Closed Bug 205947 Opened 22 years ago Closed 21 years ago

Proxy: MailNews does not display proxy auth dialog

Categories

(SeaMonkey :: MailNews: Message Display, defect)

Product:
SeaMonkey
Component:
MailNews: Message Display
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: grant.fengstad, Assigned: mscott)

References

Details

Attachments

(2 files, 5 obsolete files)

mailnews-proxy-auth-2.patch (aviary)
12.51 KB, patch
vlad
: review+
vlad
: superreview+
vlad
: approval-aviary+
roc
: approval1.7.5+
Details | Diff | Splinter Review
mailnews-proxy-patch-2.patch (trunk)
12.44 KB, patch
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030514 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030514 I am configured to use a proxy in order to access Internet based content and services. This proxy requires authentication upon first use. When I open up the mail client and open an email that contains Internet based content (ie: images, etc.), they never load. The mail/news client does not invoke the proxy authentication routine when attempting to load Internet based content. If I go to the browser and then direct a session to the Internet, I am prompted for authentication within the browser. Once authenticated, the mailnews client works like a charm. Reproducible: Always Steps to Reproduce: 1.Open Mozilla (MailNews Client) 2.Open email that references internet based content 3.Content is not displayed
We can confirm this behaviour. We also noticed and reported the identical behaviour in current Thunderbird builds. Unfortunately, with Thunderbird being a standalone mail program, there is no similar workaround.
I can also confirm that this is a regression introduced after Mozilla 1.4RC1, as it works properly in that build. Please elevate the priority of this bug as it disables Thunderbird from displaying HTML mail with embedded links to external web sites. We would be pleased to assist in testing a patch for this issue through our proxy servers.
Flagging this bug for thunderbird. Unfortunately I don't have access to proxy servers to try to debug this so that makes it extremely hard! Any java script errors showing up in the JS console when you try this?
Assignee: sspitzer → scott
Status: UNCONFIRMED → NEW
Ever confirmed: true
No, no errors in the JS console or anywhere else. It just never tries to do the proxy authentication.
*** Bug 217799 has been marked as a duplicate of this bug. ***
Mozilla Thunderbird 0.5a (20040105) still exhibits this behaviour. Clicking the Thunderbird icon (top right) launches a proxy challenge. The default browser (Firebird 0.7) is launched, but returning to Thunderbird and refresing the message, it still doesn't display.
As expected, this MailNews client issue was not resolved when we switched from the Sun Proxy server to Squid proxy on Linux. The Mozilla MailNews client still does not issue a proxy challenge when e-mail with external links is received. At the bottom of this post is a sample html message exhibiting this behaviour. Using Mozilla 1.6, a proxy challenge can be generated by asking the web browser to go to an external web site. Once this has been done, a refresh of the mail message allows everything to display as expected. ============================================================================== Sample mail message illustrating this bug: ============================================================================== Return-path: <M8jAMwIBAQAGZLIACAAAAAAEL6/q8w@cnl08.b.tep1.com> Received: from proxy2.komatsu.ca (proxy2.komatsu.ca [XXX.XXX.XXX.XXX]) by messenger.komatsu.ca (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003)) with SMTP id <JS4L08PH7AKS4N02YW@messenger.komatsu.ca> for wbayer@ims-ms-daemon; Fri, 06 Feb 2004 11:28:44 -0500 (Eastern Standard Time) Received: From out005.toptp.com ([38.113.202.25]) by proxy2.komatsu.ca (WebShield SMTP v4.5 MR1a P0803.345) ; id 1076084922979; Fri, 06 Feb 2004 11:28:42 -0500 Date: Fri, 06 Feb 2004 08:13:31 -0800 From: FurnitureFan <Newsletter@FurnitureFan.com> Subject: Furniture Newsletter To: wbayer@komatsu.ca Errors-to: M8jAMwIBAQAGZLIACAAAAAAEL6/q8w@cnl08.b.tep1.com Reply-to: Newsletter@FurnitureFan.com Message-id: <1911963319-1463792638-1076084043@cnl08.b.tep1.com> MIME-version: 1.0 Content-type: multipart/alternative; boundary=1249438995.1463793406.1076084022 Original-recipient: rfc822;wbayer@komatsu.ca --1249438995.1463793406.1076084022 Content-Type: text/plain FurnitureFan.com The Furniture Directory If you cannot view this message, please visit: http://cnl08.c.tep1.com/maabU98aa4aGXa6Xxhne/ Romancing Your bedroom This Valentines Day rekindle the magic and escape your every day life. Create a seductive environment by transforming your space with any of these elegant hand-crafted items from Oakwood Interiors. See more bedroom http://cnl08.c.tep1.com/maabU98aa4aGYa6Xxhne/ Oakwood Interiors - Alder Rose Mansion Bed http://cnl08.c.tep1.com/maabU98aa4aGZa6Xxhne/ Build your dreams piece by piece with the Alder Rose Mansion Collection