Closed Bug 979359 Opened 10 years ago Closed 9 years ago

Add telemetry to understand HTTP Auth usage in subresources

Categories

(Core :: General, defect)

defect
Not set
normal
Points:
8

Tracking

RESOLVED FIXED
mozilla43
Tracking Status
firefox43 --- fixed

People

(Reporter: Dolske, Assigned: dragana)

References

(Blocks 1 open bug)

Attachments

(1 file, 3 obsolete files)

HTTP Authentication has a number of inherent UX problems. Bug 647010 has some details, but the nutshell version is that authentication requests from nested resources in a page (e.g. iframes, images, etc.) can be quite confusing, especially when they're for different origins. The prompts include the requesting origin, but users often won't see or understand it.

We'd like to consider dropping these kinds of requests, but we really don't know how common they are. Chrome apparently tried this and then undid it for unclear reasons (see bug 647010 comment 21).

I think it would be helpful to add some telemetry to understand how common this kind of thing is. Details TBD, but off the top of my head it would be useful to know:
  * How often HTTP Auth occurs at all
  * What percentage of that is for a top-level doc load
  * For subresources, what percentage are cross-origin (probably just cross-TLD?)
Whiteboard: [triage]
Blocks: fxdesktoptriage
No longer blocks: fxdesktopbacklog
Blocks: fxdesktopbacklog
No longer blocks: fxdesktoptriage
Whiteboard: [triage] → p=0
No longer blocks: fxdesktopbacklog
Flags: firefox-backlog+
Whiteboard: p=0 → p=8
Depends on: 1008965
Depends on: 1009627
Joel: Wrong bug? Those two dependencies are completely unrelated to this bug.
No longer depends on: 1009627, 1008965
I think this would be useful to understand if we implement tab-modal auth prompts.
Blocks: 983796
Points: --- → 8
Whiteboard: p=8
Attached patch bug_979359_v1.patch (obsolete) — Splinter Review
Attached patch bug_979359_v1.patch (obsolete) — Splinter Review
Attachment #8651768 - Attachment is obsolete: true
Attached patch bug_979359_v1.patch (obsolete) — Splinter Review
Assignee: nobody → dd.mozilla
Attachment #8651771 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8651932 - Flags: review?(jduell.mcbugs)
Comment on attachment 8651932 [details] [diff] [review]
bug_979359_v1.patch

Review of attachment 8651932 [details] [diff] [review]:
-----------------------------------------------------------------

::: netwerk/protocol/http/nsHttpChannelAuthProvider.cpp
@@ +36,5 @@
>  #define SUBRESOURCE_AUTH_DIALOG_DISALLOW_CROSS_ORIGIN 1
>  #define SUBRESOURCE_AUTH_DIALOG_ALLOW_ALL 2
>  
> +#define HTTP_AUTH_DIALOG_TOP_LEVEL_DOC 0
> +#define HTTP_AUTH_DIALOG_NOT_CROSS_ORIGIN_SUB_RESOURCES 1
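
Review bot: the new HTTP_AUTH_DIALOG_* defines sit directly under the SUBRESOURCE_AUTH_DIALOG_* block and reuse the same small integers (both sets contain a value 1), and nothing in the hunk says what the new set is for. Add a one-line comment above them naming the measure they feed, or move them into a named enum, so a later edit cannot pass a value from one set where the other is expected.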

How about SAME_ORIGIN_SUBRESOURCE? (i.e. SAME instead of NOT, SUBRESOURCE as one word, and not plural)
Attachment #8651932 - Flags: review?(jduell.mcbugs) → review+
Attachment #8651932 - Attachment is obsolete: true
Attachment #8653520 - Flags: review+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/60e6c31a69e0
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Perhaps we can determine what type of cross origin subresources we have and whitelist some (ex: xhr and iframe).
https://bugzilla.mozilla.org/show_bug.cgi?id=647010#c28
(In reply to Tanvi Vyas [:tanvi] from comment #11)
> Looking at the stats, the number of same origin subresources is surprisingly
> large:
> https://telemetry.mozilla.org/new-pipeline/dist.html#!
> cumulative=0&end_date=2015-09-06&keys=__none__!__none__!
> __none__&max_channel_version=nightly%252F43&measure=HTTP_AUTH_DIALOG_STATS&mi
> n_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start
> _date=2015-08-28&table=0&trim=1&use_submission_date=0
> 
> cross origin subresources account for 3.5%.  What is the path forward here?

I think we should make the cross-origin issue more clear in the authentication dialog, e.g. showing that the sub-resource is asking for authentication.

I would not whitelist anything, I think the behavior should be the same for all sub-resources.
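
The three-way split this bug set out to measure (top-level document, same-origin subresource, cross-origin subresource), as an added example that is not part of the bug or the landed patch. The event shape, bucket names and sample data are constructed, and "cross-origin" is taken here as a strict scheme/host/port comparison; comparing registrable domains instead would need the Public Suffix List.

```javascript
// Added example, not Firefox code. Bucket names follow the three categories
// discussed in this bug; the event shape and sample data are constructed.
const BUCKETS = ["top_level_doc", "same_origin_subresource", "cross_origin_subresource"];

// Returns the serialized origin (scheme://host[:port]) or null when the URL
// cannot be parsed or has an opaque origin (file:, data:, about:blank).
function originOf(url) {
  try {
    const origin = new URL(url).origin;
    return origin === "null" ? null : origin;
  } catch (e) {
    return null;
  }
}

// event: { isTopLevelLoad, topLevelUrl, requestUrl } (hypothetical shape)
function classifyAuthPrompt(event) {
  if (event.isTopLevelLoad) return "top_level_doc";
  const top = originOf(event.topLevelUrl);
  const req = originOf(event.requestUrl);
  // Two unknown or opaque origins never count as the same origin.
  if (top !== null && top === req) return "same_origin_subresource";
  return "cross_origin_subresource";
}

function summarize(events) {
  const counts = Object.fromEntries(BUCKETS.map((b) => [b, 0]));
  for (const e of events) counts[classifyAuthPrompt(e)] += 1;
  const sub = counts.same_origin_subresource + counts.cross_origin_subresource;
  return {
    counts,
    topLevelShare: events.length ? counts.top_level_doc / events.length : 0,
    crossOriginShareOfSubresources: sub ? counts.cross_origin_subresource / sub : 0,
  };
}

// Constructed sample: one entry per HTTP auth challenge that would prompt.
const SAMPLE_EVENTS = [
  { isTopLevelLoad: true, topLevelUrl: "https://intranet.example/", requestUrl: "https://intranet.example/" },
  { isTopLevelLoad: false, topLevelUrl: "https://intranet.example/dash", requestUrl: "https://intranet.example/api/data" },
  { isTopLevelLoad: false, topLevelUrl: "https://a.example:443/", requestUrl: "https://A.EXAMPLE/img.png" },
  { isTopLevelLoad: false, topLevelUrl: "https://blog.example/post", requestUrl: "https://tracker.test/pixel.png" },
  { isTopLevelLoad: false, topLevelUrl: "https://shop.example/", requestUrl: "https://shop.example:8443/img.png" },
  { isTopLevelLoad: false, topLevelUrl: "http://shop.example/", requestUrl: "https://shop.example/logo.png" },
];

console.log(summarize(SAMPLE_EVENTS));
```

A differing port or scheme on the same host lands in the cross-origin bucket, while default-port and host-case differences are normalized away before comparison.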