Closed
Bug 761479
Opened 12 years ago
Closed 12 years ago
XMLHttpRequest with mozAnon=true should still send explicitly passed username + password
Categories
(Core :: Security, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla19
People
(Reporter: philikon, Assigned: mayhemer)
References
Details
(Whiteboard: [WebAPI:P3][LOE:M])
Attachments
(1 file, 3 obsolete files)
12.00 KB,
patch
|
Biesinger
:
review+
mayhemer
:
checkin+
|
Details | Diff | Splinter Review |
In bug 692677 we added the mozAnon flag to XHR which tells the User Agent not to pass cookies and other auth information along with the request. We use the nsIRequest::LOAD_ANONYMOUS flag for that. However, an explicit username and password as passed into the xhr.open() method isn't sent along either, but it really should.
Comment 1•12 years ago
|
||
This is going to be very important for all the protocols the email/calendar app intend to use with this api.
Updated•12 years ago
|
blocking-basecamp: --- → +
blocking-kilimanjaro: --- → +
Reporter | ||
Comment 2•12 years ago
|
||
Alright, I think I finally have a grasp of what's going on: (1) The username, password parameters are equivalent to using http://username:password/... in the URI, as is evident from nsXMLHttpRequest::Open(): https://mxr.mozilla.org/mozilla-central/source/content/base/src/nsXMLHttpRequest.cpp#1888 (2) The URI credentials are used in nsHttpChannelAuthProvider::SetAuthorizationHeader(): https://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp#1199 (3) However, that is skipped if the channel has the nsIRequest::LOAD_ANONYMOUS load flag set: https://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp#176 While I don't feel inclined to mess with Necko too much, it seems error-prone to manually set the 'Authorization' header in nsXMLHttpRequest or something like that. My suggestion would be to invent a new flag, e.g. nsIRequest::LOAD_ANONYMOUS_WITH_URI_IDENTITY that we can check for in nsHttpChannelAuthProvider::AddAuthorizationHeaders(). Thoughts?
Assignee: nobody → philipp
Reporter | ||
Comment 3•12 years ago
|
||
CCing bz for some guidance.
Comment 4•12 years ago
|
||
What's the actual desired behavior here? Why are we trying to send some kinds of authentication information but not others?
Reporter | ||
Comment 5•12 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #4) > What's the actual desired behavior here? Why are we trying to send some > kinds of authentication information but not others? Basically, yes. The behaviour that we expect (Sicking and I, at least) would be that for the following request xhr = new XmlHttpRequest({mozAnon: true}); xhr.open("GET", url, true, username, password) the server would still receive the explicitly passed username and password values, whereas any username + password values from the auth cache as well as cookies would not be sent along.
Comment 6•12 years ago
|
||
Would user certificates be sent? What about other authentication mechanisms that XHR doesn't really expose at the moment but might in the future?
Reporter | ||
Comment 7•12 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #6) > Would user certificates be sent? I would not expect them to be sent. But I do not know whether they will. I should check and maybe also write a unit test for this. > What about other authentication mechanisms > that XHR doesn't really expose at the moment but might in the future? If they're explicitly set on the XHR, I would expect them to be sent. AFAIUI, mozAnon = true tells the User Agent something like "don't add anything *you* know about this host from previous encounters, but let *me* add stuff explicitly".
Comment 8•12 years ago
|
||
Yeah, then it seems like we need a new request flag value to indicate that...
Comment 9•12 years ago
|
||
How are we doing here?
Updated•12 years ago
|
Priority: -- → P1
Updated•12 years ago
|
Whiteboard: [WebAPI:P3]
Reporter | ||
Updated•12 years ago
|
Whiteboard: [WebAPI:P3] → [WebAPI:P3][LOE:M]
Updated•12 years ago
|
Assignee: philipp → amarchesini
Removing this as a blocker. If someone thinks it should be a blocker, please let me know exactly how we are planning on using this in a v1 app. As far as I can tell we wouldn't be using this for the email app since it's not using XHR at all. And I'm not aware that calendar stuff is commonly behind http-auth based security.
blocking-basecamp: + → -
Comment 11•12 years ago
|
||
I don't know if this is the right way to fix it.
