/tests/fetch-cors.sub.html?resp_type=parsing&browser_id=1&label=CORS-ACAO&first_id=10005&last_id=10009&scheme=http&t_resp_id=10008&t_element_relation=GET_simple&t_resp_origin=https://headers.webappsec.eu
- COEP: https://sub.headers.websec.saarland/_hp/tests/subresource-loading-coep.sub.html?resp_type=parsing&browser_id=1&label=COEP&first_id=21586&last_id=21590&scheme=https&t_resp_id=21589&t_element_relation=img_direct&t_resp_origin=https://headers.webappsec.eu
Actual results:
- CORP: is active, load fails -> error
- COOP: is active, window.open.opener: null
- CORS/ACAO: success, access to response possible
- COEP: is active, all resources except the one with CORP: cross-origin fail to load
Expected results:
Duplicate headers are "forbidden"/the combined value ("<value>,") is not valid and thus the header has no effect.
Safari and Chromium do not apply CORP, COOP, ACAO, and COEP in the above examples in contrast to Firefox.
- CORP: uses 'get, decode, and split' (https://fetch.spec.whatwg.org/#concept-header-list-get-decode-split) the resulting value 'same-origin,' should not be valid
- COOP: is a structured header, 'get a structured field value' should fail here (https://fetch.spec.whatwg.org/#concept-header-list-get-structured-header)
- CORS/ACAO: also uses 'get, decode, and split'?
- COEP: is a structured header, parsing should fail
Other headers might be affected as well.
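As an added example (not part of the report or of Firefox's code), the following Node.js script models the Fetch spec's `get` and `get, decode, and split` algorithms, the CORP token check, and a simplified RFC 8941 structured-field token parse, and runs them over constructed duplicate headers. The function names and the `duplicatedCorp` list are assumptions of this example.

```javascript
// Fetch "get": all values for the name, in order, joined with ", " (0x2C 0x20).
function getHeader(headerList, name) {
  const values = headerList
    .filter(([n]) => n.toLowerCase() === name.toLowerCase())
    .map(([, v]) => v);
  return values.length ? values.join(", ") : null;
}
// Fetch "get, decode, and split": split the combined value on commas, keeping
// quoted strings intact (simplified: no backslash escapes), trimming HTTP whitespace.
function getDecodeAndSplit(headerList, name) {
  const input = getHeader(headerList, name);
  if (input === null) return null;
  const values = [];
  let temp = "";
  let pos = 0;
  while (pos < input.length) {
    while (pos < input.length && input[pos] !== '"' && input[pos] !== ",") temp += input[pos++];
    if (pos < input.length) {
      if (input[pos] === '"') {
        const end = input.indexOf('"', pos + 1);
        temp += end === -1 ? input.slice(pos) : input.slice(pos, end + 1);
        pos = end === -1 ? input.length : end + 1;
        if (pos < input.length) continue; // more input: keep collecting this member
      } else {
        pos++; // skip the comma that ends this member
      }
    }
    values.push(temp.replace(/^[ \t]+|[ \t]+$/g, ""));
    temp = "";
  }
  return values;
}
// Fetch CORP check: the combined value must be exactly one of three tokens, otherwise
// there is no policy, which is why a trailing ", " should disable the header entirely.
function corpPolicy(headerList) {
  const policy = getHeader(headerList, "Cross-Origin-Resource-Policy");
  return ["same-origin", "same-site", "cross-origin"].includes(policy) ? policy : null;
}
// Structured-field item parse for COOP/COEP (RFC 8941, simplified to a bare sf-token with
// no parameters): leading/trailing SP is discarded, any leftover input is a parse failure.
function parseSfToken(value) {
  const m = /^ *([A-Za-z*][A-Za-z0-9!#$%&'*+\-.^_`|~:\/]*) *$/.exec(value);
  return m ? m[1] : null;
}
// Constructed header list: the report's "value" header followed by an empty duplicate.
const duplicatedCorp = [["Cross-Origin-Resource-Policy", "same-origin"],
                        ["Cross-Origin-Resource-Policy", ""]];
const singleCorp = [["Cross-Origin-Resource-Policy", "same-origin"]];
console.log(getHeader(duplicatedCorp, "Cross-Origin-Resource-Policy"), corpPolicy(duplicatedCorp));
console.log(getDecodeAndSplit(duplicatedCorp, "Cross-Origin-Resource-Policy"), corpPolicy(singleCorp));
```

With the duplicate, `getHeader` yields `"same-origin, "`, the split yields `["same-origin", ""]`, and both the CORP check and the structured-field parse reject it, matching the behaviour the report expects.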
Updated•1 year ago
Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged][necko-priority-next]
Seems like the "same" issue was fixed previously for XCTO: https://bugzilla.mozilla.org/show_bug.cgi?id=1819642
Updated•1 year ago
Rank: 3