Closed Bug 1216687 Opened 9 years ago Closed 9 years ago

Add a load info flag for same-origin credentials policy

Categories

(Core :: DOM: Core & HTML, defect)

RESOLVED FIXED
mozilla45
Tracking Status
firefox45 --- fixed

People

(Reporter: ehsan.akhgari, Assigned: sicking)

References

(Blocks 1 open bug)

Attachments

(1 file)

We have a load info flag for cross origin credentials policy and we need something similar for same origin credentials policy as well.
Assignee: nobody → jonas
Note, it would be nice to have this, but I'm ok not blocking v1 for it. We don't get credentials quite right, but it's close enough for the CORS case. As far as I can tell we don't introduce any security issues for existing CORS-enabled APIs.
Attached patch patch to fix (deleted) — Splinter Review
Attachment #8690660 - Flags: review?(mozilla)
Review ping?
Comment on attachment 8690660 [details] [diff] [review] patch to fix Review of attachment 8690660 [details] [diff] [review]: ----------------------------------------------------------------- Nice changes, r=me ::: dom/security/nsContentSecurityManager.cpp @@ +426,5 @@ > + // Handle cookie policies > + uint32_t cookiePolicy = loadInfo->GetCookiePolicy(); > + if (cookiePolicy == nsILoadInfo::SEC_COOKIES_SAME_ORIGIN) { > + nsIPrincipal* loadingPrincipal = loadInfo->LoadingPrincipal(); > + Nit: trailing spaces ::: netwerk/base/nsILoadInfo.idl @@ +94,5 @@ > + * equivalent to "SAME_ORIGIN" for SEC_REQUIRE_CORS_DATA_INHERITS mode. > + * > + * Note that these flags are still subject to the user's cookie policies. > + * For example, if the user is blocking 3rd party cookies, those cookies > + * will be blocked no matter which of these flags are set. Maybe we should still keep a bit of information for CORS_WITH_CREDENTIALS, something like, if you want to perform CORS with credentials pass SEC_COOKIES_INCLUDE or something similar. ::: netwerk/protocol/http/nsCORSListenerProxy.cpp @@ +821,5 @@ > rv = aChannel->GetOriginalURI(getter_AddRefs(originalURI)); > NS_ENSURE_SUCCESS(rv, rv); > > + nsCOMPtr<nsILoadInfo> loadInfo; > + aChannel->GetLoadInfo(getter_AddRefs(loadInfo)); nit: you could make this a one liner: nsCOMPtr<nsILoadInfo> loadInfo = aChannel->GetLoadInfo(); @@ +908,5 @@ > + // Make cookie-less if needed. We don't need to do anything here if the > + // channel wasn't opened with AsyncOpen2, since otherwise AsyncOpen2 will > + // take care of the cookie policy for us. > + if ((!loadInfo || !loadInfo->GetEnforceSecurity()) && > + !mWithCredentials) { nit: flip this check and use: if (!mWithCredentials && (!loadInfo || !loadInfo->GetEnforceSecurity()))
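Review bot: in the dom/security/nsContentSecurityManager.cpp hunk at +426, loadInfo->LoadingPrincipal() is stored in a raw nsIPrincipal* and the quoted lines end before any null handling is visible. If this path can be reached for a load that has no loading principal, the same-origin comparison that follows should fail closed (treat the load as not same-origin and send no cookies) rather than dereference or skip the check; an explicit branch or an assertion with a comment stating which case is guaranteed would settle it.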
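Review bot: in the netwerk/base/nsILoadInfo.idl comment at +94, the documentation speaks only of cookies and the flags are named SEC_COOKIES_*, while the bug asks for a credentials policy. The comment should say whether these flags also govern other credentials such as HTTP authentication and client certificates, or only cookies, so that a caller choosing the same-origin value knows exactly what is withheld on a cross-origin request.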
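Review bot: in the netwerk/protocol/http/nsCORSListenerProxy.cpp hunk at +908, the comment and the condition point in opposite directions. The comment says nothing needs doing "if the channel wasn't opened with AsyncOpen2", yet the branch runs when loadInfo is null or GetEnforceSecurity() is false, and the clause "since otherwise AsyncOpen2 will take care of the cookie policy for us" only makes sense if the skipped case is the one that was opened with AsyncOpen2. Suggest rewording to "if the channel was opened with AsyncOpen2", so a later reader does not change the condition to match the comment and end up sending credentials on a request that should be cookie-less.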
Attachment #8690660 - Flags: review?(mozilla) → review+
Backed out together with bug 1226909 in https://hg.mozilla.org/integration/mozilla-inbound/rev/e648ed99a3a2 for M(1,2,5) failures on all platforms:
Backout job: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=e648ed99a3a2
Failing job: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=09d64535bcda
Failure example: https://treeherder.mozilla.org/logviewer.html#?job_id=18328115&repo=mozilla-inbound
04:32:06 INFO - 564 INFO TEST-UNEXPECTED-FAIL | dom/base/test/test_XHRDocURI.html | wrong url - got "http://mochi.test:8888/tests/dom/base/test/test_XHRDocURI.html", expected "http://example.com/tests/dom/base/test/file_XHRDocURI.xml"
04:32:06 INFO - SimpleTest.is@SimpleTest/SimpleTest.js:267:5
04:32:06 INFO - testChromeXMLDocURI@dom/base/test/test_XHRDocURI.html:46:3
Flags: needinfo?(jonas)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
Component: DOM → DOM: Core & HTML