Attachment #661767 -
Flags: review?(bzbarsky)
Comment 12•12 years ago
|
||
Comment on attachment 661767 [details] [diff] [review] patch 1 This is so not my thing. Let's try Honza, I guess?
Attachment #661767 -
Flags: review?(bzbarsky) → review?(honzab.moz)
Assignee | ||
Comment 13•12 years ago
|
||
Comment on attachment 661767 [details] [diff] [review] patch 1 This is a first sight feedback only: - nsHttpChannelAuthProvider::GetCredentialsFromURI duplicates some code we already have - this probably won't work for NTLM or any state-full auth scheme I'll do a proper review, latest the next week. If you have a new version of the patch, please don't obsolete this one (it would kill my splinter comments). Thanks.
Assignee | ||
Comment 14•12 years ago
|
||
How urgent is this bug to get fixed?
Assignee | ||
Comment 15•12 years ago
|
||
A bit different approach. Basic tests are passing but this one needs a new, more specific test yet.
Comment 16•12 years ago
|
||
can you use the mochitest from my patch?
Assignee | ||
Comment 17•12 years ago
|
||
(In reply to Andrea Marchesini (:baku) from comment #16) > can you use the mochitest from my patch? I did, my patch didn't pass (got stuck on a prompt). I'll look after the cause.
Assignee | ||
Comment 18•12 years ago
|
||
(In reply to Honza Bambas (:mayhemer) from comment #17) > (In reply to Andrea Marchesini (:baku) from comment #16) > > can you use the mochitest from my patch? > > I did, my patch didn't pass (got stuck on a prompt). I'll look after the > cause. So, I retried and now it passes (maybe it was just a rebuild problem). I pushed the patch to try as well along with patch for bug 776171: https://tbpl.mozilla.org/?tree=Try&rev=3c489d152066 We'll see..
Assignee | ||
Comment 19•12 years ago
|
||
- check for the ANON flag moved down to nsHttpChannelAuthProvider::GetCredentialsForChallenge - includes a test from Andrea that I r+'ed
Assignee: amarchesini → honzab.moz
Attachment #661767 -
Attachment is obsolete: true
Attachment #667192 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #661767 -
Flags: review?(honzab.moz)
Attachment #669529 -
Flags: review?(cbiesinger)
Assignee | ||
Comment 20•12 years ago
|
||
Comment on attachment 669529 [details] [diff] [review] v2 + test by Andrea Marchesini r=honzab for the test parts.
Attachment #669529 -
Flags: review+
Assignee | ||
Comment 21•12 years ago
|
||
Try passes. https://tbpl.mozilla.org/?tree=Try&rev=04b88dc7eba1
Updated•12 years ago
|
Attachment #669529 -
Flags: review?(cbiesinger) → review+
Assignee | ||
Comment 22•12 years ago
|
||
I found an issue with my patch. When there are cached credentials with the same username but different password then those are prioritized over the credentials in the URL. When LOAD_ANONYMOUS is set we have to bypass this cache override to prevent leak. Though, we still need to use cache here to make state-full schemes work (NTLM and Digest). This is an updated patch, changes: - the "taking identity from auth cache" block is not executed also when LOAD_ANONYMOUS is engaged - test updated to include check for this code path
Attachment #669529 -
Attachment is obsolete: true
Attachment #673901 -
Flags: review?(cbiesinger)
Updated•12 years ago
|
Attachment #673901 -
Flags: review?(cbiesinger) → review+
Assignee | ||
Comment 23•12 years ago
|
||
Comment on attachment 673901 [details] [diff] [review] v3 + updated test originally by Andrea Marchesini https://hg.mozilla.org/integration/mozilla-inbound/rev/d1a526f4d7b8 (try: https://tbpl.mozilla.org/?tree=Try&rev=d79b4fabfdc0)
Attachment #673901 -
Flags: checkin+
Comment 24•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/d1a526f4d7b8
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
You need to log in
before you can comment on or make changes to this bug.
Description
•