
WIP: Try to fix #3581, make Screenshots work with third party cookies…
… disabled

This adds a second login attempt for wantsauth logins, one that runs in sitehelper.js and tries to get the cookie set on a request that appears to come from the content page itself.

Unfortunately this doesn't work, as the XMLHttpRequest acts like it comes from a moz-extension URL and not the page, so it's still treated as a third party cookie.
ianb committed Oct 6, 2017
1 parent 76109c2 commit ca01150
Showing 4 changed files with 48 additions and 2 deletions.
9 changes: 8 additions & 1 deletion addon/webextension/background/auth.js
Expand Up @@ -200,12 +200,19 @@ this.auth = (function() {

communication.register("getAuthInfo", (sender, ownershipCheck) => {
return registrationInfoFetched.then(() => {
return exports.authHeaders();
}).then((authHeaders) => {
let info = registrationInfo;
if (info.registered) {
return login({ownershipCheck}).then((result) => {
return {isOwner: result && result.isOwner, deviceId: registrationInfo.deviceId};
return {
isOwner: result && result.isOwner,
deviceId: registrationInfo.deviceId,
authHeaders
};
});
}
info = Object.assign({authHeaders}, info);
return info;
});
});
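Review bot: `authHeaders` is now returned to every caller of the `getAuthInfo` message, yet the `sender` argument on the handler line stays unused, so nothing limits which content script (and therefore which page) receives the credential. If `communication.register` handlers are reachable from content scripts injected on pages other than the Screenshots backend, compare the sender's origin (its `url`, if `sender` is the runtime.onMessage MessageSender) with the backend origin before adding the field, and leave `authHeaders` out of the response otherwise. A one-line comment above the `exports.authHeaders()` call, such as `// headers are returned so sitehelper.js can set the login cookie from page context`, would record why the credential leaves the background page at all. The surrounding `this.auth` IIFE starts outside this hunk.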
25 changes: 25 additions & 0 deletions addon/webextension/sitehelper.js
Expand Up @@ -20,13 +20,38 @@ this.sitehelper = (function() {
document.dispatchEvent(new CustomEvent(name, {detail}));
}

/** Set the cookie, even if third-party cookies are disabled in this browser
(when they are disabled, login from the background page won't set cookies) */
function sendBackupCookieRequest(authHeaders) {
// We want this to be sent as though it is sent by the page, which will make
// the cookie NOT a third party cookie:
let MyXMLHttpRequest = document.defaultView.XMLHttpRequest;
// FIXME: seems impossible to get an XMLHttpRequest that acts as though the
// content page is what made the request
console.log("using xmlhttprequest:", MyXMLHttpRequest, XMLHttpRequest === MyXMLHttpRequest);
let req = new MyXMLHttpRequest();
req.open("POST", "/api/set-login-cookie");
for (let name in authHeaders) {
req.setRequestHeader(name, authHeaders[name]);
}
req.send("");
req.onload = () => {
if (req.status != 200) {
console.warn("Attempt to set Screenshots cookie via /api/set-login-cookie failed:", req.status, req.statusText, req.responseText);
} else {
console.log("Got a good response from setting cookie");
}
};
}

document.addEventListener("delete-everything", catcher.watchFunction((event) => {
// FIXME: reset some data in the add-on
}, false));

document.addEventListener("request-login", catcher.watchFunction((event) => {
let shotId = event.detail;
catcher.watchPromise(callBackground("getAuthInfo", shotId || null).then((info) => {
sendBackupCookieRequest(info.authHeaders);
sendCustomEvent("login-successful", {deviceId: info.deviceId, isOwner: info.isOwner});
}));
}));
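Review bot: `req.open("POST", "/api/set-login-cookie")` uses a relative URL, which resolves against the origin of the page sitehelper.js is injected into, so the auth headers set in the loop below are posted to whatever site that is; unless the content-script match pattern (not visible here) restricts this script to the Screenshots backend, build the URL from the backend's configured base instead. The `req.onload` handler is also assigned after `req.send("")`, and there is no `onerror`, so a network failure or a blocked request is dropped without any log line; move the handler assignment above `send` and add `req.onerror = () => console.warn("Attempt to set Screenshots cookie via /api/set-login-cookie failed: network error");`. The status check should be strict, `if (req.status !== 200) {`. The enclosing `this.sitehelper` IIFE starts outside this hunk.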
3 changes: 2 additions & 1 deletion server/src/middleware/csrf.js
Expand Up @@ -26,7 +26,8 @@ function isCsrfExemptPath(path) {
return isAuthPath(path)
|| path.startsWith("/data")
|| path === "/event"
|| path === "/error";
|| path === "/error"
|| path === "/api/set-login-cookie";
}

function csrfHeadersValid(req) {
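Review bot: Exempting `/api/set-login-cookie` from the CSRF check leaves the endpoint protected only by the requirement that the server derives `req.deviceId` from the explicit auth headers the client sends, not from a cookie; that assumption is what keeps a cross-site POST from minting a login cookie, and it is not written down anywhere in this function. Add a comment on the new line, `|| path === "/api/set-login-cookie"; // authenticated by explicit auth headers, never by cookie`, so a later change to header handling does not silently make this route forgeable. Given the commit description says the client side does not work yet, it may also be worth holding this exemption until it does.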
13 changes: 13 additions & 0 deletions server/src/server.js
Expand Up @@ -587,6 +587,19 @@ app.post("/api/login", function(req, res) {
});
});

app.post("/api/set-login-cookie", function(req, res) {
if (!req.deviceId) {
sendRavenMessage(req, "Attempt to set login cookie without authentication");
simpleResponse(res, "Not logged in", 401);
return;
}
sendAuthInfo(req, res, {
deviceId: req.deviceId,
accountId: req.accountId,
userAbTests: req.abTests
});
});

app.put("/data/:id/:domain", upload.single('blob'), function(req, res) {
let slowResponse = config.testing.slowResponse;
let failSometimes = config.testing.failSometimes;
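Review bot: The new `/api/set-login-cookie` route has no comment explaining why it exists alongside `/api/login`, which matters because it is (per the csrf.js change in this commit) CSRF-exempt and relies on `req.deviceId` already being populated by upstream auth middleware. Add a short header above `app.post("/api/set-login-cookie", ...)` stating that it is a fallback for browsers that block third-party cookies, that it only re-issues the login cookie for a device already authenticated by request headers, and that it must never grant a session on its own. The 401 branch is fine; consider also noting in that comment that `req.accountId` and `req.abTests` may be undefined for a device without an account, if that is how the middleware behaves (not visible here).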
