Bug 1755317 - [remote] Only validate origin headers if BiDi is enable…

…d r=webdriver-reviewers,whimboo When BiDi is disabled, skip the origin header check to support existing CDP clients. Differential Revision: https://phabricator.services.mozilla.com/D138705
dothq · Feb 16, 2022 · 45ba1a8 · 45ba1a8
1 parent 4f8cc77
commit 45ba1a8
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 8 deletions.
diff --git a/remote/server/WebSocketHandshake.jsm b/remote/server/WebSocketHandshake.jsm
@@ -109,14 +109,19 @@ function isIPAddress(uri) {
  * Sec-WebSocket-Accept response header.
  */
 function processRequest({ requestLine, headers }) {
-  const origin = headers.get("origin");
-
-  // A "null" origin is exceptionally allowed in browser mochitests.
-  const isTestOrigin = origin === "null" && nullOriginAllowed;
-  if (headers.has("origin") && !isTestOrigin) {
-    throw new Error(
-      `The handshake request has incorrect Origin header ${origin}`
-    );
+  // Enable origin header checks only if BiDi is enabled to avoid regressions
+  // for existing CDP consumers.
+  // TODO: Remove after Bug 1750689 until we can specify custom hosts & origins.
+  if (RemoteAgent.webDriverBiDi) {
+    const origin = headers.get("origin");
+
+    // A "null" origin is exceptionally allowed in browser mochitests.
+    const isTestOrigin = origin === "null" && nullOriginAllowed;
+    if (headers.has("origin") && !isTestOrigin) {
+      throw new Error(
+        `The handshake request has incorrect Origin header ${origin}`
+      );
+    }
   }
 
   const hostHeader = headers.get("host");

diff --git a/testing/web-platform/mozilla/tests/webdriver/new_session/debugger_address.py b/testing/web-platform/mozilla/tests/webdriver/new_session/debugger_address.py
@@ -2,6 +2,8 @@
 
 import pytest
 
+from http.client import HTTPConnection
+
 from tests.support.http_request import HTTPRequest
 from . import using_context
 
@@ -70,3 +72,37 @@ def test_debugger_address_true_fission_override(session):
             session.execute_script("""return Services.appinfo.fissionAutostart""")
             is True
         )
+
+
+@pytest.mark.parametrize("origin", [None, "", "sometext", "http://localhost:1234"])
+@pytest.mark.capabilities(
+    {
+        "moz:debuggerAddress": True,
+        "moz:firefoxOptions": {
+            "prefs": {
+                "remote.active-protocols": 2,
+            }
+        },
+    }
+)
+def test_origin_header_allowed_when_bidi_disabled(session, origin):
+    debugger_address = session.capabilities.get("moz:debuggerAddress")
+    assert debugger_address is not None
+
+    url = f"http://{debugger_address}/json/version"
+
+    conn = HTTPConnection(debugger_address)
+    conn.putrequest("GET", url)
+
+    if origin is not None:
+        conn.putheader("Origin", origin)
+
+    conn.putheader("Connection", "upgrade")
+    conn.putheader("Upgrade", "websocket")
+    conn.putheader("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ==")
+    conn.putheader("Sec-WebSocket-Version", "13")
+    conn.endheaders()
+
+    response = conn.getresponse()
+
+    assert response.status == 200