sec fetch breaks snappymail #99
Comments
Seems like this check looks for header HTTP_SEC_FETCH_SITE. In case browser versions come into play with compatibility, the browser being used is Firefox 91.0a1 nightly build 20210710094507 |
Yes, it's a work in progress to implement (only Safari doesn't support it yet). |
Thanks - In case it's helpful - I checked on both Firefox nightly and chrome dev they both show |
It works here with Chromium 90.0.4430.212, Firefox 89.0.2 (has no Sec-Fetch) and Firefox 91.0b2. The problems I encountered were:
In both cases the Sec-Fetch-User is set and I will relax the security for these cases. |
In my case I either:
Is it possible in the latter case to get 'none'? The fail I saw yesterday was the first scenario, which shouldn't have happened, right? I'm happy to test any changes. |
With the latest commit c46a28a it is now crashing with:
Should this have APC -> APCU maybe? thanks, |
Thank you for fixing so quickly - all seems ok now. |
Hi! I recently upgraded to snappymail 2.6.0 and everything is working fine on desktop PCs. However, on mobile (Mozilla Firefox on Android, latest stable version from the Play Store), I'm greeted with this error: "Disallowed Sec-Fetch-Site: cross-site". Could you please take a look again at this? Or should I open a new issue? |
Works for me using Firefox Nightly. Would you mind trying that to eliminate older Firefox as the cause? Thanks |
to confirm - both desktop and phone are on same network for this right? Anything of use in web server logs by chance? |
Both desktop and phone are on the same network. The only difference in the server logs (nginx) is that the first and only request from the phone is answered with a 403 error, whereas the same first request from the desktop is answered with 200 (I obfuscated the source IP):
|
I've tried now with the latest release of Mozilla Firefox from Github https://github.com/mozilla-mobile/fenix/releases/tag/v91.1.0, same error:
|
@m-i-k-e-y Somehow your requests don't match correctly.
I know this security is useless when a MitM modifies the headers. I've made a change in the above mentioned commit to trace your issue a bit better. |
Aside: Agree re MitM, but every bit helps strengthen the overall security. It's also a good idea to use a different CSP for different web server locations, i.e. a very stringent policy everywhere it's not needed and a lighter policy where it's needed. If possible, require password login for those areas with a milder CSP. |
I'll test later after working hours and will let you know the outcome. |
@the-djmaze
I've downloaded and tried with the latest Firefox Nightly from the PlayStore, too. But it makes no difference, Nightly shows the same behaviour. Only Desktop works for me. |
https://www.w3.org/TR/fetch-metadata/#sec-fetch-user-header
Are you not directly accessing https://mail.i*.*/ but through a redirect of some-kind? |
#99 (comment) This should prevent the security error on visiting "index" in any way, but keep security on any sub-request.
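The policy described in the thread (accept top-level navigations to the entry page from anywhere, keep the Sec-Fetch-Site check on every sub-request, and skip the check entirely for browsers that send no Fetch Metadata at all) as an added, stand-alone example. This is not SnappyMail's own code; it is a generic Fetch Metadata resource-isolation check written for this page. The `environ` mapping mirrors the `HTTP_SEC_FETCH_SITE` CGI variable mentioned above, and the sample requests are constructed to match the cases reported in the thread (an old Firefox without Sec-Fetch, an Android navigation classified as cross-site, a same-origin sub-request), not captured traffic.

```python
from typing import Dict, Mapping, Tuple

# Fetch Metadata headers as they arrive in a CGI/FastCGI environment
# (PHP's $_SERVER uses the same HTTP_* naming the thread refers to).
_ENV_TO_HEADER = {
    "HTTP_SEC_FETCH_SITE": "Sec-Fetch-Site",
    "HTTP_SEC_FETCH_MODE": "Sec-Fetch-Mode",
    "HTTP_SEC_FETCH_DEST": "Sec-Fetch-Dest",
    "HTTP_SEC_FETCH_USER": "Sec-Fetch-User",
}

# Methods that a top-level navigation may use while still being treated
# as "just opening the page"; a cross-site POST navigation is refused.
SAFE_METHODS = {"GET", "HEAD"}


def headers_from_environ(environ: Mapping[str, str]) -> Dict[str, str]:
    """Pick the Sec-Fetch-* headers out of a CGI-style environment."""
    return {name: environ[key] for key, name in _ENV_TO_HEADER.items() if key in environ}


def fetch_metadata_verdict(headers: Mapping[str, str], method: str = "GET") -> Tuple[bool, str]:
    """Return (allowed, reason) for one request.

    Caveat from the thread: these headers are only as trustworthy as the
    transport. Over plain HTTP a man-in-the-middle can strip or rewrite them,
    so this is defence in depth behind TLS, not a replacement for CSRF tokens.
    """
    site = headers.get("Sec-Fetch-Site")
    mode = headers.get("Sec-Fetch-Mode")
    dest = headers.get("Sec-Fetch-Dest")
    user = headers.get("Sec-Fetch-User")  # "?1" only on user-activated navigations

    # 1. Browsers without Fetch Metadata (Firefox 89, Safari at the time):
    #    nothing to check, fall through to the other protections.
    if site is None:
        return True, "no Fetch Metadata sent"

    # 2. Requests from our own origin/site, or user-initiated ones with no
    #    referring site ("none": typed URL, bookmark) are always fine.
    if site in ("same-origin", "same-site", "none"):
        return True, f"Sec-Fetch-Site: {site}"

    # 3. Cross-site: only a top-level document navigation with a safe method
    #    may reach the index page (the "visiting index in any way" case).
    #    Framing (dest iframe/embed/object), fetch/XHR, images, scripts and
    #    POST navigations from another site are refused.
    if site == "cross-site":
        if mode == "navigate" and dest == "document" and method.upper() in SAFE_METHODS:
            how = "user-activated" if user == "?1" else "automatic"
            return True, f"cross-site top-level navigation ({how})"
        return False, f"Disallowed Sec-Fetch-Site: {site}"

    # 4. Anything we do not recognise is treated as hostile.
    return False, f"Unknown Sec-Fetch-Site: {site}"


# Constructed sample requests (not captured traffic) covering the thread's cases.
SAMPLES = {
    "old_firefox_no_fetch_metadata": ({}, "GET"),
    "android_bookmark_flagged_cross_site": ({
        "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Dest": "document", "Sec-Fetch-User": "?1"}, "GET"),
    "same_origin_xhr_subrequest": ({
        "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Dest": "empty"}, "POST"),
    "cross_site_api_fetch": ({
        "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Dest": "empty"}, "POST"),
    "cross_site_iframe": ({
        "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Dest": "iframe"}, "GET"),
    "cross_site_form_post_navigation": ({
        "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Dest": "document"}, "POST"),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run every constructed sample through the policy."""
    return {name: fetch_metadata_verdict(h, m)[0] for name, (h, m) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (hdrs, method) in SAMPLES.items():
        allowed, why = fetch_metadata_verdict(hdrs, method)
        print(f"{'200' if allowed else '403'}  {name:40s} {why}")
```

The navigation exemption is what lets a phone whose browser reports a bookmark as `cross-site` reach the login page, while a cross-site `fetch()`, image, iframe or POST still gets the 403 the thread quotes.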
I am directly accessing the domain. Either by typing the address or by using a bookmark stored in the profile. There is only a redirect from http to https for the domain on the server side. |
Your latest commit seems to do the trick. I could access snappymail now with 3 different versions of Firefox on Android: Next stable version from Github:
Nightly from PlayStore:
Current stable version from PlayStore on an older device:
Thanks a lot! |
Sorry these last two commits should belong to #96 |
Commit 2a44aea causes Snappymail to exit with
'Invalid Sec-Fetch
Reverting this commit and it works as usual.
I don't follow what it's actually doing, but the domain has valid certs. Web server is nginx. We use:
The mail app runs with same domain as home page.
Shy of reverting this commit, what is your recommendation?
thanks