New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fetch is not setting origin correctly. #15247
Comments
This is probably the root cause of the test failure at #15232 (comment) |
I would like to work on this. |
@brainlessdeveloper cool, thanks! (I was on vacation, sorry about the delay.) Let me know if there's any help you need. |
Oh, I'd forgotten about this one haha. Would you mind adding the assigned label to it? |
@cbrewster beat me to it :) |
@brainlessdeveloper The following conversation snippet would light your path forward:
|
@KiChjang Awesome! I read the whole chat but on a first read I didn't figure out much. Thanks! |
So in short I should fix |
The |
Fetch set origin <!-- Please describe your changes on the following line: --> These changes are a WIP, aiming to fix #15247 --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `__` with appropriate data: --> - [x] `./mach build -d` does not report any errors - [x] `./mach test-tidy` does not report any errors - [ ] These changes fix #15247 (github issue number if applicable). <!-- Either: --> - [ ] There are tests for these changes OR - [x] These changes do not require tests because cors is already tested with different origins <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. --> <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/16508) <!-- Reviewable:end -->
Properly set origin of fetch requests <!-- Please describe your changes on the following line: --> These changes aim to fix #15247 --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `__` with appropriate data: --> - [x] `./mach build -d` does not report any errors - [x] `./mach test-tidy` does not report any errors - [x] These changes fix #15247 (github issue number if applicable). <!-- Either: --> - [ ] There are tests for these changes - [x] These changes do not require tests because cors is already tested with different origins These changes require changes in tests, but I need help with that (see comments below). <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. --> <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/16508) <!-- Reviewable:end -->
…y,jdm Properly set origin of fetch requests <!-- Please describe your changes on the following line: --> These changes aim to fix #15247 --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `__` with appropriate data: --> - [x] `./mach build -d` does not report any errors - [x] `./mach test-tidy` does not report any errors - [x] These changes fix #15247 (github issue number if applicable). <!-- Either: --> - [ ] There are tests for these changes - [x] These changes do not require tests because cors is already tested with different origins These changes require changes in tests, but I need help with that (see comments below). <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. --> <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/16508) <!-- Reviewable:end -->
Properly set origin of fetch requests <!-- Please describe your changes on the following line: --> These changes aim to fix #15247 --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `__` with appropriate data: --> - [x] `./mach build -d` does not report any errors - [x] `./mach test-tidy` does not report any errors - [x] These changes fix #15247 (github issue number if applicable). <!-- Either: --> - [ ] There are tests for these changes - [x] These changes do not require tests because cors is already tested with different origins These changes require changes in tests, but I need help with that (see comments below). <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. --> <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/16508) <!-- Reviewable:end -->
Properly set origin of fetch requests <!-- Please describe your changes on the following line: --> These changes aim to fix #15247 --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `__` with appropriate data: --> - [x] `./mach build -d` does not report any errors - [x] `./mach test-tidy` does not report any errors - [x] These changes fix #15247 (github issue number if applicable). <!-- Either: --> - [ ] There are tests for these changes - [x] These changes do not require tests because cors is already tested with different origins These changes require changes in tests, but I need help with that (see comments below). <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. --> <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/16508) <!-- Reviewable:end -->
Properly set origin of fetch requests <!-- Please describe your changes on the following line: --> These changes aim to fix #15247 --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `__` with appropriate data: --> - [x] `./mach build -d` does not report any errors - [x] `./mach test-tidy` does not report any errors - [x] These changes fix #15247 (github issue number if applicable). <!-- Either: --> - [ ] There are tests for these changes - [x] These changes do not require tests because cors is already tested with different origins These changes require changes in tests, but I need help with that (see comments below). <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. --> <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/16508) <!-- Reviewable:end -->
Properly set origin of fetch requests <!-- Please describe your changes on the following line: --> These changes aim to fix #15247 --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `__` with appropriate data: --> - [x] `./mach build -d` does not report any errors - [x] `./mach test-tidy` does not report any errors - [x] These changes fix #15247 (github issue number if applicable). <!-- Either: --> - [ ] There are tests for these changes - [x] These changes do not require tests because cors is already tested with different origins These changes require changes in tests, but I need help with that (see comments below). <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. --> <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/servo/16508) <!-- Reviewable:end -->
In https://github.com/servo/servo/blob/master/components/script/fetch.rs#L60 we have:
which sets the origin of the request to be the origin of the request url (that is, the resource being fetched) rather than the origin of the requester. This means that when we come to do the same-origin test https://github.com/servo/servo/blob/master/components/net/fetch/methods.rs#L211:
all fetches are considered to be same-origin. This is not a good security feature!
IRC chat with @Manishearth and @KiChjang: http://logs.glob.uno/?c=mozilla%23servo&s=26+Jan+2017&e=26+Jan+2017#c600706
The text was updated successfully, but these errors were encountered: