Reject invalid cookies in the webExt cookie API - nightly only
Categories
(WebExtensions :: General, task)
Tracking
(firefox142 fixed)
| | Tracking | Status |
|---|---|---|
| firefox142 | --- | fixed |
People
(Reporter: baku, Assigned: baku)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-complete, Whiteboard: [addons-jira])
Attachments
(1 file)
The webExt.cookies API is currently the only entry point where we allow invalid cookies, as nsICookieValidation is not enforced.
This bug aims to enable cookie validation in Nightly only, to monitor the level of breakage it may cause.
If the level of breakage is acceptable, in a few cycles, we will enable the validation in all the channels.
Comment 2•2 months ago
The validation landed in 141, off-by-default, in https://hg-edge.mozilla.org/mozilla-central/rev/aa54edb433a0
Back then, the use of invalid cookie values resulted in the following message being logged in the console:
Extension [extension id] tried to create an invalid cookie: [error message]
With the patch here, this validation becomes enabled by default, and browser.cookies.set() will reject when an invalid value is encountered.
Ideally, we should only enable this by default if all cookies that an extension can observe through the cookies API are also valid. Bug 1974987 is still open, which suggests that it is possible for the cookies DB to return invalid cookies. Are there other unaccounted cases that still need a migration?
Assignee
Comment 3•2 months ago
> Ideally, we should only enable this by default if all cookies that an extension can observe through the cookies API are also valid. Bug 1974987 is still open, which suggests that it is possible for the cookies DB to return invalid cookies. Are there other unaccounted cases that still need a migration?
Telemetry says that the majority of cookie errors from DB are:
- eRejectedNoneRequiresSecure: 1.21% - Migration done (bug 1973651)
- eRejectedAttributeExpiryOversize: 0.00% - Migration in review (Bug 1974987)
- eRejectedEmptyNameAndValue: 0.00% - Migration in review (Bug 1974987)
- eRejectedInvalidCharValue: 0.00% - Migration in review (Bug 1974987)
- eRejectedInvalidCharName: 0.00% - Migration in review (Bug 1974987)
- eRejectedNameValueOversize: 0.00% - not included. Too low.
Query: https://sql.telemetry.mozilla.org/queries/109167/source
As soon as we land bug 1974987, we will be ready to proceed.
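Added example, not part of the bug thread or of Firefox's code: a pre-flight check an extension could run before calling browser.cookies.set(), covering five of the rejection categories listed in comment 3, plus a wrapper that handles the rejection described in comment 2. The size limit and character classes are assumptions based on RFC 6265bis rather than on nsICookieValidation itself, and `findCookieProblems` and `setCookieChecked` are hypothetical names. eRejectedAttributeExpiryOversize is left out because the page does not say what it measures.

```javascript
// Added example. Rules below are assumptions taken from RFC 6265bis,
// not copied from Firefox's nsICookieValidation implementation.
const MAX_NAME_VALUE_BYTES = 4096; // assumed name+value limit
// Assumed forbidden characters: C0 controls except TAB, DEL, and ";".
const INVALID_CHARS = /[\x00-\x08\x0A-\x1F\x7F;]/;
const utf8Length = (s) => new TextEncoder().encode(s).length;

// Returns the rejection categories (names as listed in comment 3)
// that the given cookies.set() details would be expected to trigger.
function findCookieProblems(details) {
  const name = details.name ?? "";
  const value = details.value ?? "";
  const problems = [];
  if (name === "" && value === "") problems.push("eRejectedEmptyNameAndValue");
  if (utf8Length(name) + utf8Length(value) > MAX_NAME_VALUE_BYTES)
    problems.push("eRejectedNameValueOversize");
  if (INVALID_CHARS.test(name)) problems.push("eRejectedInvalidCharName");
  if (INVALID_CHARS.test(value)) problems.push("eRejectedInvalidCharValue");
  // Only an explicit "no_restriction" is flagged; defaults are not guessed.
  if (details.sameSite === "no_restriction" && details.secure !== true)
    problems.push("eRejectedNoneRequiresSecure");
  return problems;
}

// Hypothetical wrapper: cookiesApi is browser.cookies in an extension,
// or a stub in tests. Never throws; reports why the cookie was not set.
async function setCookieChecked(cookiesApi, details) {
  const problems = findCookieProblems(details);
  if (problems.length > 0) return { ok: false, problems };
  try {
    return { ok: true, cookie: await cookiesApi.set(details) };
  } catch (err) {
    // With validation enabled, set() rejects instead of only logging.
    return { ok: false, problems: [String(err && err.message)] };
  }
}
```

In an extension, call `setCookieChecked(browser.cookies, details)` and log or surface `problems` when `ok` is false.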
Comment 4•2 months ago
(moving to WebExtensions::General since this change only affects extension API behavior)
Backed out for causing mochitest failures @ test_ext_cookies.html
Comment 10•1 month ago
Release note added in Bug 1976197 Reject invalid cookies in the webExt cookie API in nightly only #40351