Bug 1732069: Consider loopback origin for Sec-Fetch-Site: same-site r=ckerschb
Differential Revision: https://phabricator.services.mozilla.com/D129152
This commit is contained in:
parent
21b2b112f4
commit
5ef444d868
@ -340,6 +340,9 @@ https://localhost:443
|
||||
# Bug 1402530
|
||||
http://localhost:80 privileged
|
||||
|
||||
http://localhost:9898
|
||||
http://localhost:9899
|
||||
|
||||
# Host for testing APIs whitelisted for mozilla.org
|
||||
https://www.mozilla.org:443
|
||||
|
||||
|
@ -209,7 +209,9 @@ bool IsSameSite(nsIChannel* aHTTPChannel) {
|
||||
// if the initial request is not same-site, or not https, we can
|
||||
// return here because we already know it's not a same-site request
|
||||
if (!hostDomain.Equals(channelDomain) ||
|
||||
!loadInfo->TriggeringPrincipal()->SchemeIs("https")) {
|
||||
(!loadInfo->TriggeringPrincipal()->SchemeIs("https") &&
|
||||
!nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackHost(
|
||||
hostDomain))) {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
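Review bot: The two comment lines at the top of the hunk are now stale: they still say the function returns early when the triggering principal is not https, but the new condition also lets a non-https triggering principal through when `hostDomain` is a potentially trustworthy loopback host. Suggest `// if the initial request is not same-site, or neither https nor a potentially trustworthy loopback host, we can` followed by the existing `// return here because we already know it's not a same-site request`. The loopback check is applied to `hostDomain` only; since the first disjunct already requires `hostDomain.Equals(channelDomain)`, the channel side is covered by the same test, and saying so in the comment would stop the asymmetry from reading like a missed check. IsSameSite starts and continues outside the hunk, so whatever it verifies after this early return is not visible here.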
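--- /dev/null
+++ b/dom/security/test/sec-fetch/file_trustworthy_loopback.html
@@ -0,0 +1,11 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Bug 1732069: Sec-Fetch-Site inconsistent on localhost/IPs</title>
+</head>
+<body>
+<iframe src="http://localhost:9898/foo"></iframe>
+<iframe src="http://localhost:9899/foo"></iframe>
+<iframe src="http://sub.localhost/foo"></iframe>
+</body>
+</html>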
@ -10,3 +10,5 @@ support-files = file_websocket_wsh.py
|
||||
[test_iframe_srcdoc_metaRedirect.html]
|
||||
[test_iframe_window_open_metaRedirect.html]
|
||||
[test_iframe_history_manipulation.html]
|
||||
[test_trustworthy_loopback.html]
|
||||
support-files = file_trustworthy_loopback.html
|
||||
|
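--- /dev/null
+++ b/dom/security/test/sec-fetch/test_trustworthy_loopback.html
@@ -0,0 +1,79 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<title>Bug 1732069: Sec-Fetch-Site inconsistent on localhost/IPs</title>
+<script src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<script type="application/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+let testsSucceeded = 0;
+
+let win;
+function checkTestsDone() {
+testsSucceeded++;
+if (testsSucceeded == 3) {
+win.close();
+SimpleTest.finish();
+}
+}
+
+/* eslint-env mozilla/frame-script */
+var script = SpecialPowers.loadChromeScript(() => {
+const {Services} = ChromeUtils.import("resource://gre/modules/Services.jsm");
+
+Services.obs.addObserver(function onExamResp(subject, topic, data) {
+let channel = subject.QueryInterface(Ci.nsIHttpChannel);
+if (!channel.URI.spec.includes("localhost") ||
+channel.URI.spec.startsWith("http://localhost:9898/tests/dom/security/test/sec-fetch/file_trustworthy_loopback.html")) {
+return;
+}
+
+const expectedHeaders = {
+"localhost:9898": {
+"sec-fetch-site": "same-origin",
+"sec-fetch-mode": "navigate",
+"sec-fetch-dest": "iframe",
+},
+"sub.localhost:-1": {
+"sec-fetch-site": "cross-site",
+"sec-fetch-mode": "navigate",
+"sec-fetch-dest": "iframe",
+},
+"localhost:9899": {
+"sec-fetch-site": "same-site",
+"sec-fetch-mode": "navigate",
+"sec-fetch-dest": "iframe",
+},
+};
+
+info(`checking headers for request to ${channel.URI.spec}`);
+const expected = expectedHeaders[channel.URI.host + ":" + channel.URI.port];
+for (let key in expected) {
+try {
+is(channel.getRequestHeader(key), expected[key], `${key} header matches`);
+} catch (e) {
+ok(false, "failed to check headers");
+}
+}
+sendAsyncMessage("test-end");
+}, "http-on-stop-request");
+});
+
+script.addMessageListener("test-end", () => {
+checkTestsDone();
+});
+
+SpecialPowers.pushPrefEnv({set: [
+["network.proxy.allow_hijacking_localhost", true],
+["network.proxy.testing_localhost_is_secure_when_hijacked", true],
+]}).then(function() {
+win = window.open("http://localhost:9898/tests/dom/security/test/sec-fetch/file_trustworthy_loopback.html");
+});
+
+</script>
+</body>
+</html>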
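Review bot: A localhost request whose `host:port` key is missing from `expectedHeaders` is silently counted as a pass: `expected` is then `undefined`, the `for...in` loop runs zero times, and `sendAsyncMessage("test-end")` still fires, so an unexpected navigation (a redirect, a different port) advances `testsSucceeded` without any header being checked. Fail explicitly when the lookup misses, and name the header and error in the `catch` branch so a failure says which header was wrong rather than the fixed "failed to check headers". Two smaller points in the same script: `if (testsSucceeded == 3)` should be `===`, and the observer registered with `Services.obs.addObserver` is never removed, so it keeps firing for any later localhost request after `SimpleTest.finish()`; a `Services.obs.removeObserver(onExamResp, "http-on-stop-request")` once the third request has been seen would bound it.
```javascript
// … unchanged: expectedHeaders table …
info(`checking headers for request to ${channel.URI.spec}`);
const expected = expectedHeaders[`${channel.URI.host}:${channel.URI.port}`];
if (!expected) {
  ok(false, `unexpected localhost request: ${channel.URI.spec}`);
  sendAsyncMessage("test-end");
  return;
}
for (const key in expected) {
  try {
    is(channel.getRequestHeader(key), expected[key], `${key} header matches`);
  } catch (e) {
    ok(false, `failed to check ${key} header: ${e}`);
  }
}
sendAsyncMessage("test-end");
```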