Closed
Bug 383430
Opened 18 years ago
Closed 17 years ago
Add API to XMLHttpRequest to provide convenience for background requests
Categories
(Core :: XML, defect)
Core
XML
Tracking
()
RESOLVED
FIXED
People
(Reporter: mozbugs, Assigned: mozbugs)
References
Details
Attachments
(1 file, 6 obsolete files)
(deleted),
patch
|
mozbugs
:
review+
mozbugs
:
superreview+
shaver
:
approval1.9+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20070605 Firefox/2.0.0.4 Flock/0.8.99
Build Identifier:
To provide some convenience for app or extension code doing requests in the background without user intervention, I propose the following:
1. Do not attach to a window's load group, so requests aren't cancelled if the window closes (often the window isn't really associated with the request anyway)
2. Do not get an nsIAuthPrompt by default, since we don't want auth dialogs to pop up randomly.
3. Provide an nsIBadCertListener implementation, again to prevent bad cert dialogs to pop up randomly.
4. Provide a mechanism to set an arbitrary string to be sent as an HTTP header or perhaps in the UA, so servers have an idea what components or extensions are causing requests.
We've done #1 and #2 already in the Flock tree.
Reproducible: Always
Updated•18 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee | ||
Comment 1•18 years ago
|
||
To clarify, #1-3 would be turned on via a single boolean flag in the interface. In Fow now, in Flock I've called the flag backgroundRequest.
Assignee | ||
Comment 2•17 years ago
|
||
In light of bug #327181, I don't think #3 is necessary anymore.
Are we talking about enabling this for content? Or just for chrome?
Comment 4•17 years ago
|
||
chrome only
Assignee | ||
Comment 5•17 years ago
|
||
Yeah, chrome only. #2 and #4 *may* be useful in light of cross-site XHR support, but let's just get something hashed out for chrome users first.
You should be able to do 4 already using the normal SetRequestHeader API. Code with chrome access should be able to set the UA header.
Assignee | ||
Comment 7•17 years ago
|
||
Spun off bug #405904 to cover #4.
Assignee | ||
Comment 8•17 years ago
|
||
And #3 is relevant again with current trunk UI, as dialogs do pop up for bad certs.
Assignee | ||
Comment 9•17 years ago
|
||
This implements #1-3, and makes the extension manager and update service use it.
For the bad cert stuff, I turned toolkit/mozapps/shared/src/badCertHandler.js into a JS component, and XMLHttpRequest references that accordingly, because content can't (won't?) depend on security interfaces. If the component isn't there, it falls back to the current behavior.
Extension manager and update server still use badCertHandler.js for the checkCert function, perhaps nsBadCertHandler.js could implement an nsIBadCertHandler interface, which provides checkCert? Then the JS #include could go away entirely. Given that there are already 3 users in the tree, it wouldn't be a big stretch to think other users could benefit.
Assignee | ||
Comment 10•17 years ago
|
||
Oh, and currently badCertHandler.js doesn't implement nsIBadCertListener2, so it's not doing its full job anymore.
Severity: enhancement → normal
Assignee | ||
Comment 11•17 years ago
|
||
I forgot to limit it to chrome context only, plus I limited setting the flag to before open() is called, not because it's currently required, but just to give the freedom to apply behavior that might require that in the future.
Attachment #290637 -
Attachment is obsolete: true
Attachment #290775 -
Flags: review?(jonas)
Attachment #290637 -
Flags: review?(jonas)
Assignee | ||
Comment 12•17 years ago
|
||
Doh, I changed the rules of when backgroundRequest could be set without updating the callers, here's a fixed version.
Attachment #290775 -
Attachment is obsolete: true
Attachment #290807 -
Flags: review?(jonas)
Attachment #290775 -
Flags: review?(jonas)
Assignee | ||
Comment 13•17 years ago
|
||
Attachment #290807 -
Attachment is obsolete: true
Attachment #301612 -
Flags: review?(jonas)
Attachment #290807 -
Flags: review?(jonas)
Assignee | ||
Comment 14•17 years ago
|
||
Attachment #301612 -
Attachment is obsolete: true
Attachment #304424 -
Flags: review?(jonas)
Attachment #301612 -
Flags: review?(jonas)
Assignee | ||
Comment 15•17 years ago
|
||
Attachment #304424 -
Attachment is obsolete: true
Attachment #304923 -
Flags: review?(jonas)
Attachment #304424 -
Flags: review?(jonas)
Hmm.. with so little code left, does it really make sense to write the badcerthandler in javascript? Seems simpler to just write C++ and put it in nsXMLHttpRequest.cpp
Sorry, didn't think about that until now :(
Also, I'm thinking we should really have some security folks look at this. I don't really know certificate handling and since it's pretty important stuff I wanna make sure we do the right thing.
