Open Bug 1965826 Opened 11 months ago Updated 9 months ago

Unauthenticated request triggered by “Debugger” tab in Firefox DevTools causes unexpected behaviour in authenticated sessions

Categories

(DevTools :: Debugger, defect, P3)

defect

Tracking

(Not tracked)

People

(Reporter: gabrivgoytia, Unassigned)

References

(Depends on 1 open bug)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36

Steps to reproduce:

Version:
Developer Edition 139.0b6

Open Firefox Developer Edition and start a web application that requires user authentication.

Log into the application using valid credentials.

Navigate to a protected page or feature (i.e. an endpoint only accessible after authentication).

Open DevTools (F12 or right-click > Inspect).

Click on the “Debugger” tab.

Actual results:

Firefox Developer Edition automatically triggered an unauthenticated GET request to the current page.

This request did not include session credentials and was treated as anonymous by the server.

As a result, the server returned an error (e.g. HTTP 401, 403, or 500 depending on configuration).

The request was not initiated by the user, yet it appeared in server logs and interfered with tools that trace or replay HTTP traffic.

The request was not consistently shown in the “Network” tab of DevTools, making it harder to trace.

The behaviour is not present in Chrome or Edge.

Expected results:

The “Debugger” tab should not trigger automatic network requests to authenticated pages.

If such requests are needed internally, they should respect the current user’s session or avoid hitting the application backend altogether.

User interactions should not be altered or polluted by DevTools activity.
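One way to confirm the pattern the report describes from the server side, as an added example that is not part of the bug report and not Firefox code: a small Node.js script that scans access-log lines for a URL fetched with a session cookie and then requested again seconds later from the same client with no cookie and a rejection status. The log layout (Common Log Format plus a trailing quoted Cookie request-header field, as Apache's %{Cookie}i would append), the session cookie name "sid", the 30-second window and the sample lines are all assumptions made for this example.

```javascript
// Added example, not code from the bug report or from Firefox DevTools.
// It scans web-server access-log lines for the pattern the reporter
// describes: a URL fetched with a session cookie, then requested again a few
// seconds later from the same client address with no cookie at all and
// rejected by the server. Assumptions of this example: the log layout
// (Common Log Format followed by a quoted Cookie request-header field, as
// Apache's %{Cookie}i would append) and the session cookie name "sid".

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"$/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Parse an Apache-style timestamp such as "12/May/2025:10:00:01 +0000"
// into milliseconds since the Unix epoch, honouring the zone offset.
function parseLogTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return null;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offsetMs = (Number(m[8]) * 60 + Number(m[9])) * 60 * 1000;
  // local wall-clock time = UTC + offset, so UTC = local - offset
  return m[7] === '-' ? local + offsetMs : local - offsetMs;
}

// Parse one line into its fields, or return null for lines that do not match.
function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const time = parseLogTime(m[2]);
  if (time === null) return null;
  return { ip: m[1], time, method: m[3], path: m[4], status: Number(m[5]), cookie: m[6] };
}

// Walk the lines in order. Remember, per (client, path), when a request that
// carried the session cookie was last seen; flag a later cookie-less GET for
// the same (client, path) that arrives within windowSeconds and gets one of
// the rejection statuses the reporter lists.
function detectAnonymousReplays(lines, { cookieName = 'sid', windowSeconds = 30,
                                         rejectStatuses = [401, 403, 500] } = {}) {
  const sessionRe = new RegExp(`(^|;\\s*)${cookieName}=`);
  const lastWithSession = new Map();
  const findings = [];
  lines.forEach((line, i) => {
    const r = parseLogLine(line);
    if (!r || r.method !== 'GET') return;
    const key = `${r.ip} ${r.path}`;
    if (sessionRe.test(r.cookie)) { lastWithSession.set(key, r.time); return; }
    const prev = lastWithSession.get(key);
    if (prev === undefined) return;
    const gapSeconds = (r.time - prev) / 1000;
    if (gapSeconds >= 0 && gapSeconds <= windowSeconds && rejectStatuses.includes(r.status)) {
      findings.push({ lineNumber: i + 1, ip: r.ip, path: r.path, status: r.status, gapSeconds });
    }
  });
  return findings;
}

// Constructed sample log: line 2 is the anonymous re-request of /account two
// seconds after the credentialed one; lines 3-5 are controls that must not
// be flagged (a public asset, a different client, a request outside the window).
const SAMPLE_LOG = [
  '10.0.0.5 - alice [12/May/2025:10:00:01 +0000] "GET /account HTTP/1.1" 200 512 "sid=abc123; theme=dark"',
  '10.0.0.5 - - [12/May/2025:10:00:03 +0000] "GET /account HTTP/1.1" 401 0 "-"',
  '10.0.0.5 - - [12/May/2025:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 9001 "-"',
  '203.0.113.9 - - [12/May/2025:10:00:04 +0000] "GET /account HTTP/1.1" 401 0 "-"',
  '10.0.0.5 - - [12/May/2025:10:05:00 +0000] "GET /account HTTP/1.1" 401 0 "-"',
];

console.log(JSON.stringify(detectAnonymousReplays(SAMPLE_LOG), null, 2));
```

A hit only shows that some cookie-less request followed a credentialed one from the same address; it does not by itself prove which client component sent it, so correlate the timestamp with when the Debugger tab was opened before attributing it to DevTools.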

The Bugbug bot thinks this bug should belong to the 'DevTools::Debugger' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Debugger
Product: Firefox → DevTools
Version: other → unspecified

We usually try to reuse the cache / available sources as much as possible, but in some cases we resort to performing a request to get the source text.
Are you using source maps in this example? Because if not, even if we do a request, it should normally be using the right authentication. Although you might be impacted by the same issue as Bug 1699418.

Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(gabrivgoytia)
Priority: -- → P3
See Also: → 1699418
Depends on: 1966334
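To answer the source-map question in the comment above, here is an added example (not Firefox code and not from the bug) that scans script text for the sourceMappingURL comment a debugger follows and reports which scripts would need a separate map fetch from the application's own origin; a data: reference embeds the map inline, so it needs no network request. The sample scripts, URLs and the application origin are constructed for the example. Whether such a fetch carries the session cookie is exactly the question the comment raises; this only enumerates the fetches.

```javascript
// Added example, not Firefox code. It scans script text for the
// sourceMappingURL comment that tells a debugger where the map lives and
// reports which scripts would need an extra network fetch to the
// application's own origin (a data: URL embeds the map inline, so nothing is
// fetched). The sample scripts and URLs below are constructed.

// Matches "//# sourceMappingURL=..." and "/*# sourceMappingURL=... */";
// older tools emitted "//@" instead of "//#", so both markers are accepted.
const SOURCEMAP_RE = /\/[\/*][#@]\s*sourceMappingURL=([^\s*]+)/g;

// Return where the map for scriptUrl would be loaded from, or null when the
// script declares none. If several comments are present this takes the last.
function findSourceMapReference(scriptText, scriptUrl) {
  const matches = [...scriptText.matchAll(SOURCEMAP_RE)];
  if (matches.length === 0) return null;
  const ref = matches[matches.length - 1][1];
  if (ref.startsWith('data:')) return { ref, url: null, inline: true, sameOrigin: false };
  const url = new URL(ref, scriptUrl);            // relative refs resolve against the script URL
  const sameOrigin = url.origin === new URL(scriptUrl).origin;
  return { ref, url: url.href, inline: false, sameOrigin };
}

// Given [{url, text}] for the scripts a page loads, list the map URLs that
// would be fetched from appOrigin, i.e. the fetches that would show up in the
// application's own server logs.
function mapsFetchedFromAppOrigin(scripts, appOrigin) {
  const out = [];
  for (const { url, text } of scripts) {
    const ref = findSourceMapReference(text, url);
    if (ref && !ref.inline && new URL(ref.url).origin === appOrigin) out.push(ref.url);
  }
  return out;
}

// Constructed sample: one relative map on the app origin, one on a CDN,
// one inline data: map, and one script without any map.
const SAMPLE_SCRIPTS = [
  { url: 'https://app.example/static/app.js',
    text: "console.log('app');\n//# sourceMappingURL=app.js.map\n" },
  { url: 'https://app.example/static/vendor.js',
    text: "/* bundled */\n/*# sourceMappingURL=https://cdn.example/vendor.js.map */\n" },
  { url: 'https://app.example/static/inline.js',
    text: "//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozfQ==\n" },
  { url: 'https://app.example/static/plain.js',
    text: "document.title = 'no map here';\n" },
];

console.log(mapsFetchedFromAppOrigin(SAMPLE_SCRIPTS, 'https://app.example'));
```

Scripts served from behind the application's authentication whose map URL resolves to the same origin are the ones to watch: if the map fetch is sent without the session cookie, that is the anonymous request the reporter saw in the logs.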

Clear a needinfo that is pending on an inactive user.

Inactive users most likely will not respond; if the missing information is essential and cannot be collected another way, the bug maybe should be closed as INCOMPLETE.

For more information, please visit BugBot documentation.

Flags: needinfo?(gabrivgoytia)