Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Inconsistency: DNR modifyHeaders supported headers #372

Open
sammacbeth opened this issue Apr 5, 2023 · 12 comments
Open

Inconsistency: DNR modifyHeaders supported headers #372

sammacbeth opened this issue Apr 5, 2023 · 12 comments
Labels
implemented: chrome Implemented in Chrome implemented: firefox Implemented in Firefox inconsistency Inconsistent behavior across browsers supportive: safari Supportive from Safari topic: dnr Related to declarativeNetRequest

Comments

@sammacbeth
Copy link

sammacbeth commented Apr 5, 2023

The DNR modifyHeaders rule action allows for request headers to be added, removed or modified. The current Chrome docs do not specify any limitation on which headers these rules can modify.

In fact, in Chrome and Firefox arbitrary header names are supported (apart from a list of forbidden header names) and can be modified by these rules. However, in Safari, only 'recognized' headers can specified in these rules. For example, take the following rule:

{
  id: 1,
  priority: 1,
  action: {
    type: "modifyHeaders",
    requestHeaders: [
      { header: "Sec-GPC", operation: "set", value: "1" },
    ],
  },
  condition: {
    urlFilter: "||global-privacy-control.glitch.me/",
    resourceTypes: ["main_frame", "sub_frame"],
  },
}

This rule is accepted and works as expected in Firefox and Chrome. However, in Safari, the following exception is thrown:

Invalid call to declarativeNetRequest.updateDynamicRules(). Error with rule at index 0: Rule with id 1 is invalid. The header `Sec-GPC` is not recognized.

This issue has also been submitted to Safari as Radar #FB12074761

@erosman
Copy link

erosman commented Apr 5, 2023

While on the subject, there are additional considerations:

@bershanskiy
Copy link
Member

In fact, in Chrome and Firefox it seems that arbitrary header names are supported and can be modified by these rules.

No, unfortunately Chrome and Firefox do have some limitations, these limitations are just not documented. There is a list somewhere in source code of both projects,but I couldn't find it in a quick glance.

Forbidden header name

Please note that different context may have different forbidden header names, e.g., https://bugs.chromium.org/p/chromium/issues/detail?id=595993

@sammacbeth
Copy link
Author

In fact, in Chrome and Firefox it seems that arbitrary header names are supported and can be modified by these rules.

No, unfortunately Chrome and Firefox do have some limitations, these limitations are just not documented. There is a list somewhere in source code of both projects,but I couldn't find it in a quick glance.

Forbidden header name

Please note that different context may have different forbidden header names, e.g., https://bugs.chromium.org/p/chromium/issues/detail?id=595993

Thanks, I updated the issue description to add that context.

@Rob--W Rob--W added topic: dnr Related to declarativeNetRequest inconsistency Inconsistent behavior across browsers labels Apr 6, 2023
@Rob--W
Copy link
Member

Rob--W commented Apr 6, 2023

I had added more context in a comment on crbug "Issue 1117475: DNR rules which add new headers are accepted inconsistently"

The "append" operation is now supported for a subset of changes since 108, as part of (non-public) issue 1355626.
The relevant changes are at https://chromium-review.googlesource.com/q/Ie5ef2bae40e7c3d1d04f284775d9a9c1044790ea and https://source.chromium.org/chromium/chromium/src/+/d377adec687d1d631fe7fea246706b51fdfea368

The test case from this bug report is still not addressed, because the "append" operation is only supported for a subset of explicitly supported headers, defined at https://cs.chromium.org/kDNRRequestHeaderAppendAllowList . The changes have not been documented.

While this is not documented in Chrome's DNR docs, I did document the inconsistency on MDN at: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/declarativeNetRequest/ModifyHeaderInfo#header_limits

@xeenon
Copy link
Collaborator

xeenon commented Apr 13, 2023

Safari is planning to add Sec-GPC to the allow list. We do have an allow list of headers that we check for any operation type.

@xeenon xeenon added supportive: safari Supportive from Safari follow-up: safari Needs a response from a Safari representative and removed needs-triage labels Apr 13, 2023
@Rob--W Rob--W added follow-up: chrome Needs a response from a Chrome representative implemented: firefox Implemented in Firefox labels Apr 13, 2023
@Rob--W
Copy link
Member

Rob--W commented Apr 13, 2023

follow-up: safari Needs a response from a Safari representative and follow-up: chrome Needs a response from a Chrome representative reflect the action item from today's meeting:

post a comment with the current behaviors (and intended behavior if any), so that we can have a common ground to start the discussion with

Firefox 113+ supports DNR without restrictions other than the Host request header: specifying a new value requires host permissions for the new host value (documented at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/declarativeNetRequest/ModifyHeaderInfo#header_limits ). In particular, DNR extensions in Firefox can specify Sec- headers.

While not documented, usual restrictions from (request/response) headers apply. E.g. some headers don't permit multiple values, and an attempt to specify multiple results in unspecified behavior. E.g. appending Content-Type twice results in the value being set to the last specified value.

@rdcronin
Copy link
Collaborator

From the Chrome side, using a blocklist instead of an allowlist is intentional. We heard strong developer feedback that there were use cases where developers needed to add or modify custom headers, which could never be reasonably contained in an allowlist. While, in principle, we acknowledge that allowlists are preferable, we felt this was an important use case to support.

@oliverdunk
Copy link
Member

@xeenon, my understanding is that the implementation in Safari was based on the original behaviour in Chrome (which has now changed). Given that Chrome uses a deny list, would you be open to aligning?

@oliverdunk oliverdunk added supportive: chrome Supportive from Chrome implemented: chrome Implemented in Chrome and removed follow-up: chrome Needs a response from a Chrome representative supportive: safari Supportive from Safari supportive: chrome Supportive from Chrome labels Sep 13, 2023
@oliverdunk
Copy link
Member

In this case, we are using supportive/implemented to mean using a deny list for header names.

@xeenon
Copy link
Collaborator

xeenon commented Sep 13, 2023

Yeah, a deny list makes more sense to me.

@kiaraarose kiaraarose added supportive: safari Supportive from Safari and removed follow-up: safari Needs a response from a Safari representative labels Sep 13, 2023
@derjanb
Copy link

derjanb commented Jun 13, 2024

[...] We do have an allow list of headers that we check for any operation type.

In case someone stumbles upon it, this is Safari's allow list

@Rob--W
Copy link
Member

Rob--W commented Dec 4, 2024

FYI: Firefox already offers a read-only API to enable extensions to query whether the GPC is enabled (via privacy.network.globalPrivacyControl)

We are also supportive of making the API writable, i.e. to enable extensions to toggle GPC globally without requiring host permissions. More details can be found in https://bugzilla.mozilla.org/show_bug.cgi?id=1914861 and https://bugzilla.mozilla.org/show_bug.cgi?id=1914861#c2.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
implemented: chrome Implemented in Chrome implemented: firefox Implemented in Firefox inconsistency Inconsistent behavior across browsers supportive: safari Supportive from Safari topic: dnr Related to declarativeNetRequest
Projects
None yet
Development

No branches or pull requests

9 participants