Assignee | ||
Comment 17•17 years ago
|
||
Yeah, it still needs to be in JS. I originally wanted to do it all in C++ (even before, the code was not that complex), but the security IDLs get built long after layout, and the source even *depends* on layout and dom, so keeping it in JS avoids making a circular compile time dependency.
nsIBadCertListener2 and nsISSLErrorListener are single function interfaces, and the docs clearly state that returning true suppresses error dialogs but still cancel the request.
http://mxr.mozilla.org/firefox/source/security/manager/ssl/public/nsIBadCertListener2.idl#59
http://mxr.mozilla.org/firefox/source/security/manager/ssl/public/nsISSLErrorListener.idl#56
Flagging dveditz for review, since the cert stuff is based off his work.
Assignee | ||
Updated•17 years ago
|
Attachment #304923 -
Flags: review?(dveditz)
I really like the idea of this patch; should make things a fair bit easier for a lot of extension authors.
Comment 19•17 years ago
|
||
Comment on attachment 304923 [details] [diff] [review]
New patch that incorporates changes discussed on IRC
r=dveditz on the badcert part.
Attachment #304923 -
Flags: review?(dveditz) → review+
Comment on attachment 304923 [details] [diff] [review]
New patch that incorporates changes discussed on IRC
Dan, do we really want to just ignore any bad certificates? Shouldn't we refuse to load the resource in that case?
Resetting review request to make sure it gets reviewed for that issue too.
Attachment #304923 -
Flags: review+ → review?
Assignee | ||
Comment 21•17 years ago
|
||
We *are* refusing to load resources with bad certs. The difference between behavior of the code here and what's in UpdateService/EM is that the latter disallows user whitelisted certs. I filed bug #418992 for that functionality.
Comment on attachment 304923 [details] [diff] [review]
New patch that incorporates changes discussed on IRC
r=me on the non-cert stuff, sr=me for the whole thing.
Attachment #304923 -
Flags: superreview+
Attachment #304923 -
Flags: review?(jonas)
Attachment #304923 -
Flags: review?
Attachment #304923 -
Flags: review+
Assignee | ||
Updated•17 years ago
|
Attachment #304923 -
Flags: approval1.9?
Comment on attachment 304923 [details] [diff] [review]
New patch that incorporates changes discussed on IRC
a=shaver, but two things:
1) please get some tests for this into the tree ASAP; if it's important enough to get into b5, it's important enough to have test coverage
2) what effect will this have on content that uses .backgroundRequest as an expando, perhaps to track their own "background" sorts of requests? (My guess is that they get a cryptic security error now.) Perhaps .mozBackgroundRequest would be a better name, since the property isn't _useful_ unless you're privileged, and we have no intent to standardize.
Attachment #304923 -
Flags: approval1.9? → approval1.9+
Comment on attachment 304923 [details] [diff] [review]
New patch that incorporates changes discussed on IRC
No, I've changed my mind here -- I think we need to at least rename the property name to .mozBackgroundRequest to avoid changing content-visible behaviour between last beta and RC.
Should be an easy fix, and I'll quickly approve the result.
Attachment #304923 -
Flags: approval1.9+ → approval1.9-
I don't think it's that big a risk that someone will set expandos, but there's no harm in using a .moz prefix either, especially given that this is very unlikely to ever be used by web content.
And definitely write some tests, sorry should have thought of that myself.
Comment 26•17 years ago
|
||
+ * The Original Code is the Update Service.
+ *
+ * The Initial Developer of the Original Code is Ben Goodger.
+ * Portions created by the Initial Developer are Copyright (C) 2004
did you really take enough code to merit this?
Assignee | ||
Comment 27•17 years ago
|
||
(In reply to comment #26)
> + * The Original Code is the Update Service.
> + *
> + * The Initial Developer of the Original Code is Ben Goodger.
> + * Portions created by the Initial Developer are Copyright (C) 2004
>
> did you really take enough code to merit this?
All that code is from toolkit/mozapps/shared/src/badCertHandler.js. The only bits I added were to turn it into a real component via XPCOMUtils.
Assignee | ||
Comment 28•17 years ago
|
||
(In reply to comment #25)
> And definitely write some tests, sorry should have thought of that mysel
So I'm not really sure how to test this. How would I go about writing a test to verify an auth prompt dialog or a security warning dialog *isn't* showing up?
