Skip to content

/ servo

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

correctly send secure cookies after hsts url match #9780

Merged
merged 4 commits into from Mar 9, 2016
Merged

correctly send secure cookies after hsts url match #9780

merged 4 commits into from Mar 9, 2016

Conversation

@bobthekingofegypt
Copy link
Contributor

bobthekingofegypt commented Feb 27, 2016

Fixes #8100, where sites in the hsts list were not recieving secure
cookies if the site was originally loading using a plain http url.

Review on Reviewable
@bobthekingofegypt
correctly send secure cookies after hsts url match
Loading status checks…
759099c 
Fix for #8100, where sites in the hsts list were not recieving secure
cookies if the site was originally loading using a plain http url.
@highfive
Copy link

highfive commented Feb 27, 2016

Thanks for the pull request, and welcome! The Servo team is excited to review your changes, and you should hear from @mbrubeck (or someone else) soon.
@jdm jdm mentioned this pull request Feb 27, 2016
Open
@jdm
Copy link
Member

jdm commented Feb 27, 2016

Thank you for finding and solving this! I've filed #9783 to ensure we're not making this mistake in other places, too.
@jdm
Copy link
Member

jdm commented Feb 27, 2016

@bors-servo: r+
@bors-servo
Copy link
Contributor

bors-servo commented Feb 27, 2016

📌 Commit 759099c has been approved by jdm
@bors-servo
Copy link
Contributor

bors-servo commented Feb 27, 2016

Testing commit 759099c with merge 32bed54...
bors-servo added a commit that referenced this pull request Feb 27, 2016
@bors-servo
Auto merge of #9780 - bobthekingofegypt:github_hsts_bug, r=jdm
32bed54 
correctly send secure cookies after hsts url match

Fix for #8100, where sites in the hsts list were not recieving secure
cookies if the site was originally loading using a plain http url.

<!-- Reviewable:start -->
[<img src="https://reviewable.io/review_button.svg" height="40" alt="Review on Reviewable"/>](https://reviewable.io/reviews/servo/servo/9780)
<!-- Reviewable:end -->
@bors-servo
Copy link
Contributor

bors-servo commented Feb 27, 2016

💔 Test failed - mac-rel-wpt
@jdm
Copy link
Member

jdm commented Feb 27, 2016 

  ▶ Unexpected subtest result in /XMLHttpRequest/anonymous-mode-unsupported.htm:
  │ FAIL [expected PASS] XMLHttpRequest: anonymous mode unsupported
  │   → assert_equals: The deprecated anonymous:true should be ignored, cookie sent anyway expected "cookie: test=anonymous-mode-unsupported\n" but got ""
  │ 
  │ client.onreadystatechange<@http://web-platform.test:8000/XMLHttpRequest/anonymous-mode-unsupported.htm:22:13
  │ Test.prototype.step@http://web-platform.test:8000/resources/testharness.js:1381:20
  └ Test.prototype.step_func/<@http://web-platform.test:8000/resources/testharness.js:1405:1

We should look into why this test now fails with this change.
@bobthekingofegypt
refactor http_loader hostname/htst order
Loading status checks…
06ffdd6 
Changed hostname rewrite to happen inside obtain response after any htst
changes.  Removed  url from load leaving just doc_url to avoid confusion
@bobthekingofegypt
Copy link
Contributor Author

bobthekingofegypt commented Mar 1, 2016

As discussed on IRC, the test was failing due to the hostname being modified by the HOST file entry in the test runner. This meant the cookies were incorrectly failing to match the host in the updated request cookies method, and not being sent.

Tried updating the code to move hostname changes inside obtain_response and remove the duplicate urls.

Ran this against the unit tests and WPT tests, I get some failures and timeouts on WPT but I get the same failures on master. I tried to test github site itself but I can't seem to press the final login button as the browser won't react to it.
components/net/http_loader.rs Outdated
@@ -632,7 +632,7 @@ pub fn obtain_response<A>(request_factory: &HttpRequestFactory<R=A>,
if let Some(pipeline_id) = *pipeline_id {
send_request_to_devtools(
devtools_chan.clone(), request_id.clone().into(),
url.clone(), method.clone(), request_headers.clone(),
connection_url.clone(), method.clone(), request_headers.clone(),

This comment has been minimized.

Sign in to view
Copy link
@jdm

jdm Mar 2, 2016

Member

This should be using url instead.
@jdm
Copy link
Member

jdm commented Mar 2, 2016

This looks great, with one small change necessary!
tests/unit/net/http_loader.rs Outdated
let cookie = Cookie::new_wrapped(
cookie_pair,
&cookie_url,
CookieSource::NonHTTP

This comment has been minimized.

Sign in to view
Copy link
@jdm

jdm Mar 2, 2016

Member

Let's make this HTTP as well, or else it's pretty confusing to read.
@bobthekingofegypt
send correct url to devtool on request
17e6007 
Send url that was not modified by the hosts file to the dev tools
@bobthekingofegypt
create cookie as HTTP instead of NonHttp in test
Loading status checks…
248e84e 
Cleanup for readability and correctness of unit test in http_loader
@jdm
Copy link
Member

jdm commented Mar 9, 2016

@bors-servo: r+
Thanks!
@bors-servo
Copy link
Contributor

bors-servo commented Mar 9, 2016

📌 Commit 248e84e has been approved by jdm
@bors-servo
Copy link
Contributor

bors-servo commented Mar 9, 2016

Testing commit 248e84e with merge 162e89d...
bors-servo added a commit that referenced this pull request Mar 9, 2016
@bors-servo
Auto merge of #9780 - bobthekingofegypt:github_hsts_bug, r=jdm
Loading status checks…
162e89d 
correctly send secure cookies after hsts url match

Fixes #8100, where sites in the hsts list were not recieving secure
cookies if the site was originally loading using a plain http url.

<!-- Reviewable:start -->
[<img src="https://reviewable.io/review_button.svg" height="40" alt="Review on Reviewable"/>](https://reviewable.io/reviews/servo/servo/9780)
<!-- Reviewable:end -->
@bors-servo
Copy link
Contributor

bors-servo commented Mar 9, 2016

☀️ Test successful - android, gonk, linux-dev, linux-rel, mac-dev-unit, mac-rel-css, mac-rel-wpt, status-appveyor
@bors-servo bors-servo merged commit 248e84e into servo:master Mar 9, 2016
2 checks passed
2 checks passed
continuous-integration/travis-ci/pr The Travis CI build passed
Details
homu Test successful
Details
@bors-servo bors-servo mentioned this pull request Mar 9, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@jdm jdm

Labels
S-awaiting-merge
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants
@bobthekingofegypt @highfive @jdm @bors-servo
You can’t perform that action at this time.