Bug 845140: CORS credentials from null
Status: Closed, RESOLVED DUPLICATE of bug 671389
Opened 12 years ago, closed 12 years ago
Product/Component: Core :: DOM: Core & HTML (defect)
Reporter: homakov; Assignee: Unassigned
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17

Steps to reproduce: I created http://homakov.blogspot.com/2013/02/pagebox-website-gatekeeper.html

Actual results: XHR with credentials doesn't work for a sandboxed (origin=null) domain. We cannot use the wildcard *.

Expected results: I want to be able to add cookies from null too. Can we please please allow the wildcard? OR add a 'null' value so we could match it with the null origin? Pagebox is a very cool technology and now I have to proxy XHR through a form-iframe. It's ugly, I want to use CORS with cookies... pleeease
Updated•12 years ago
Component: Untriaged → DOM: Mozilla Extensions
Product: Firefox → Core
Comment 2•12 years ago
The specification allows for this scenario by the server responding with "Access-Control-Allow-Origin: null" and "Access-Control-Allow-Credentials: true". The use case is a personalized search widget. It's a bug in implementations if that's disallowed.
Flags: needinfo?(annevk)
Comment 3•12 years ago
Reporter, what exact headers are you sending? What are the steps to reproduce this issue?
Flags: needinfo?(homakov)
I use x=new HttpRequest; x.open('get','http://localhost:9292/payments/new'); x.setRequestHeader('Pagebox',pagebox()); x.withCredentials = true; x.send(); from the lh:9292 host, and it doesn't go further than the OPTIONS preflight. I respond with the credentials: true, origin: null headers.
Flags: needinfo?(homakov)
Wait wait: "CSP WARN: Couldn't process unknown directive 'sandbox' for sandbox allow-scripts allow-top-navigation allow-forms". Is there sandbox in FF 19? NO? O_O
Comment 6•12 years ago
There is "sandbox" content security policy directive. See the spec at <http://www.w3.org/TR/CSP/#directives>. There's a proposal for adding such a directive at https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#sandbox but that's an early draft that we don't implement yet because it's in flux, as far as I can tell. If you're actually sending 'Access-Control-Allow-Credentials: true' and 'Access-Control-Allow-Origin: null' then things should work based on code inspection if you're also using <iframe sandbox>, as of Firefox 17. But if you're not using <iframe sandbox> then you're not sandboxed, and then your origin is not null.
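The server side of the exchange discussed above, as an added example (not Mozilla's, Pagebox's or the reporter's code): a sandboxed iframe sends the literal string `null` as its Origin, so it has to be matched as an exact string and echoed back, because `*` cannot be combined with `Access-Control-Allow-Credentials: true`; the preflight must also list the custom `Pagebox` request header. The function and allowlist names are assumptions for this example.

```python
# Added example, not code from the bug or from Pagebox. ALLOWED_* values and
# cors_response() are constructed for illustration.

ALLOWED_ORIGINS = {"https://app.example", "null"}   # constructed allowlist
ALLOWED_HEADERS = {"pagebox"}                       # custom header from the bug
ALLOWED_METHODS = {"GET", "POST"}


def cors_response(request_headers, method):
    """Return (status, response_headers) for one incoming request.

    request_headers: dict of lower-cased request header names to values.
    method: HTTP method of the incoming request; OPTIONS is the preflight.
    """
    origin = request_headers.get("origin")
    headers = {}
    if origin is None:
        # No Origin header: not a CORS request, nothing to add.
        return 200, headers

    # A sandboxed document's Origin is the string "null". It is compared
    # exactly; the wildcard "*" is not usable once credentials are allowed,
    # so the matched value is echoed back verbatim.
    if origin not in ALLOWED_ORIGINS:
        return 403, headers

    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Credentials"] = "true"
    headers["Vary"] = "Origin"

    if method == "OPTIONS":
        # Preflight: the non-simple "Pagebox" header and the method must be
        # explicitly allowed, otherwise the browser blocks the real request.
        req_method = request_headers.get("access-control-request-method", "")
        req_headers = request_headers.get("access-control-request-headers", "")
        wanted = {h.strip().lower() for h in req_headers.split(",") if h.strip()}
        if req_method not in ALLOWED_METHODS or not wanted <= ALLOWED_HEADERS:
            return 403, {}
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        headers["Access-Control-Allow-Headers"] = ", ".join(sorted(wanted))
        headers["Access-Control-Max-Age"] = "600"
        return 204, headers

    return 200, headers
```

Note that `null` is not one site: every sandboxed or otherwise opaque-origin document sends the same value, so a server that allows it cannot tell which page is behind the request and relies on the application-level `Pagebox` header for that.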
Comment 7•12 years ago
Though note 671389.
Now I see. Pagebox technology requires sandboxing pages using the header.. the attacker is not going to set the sandbox attribute. Why can't FF implement it? CSP is a header and you can trust it, this is not worse than the iframe attribute. I also cannot make inline scripts work with Mozilla CSP, it looks not compatible with Chrome, where everything works like a charm.
Comment 9•12 years ago
> why cant FF implement it? We can; see bug 671389. Again, this is an in-flux proposal, not a finalized spec. If you use it, you get browser incompatibilities....
Comment 10•12 years ago
It works in Chrome, it doesn't work in FF. FF claims to support CSP, right? After all, browser incompatibilities start not from what *I* implemented, but from what *FF* didn't implement. IMHO
Comment 11•12 years ago
There are two different versions of CSP: CSP 1.0 and CSP 1.1. CSP 1.0 is a finalized spec (more or less) and does not have the "sandbox" directive. CSP 1.1 is an early stage proposal and has a "sandbox" directive. Firefox implements CSP 1.0.
Comment 12•12 years ago
In any case, given the above this looks like a duplicate of bug 671389.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated•11 years ago
Component: DOM: Mozilla Extensions → DOM
Updated•5 years ago
Component: DOM → DOM: Core & HTML