The load group stuff is easy enough to test though.
Add a listener that counts how many times it's called, and check that the count is zero when the request completes?
Assignee | ||
Comment 30•17 years ago
|
||
Ok, bug #422808 made the auth prompt a non-issue anyway.
I'm not sure what the best way to trigger an invalid cert warning from the test framework.
Assignee | ||
Comment 31•17 years ago
|
||
Hm, I'm unable to get a cert warning dialog from within the mochitest framework at all. Same code called from within a normal browser instance throws up a dialog.
Assignee | ||
Comment 32•17 years ago
|
||
Ok, I've renamed the attribute to mozBackgroundRequest, and synced up the code with current CVS. As noted before, the auth prompt logic isn't needed anymore.
I've written a test for loadGroup detachment, but I can't seem to even get a security dialog to trigger from mochitest land. Can this be landed for b5, with a test for the security dialog stuff happening later once we figure out what's going on there?
Attachment #304923 -
Attachment is obsolete: true
Attachment #310343 -
Flags: superreview+
Attachment #310343 -
Flags: review+
Attachment #310343 -
Flags: approval1.9?
Comment on attachment 310343 [details] [diff] [review]
New patch, with mozBackgroundRequest attribute
a=shaver, please file a bug on the needed test infrastructure, and mark it blocking a bug that describes the specific tests you feel are missing.
Attachment #310343 -
Flags: approval1.9? → approval1.9+
Comment 34•17 years ago
|
||
Checking in content/base/public/nsIXMLHttpRequest.idl;
/cvsroot/mozilla/content/base/public/nsIXMLHttpRequest.idl,v <-- nsIXMLHttpRequest.idl
new revision: 1.39; previous revision: 1.38
done
Checking in content/base/src/Makefile.in;
/cvsroot/mozilla/content/base/src/Makefile.in,v <-- Makefile.in
new revision: 1.121; previous revision: 1.120
done
RCS file: /cvsroot/mozilla/content/base/src/nsBadCertHandler.js,v
done
Checking in content/base/src/nsBadCertHandler.js;
/cvsroot/mozilla/content/base/src/nsBadCertHandler.js,v <-- nsBadCertHandler.js
initial revision: 1.1
done
Checking in content/base/src/nsXMLHttpRequest.cpp;
/cvsroot/mozilla/content/base/src/nsXMLHttpRequest.cpp,v <-- nsXMLHttpRequest.cpp
new revision: 1.229; previous revision: 1.228
done
Checking in content/base/test/Makefile.in;
/cvsroot/mozilla/content/base/test/Makefile.in,v <-- Makefile.in
new revision: 1.63; previous revision: 1.62
done
RCS file: /cvsroot/mozilla/content/base/test/test_bug383430.html,v
done
Checking in content/base/test/test_bug383430.html;
/cvsroot/mozilla/content/base/test/test_bug383430.html,v <-- test_bug383430.html
initial revision: 1.1
done
Landed on trunk
Assignee | ||
Comment 35•17 years ago
|
||
Will file bugs about test framework.
Marking bug as FIXED as code has landed.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
|
Keywords: dev-doc-needed
Comment 37•17 years ago
|
||
Keywords: dev-doc-needed
Was it intended that doing a background request should always suppress auth prompts? If so that isn't working I realized. Making GetInterface not return an nsIAuthPrompt here simply means that we'll try to get one from the loadgroup, which in many cases will mean that the docshell will provide one.
Although currently chrome docshells most of the time don't provide authprompts, except if a proxy requests authentication.
Assignee | ||
Comment 39•17 years ago
|
||
(In reply to comment #38)
> Although currently chrome docshells most of the time don't provide authprompts,
> except if a proxy requests authentication.
Hm, since when you enable mozBackgroundRequest you don't get the document's loadgroup, would you still get a proxy auth dialog?
Ah, good point, no you don't
Comment 41•16 years ago
|
||
Does a normal Gecko app like FF or SeaMonkey need to ship nsBadCertHandler.js? Just wondering because this file isn't included in browser/installer/windows/packages-static or other packaging files.
Yes. If that's not shipped inside a jar or elsewhere that seems like a bug.
Assignee | ||
Comment 43•16 years ago
|
||
Should be simple enough to add to packages-static.. shall I open a new bug or reopen this one?
Comment 44•16 years ago
|
||
New bug, please.
Assignee | ||
Comment 45•16 years ago
|
||
Filed bug #452135.
You need to log in
before you can comment on or make changes to this bug.
Description
•