Closed Bug 845140 Opened 12 years ago Closed 12 years ago

CORS credentials from null

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 671389

People

(Reporter: homakov, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17

Steps to reproduce:

i created http://homakov.blogspot.com/2013/02/pagebox-website-gatekeeper.html



Actual results:

XHR with credentials doesnt work for sandboxed (origin=null) domain. We cannot use wildcard *


Expected results:

i want to be able to add cookies from null too.
can we please please allow wildcard? OR add 'null' value so we could match it with null origin? 
Pagebox is very cool technology and now i have to proxy XHR through form-iframe. It's ugly, I want to use CORS with cookies... pleeease
Component: Untriaged → DOM: Mozilla Extensions
Product: Firefox → Core
Anne, this would need spec changes, yes?
Flags: needinfo?(annevk)
The specification allows for this scenario by the server responding with "Access-Control-Allow-Origin: null" and "Access-Control-Allow-Credentials: true". The use case is a personalized search widget. It's a bug in implementations if that's disallowed.
Flags: needinfo?(annevk)
Reporter, what exact headers are you sending?  What are the steps to reproduce this issue?
Flags: needinfo?(homakov)
i use
x=new HttpRequest;
x.open('get','http://localhost:9292/payments/new');
x.setRequestHeader('Pagebox',pagebox());
x.withCredentials = true;
x.send();


from lh:9292 host. and it doesnt go further OPTIONS preflight. I respond with credentials: true, origin: null headers
Flags: needinfo?(homakov)
wait wait:
CSP WARN: Couldn't process unknown directive 'sandbox' 
for 
sandbox allow-scripts allow-top-navigation allow-forms
is there sandbox in FF 19? NO? O_O
There is "sandbox" content security policy directive.  See the spec at <http://www.w3.org/TR/CSP/#directives>.  There's a proposal for adding such a directive at https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#sandbox but that's an early draft that we don't implement yet because it's in flux, as far as I can tell.

If you're actually sending 'Access-Control-Allow-Credentials: true' and 'Access-Control-Allow-Origin: null' then things should work based on code inspection if you're also using <iframe sandbox>, as of Firefox 17.

But if you're not using <iframe sandbox> then you're not sandboxed, and then your origin is not null.
Though note 671389.
now i see. pagebox technology requires to sandbox pages using header.. attacker is not going to set sandbox attribute
 
why cant FF implement it? CSP is header and you can trust in it, this is not worse than iframe attribute. 

I also cannot make inline scripts work with mozilla CSP, it looks not compatible to chrome, where everything works like a  charm
> why cant FF implement it?

We can; see bug 671389.  Again, this is an in-flux proposal, not a finalized spec.  If you use it, you get browser incompatibilities....
It works in chrome, it doesn't work in FF. FF claims to support CSP, right?
After all browser incompatibilities start from not what *I* implemented, but from what *FF* didn't implement. IMHO
There are two different versions of CSP: CSP 1.0 and CSP 1.1.

CSP 1.0 is a finalized spec (more or less) and does not have the "sandbox" directive.

CSP 1.1 is an early stage proposal and has a "sandbox" directive.

Firefox implements CSP 1.0.
In any case, given the above this looks like a duplicate of bug 671389.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
In any case, given the above this looks like a duplicate of bug 671389.
Component: DOM: Mozilla Extensions → DOM
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.