from Oakwood Interiors. American made of solid wood, this collection will stand the test of time with its quality and exceptional design. Alder Rose Vanity http://cnl08.c.tep1.com/maabU98aa4aG0a6Xxhne/ Alder Rose Night Stand http://cnl08.c.tep1.com/maabU98aa4aG1a6Xxhne/ ==================================================================== Update your profile here: http://cnl08.u.tep1.com/survey/?a2i7O3.a6Xxhn.d2JheWVy Unsubscribe here: http://cnl08.u.tep1.com/survey/?a2i7O3.a6Xxhn.d2JheWVy.u Delivered by Topica Email Publisher, http://www.email-publisher.com/ --1249438995.1463793406.1076084022 Content-Type: text/html MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>FurnitureFan Consumer Newsletter</title> <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-= 1"> <style type=3D"text/css"> <!-- .mnav { font-family: Arial, Helvetica, sans-serif; font-size: 12px; font-weight: bold; font-variant: normal; color: #333333; padding: 8px; text-align: left; font-style: normal; line-height: normal; word-spacing: 7px; border-top: 1px; border-right: 1px; border-bottom: 1px; border-left: 1px; background-color: #F3F1E4; } a:link { color: #666666; text-decoration: none; } a:visited { color: #666666; text-decoration: none; } a:hover { color: #666666; text-decoration: underline; } a:active { color: #666666; text-decoration: none; } .greenbox { border: 1px solid #D1CCA4; } .T1 { font-family: Arial, Helvetica, sans-serif; font-size: 10pt; color: #333333; line-height: 20px; } .t2 { font-family: Arial, Helvetica, sans-serif; font-size: 9.5pt; color: #333333; width: 220px; text-align: left; padding: 3px; } .t3 { font-family: Arial, Helvetica, sans-serif; font-size: 9pt; color: #333333; } .t4 { font-family: Arial, Helvetica, sans-serif; font-size: 8.6pt; color: #303030; padding: 5px; font-weight: bold; text-align: center; } .white-top { border-top-width: 1px; border-top-style: solid; border-top-color: #FFFFFF; } --> </style> </head> <body leftmargin=3D"0" topmargin=3D"0"> <table width=3D"630" border=3D"0" align=3D"center" cellpadding=3D"0" cellsp= acing=3D"0"> <tr>=20 <td><FONT face=3D"Arial, Helvetica, sans-serif" size=3D1><a href=3D"htt= p://cnl08.c.tep1.com/maabU98aa4aGy= a6Xxhne/">If=20 you cannot view this message, please visit: http://www.furniturefan.c= om/ECP/jumppage.aspx?linkid=3D3608</a><br> To continue receiving your FurnitureFan Newsletter without interrupti= on,=20 please add =93Newsletter@FurnitureFan.com=94 to <br> your email Address Book.</FONT></td> </tr> <tr>=20 <td><a href=3D"http://cnl08.c.tep1.com/maabU98aa4aGz= a6Xxhne/"><img src=3D"http://www2.furniturefan.com/ecp/cn/0013/images/Furni= tureFan.gif" width=3D"180" height=3D"34" border=3D"0"></a></td> </tr> <tr>=20 <td class=3D"mnav"><div align=3D"center"><a href=3D"http://cnl08.c.tep1= .com/maabU98aa4aGA= a6Xxhne/">Living=20 Room</a> <font color=3D"#972D38">|</font> <a href=3D"http://cnl08.c= .tep1.com/maabU98aa4aGB= a6Xxhne/">Dining=20 Room</a> <font color=3D"#972D38">|</font> <a href=3D"http://cnl08.c= .tep1.com/maabU98aa4aGC= a6Xxhne/">Bedroom</a>=20 <font color=3D"#972D38">|</font> <a href=3D"http://cnl08.c.tep1.com= /maabU98aa4aGD= a6Xxhne/">Entertainment</a>=20 <font color=3D"#972D38">|</font> <a href=3D"http://cnl08.c.tep1.com= /maabU98aa4aGE= a6Xxhne/">Kids</a>=20 <font color=3D"#972D38">|</font> <a href=3D"http://cnl08.c.tep1.com= /maabU98aa4aGF= a6Xxhne/">Office</a>=20 <font color=3D"#972D38">|</font> <a href=3D"http://cnl08.c.tep1.com= /maabU98aa4aGG= a6Xxhne/">Accent=20 Furniture</a></div></td> </tr> <tr>=20 <td height=3D"5" bgcolor=3D"#FFFFFF">&nbsp;</td> </tr> <tr>=20 <td class=3D"greenbox"><table width=3D"630" border=3D"0" cellspacing= =3D"3" cellpadding=3D"0"> <tr>=20 <td width=3D"276" valign=3D"top" bgcolor=3D"E7E2C8"> <table width= =3D"276" border=3D"0" cellspacing=3D"0" cellpadding=3D"0"> <tr>=20 <td><img src=3D"http://www.furniturefan.com/ecp/cn/0016/ima= ges/bnr.gif" width=3D"276" height=3D"94"></td> </tr> <tr>=20 <td style=3D"padding-left: 15px; padding-right:15px; paddin= g-top:4px; padding-bottom:15px"><div class=3D"t1">=20 <p>This Valentines Day rekindle the magic and escape yo= ur=20 every day life. Create a seductive environment by tra= nsforming=20 your space with any of these elegant hand-crafted ite= ms=20 from <strong>Oakwood Interiors</strong>.</p> </div></td> </tr> <tr>=20 <td style=3D"padding-top:4px; padding-bottom:15px; padding-= left:5px;"><a href=3D"http://cnl08.c.tep1.com/maabU98aa4aGH= a6Xxhne/"><img src=3D"http://www.furniturefan.com/ecp/cn/0016/images/furnit= ure.gif" width=3D"259" height=3D"59" border=3D"0"></a></td> </tr> </table></td> <td align=3D"left" valign=3D"top"> <div align=3D"left">=20 <table width=3D"350" height=3D"100%" border=3D"0" cellpadding= =3D"0" cellspacing=3D"2"> <tr>=20 <td><a href=3D"http://cnl08.c.tep1.com/maabU98aa4aGJ= a6Xxhne/"><img src=3D"http://www.furniturefan.com/ecp/cn/0016/images/oakwoo= d_bed.jpg" width=3D"350" height=3D"340" border=3D"0"></a></td> </tr> </table> </div></td> </tr> </table></td> </tr> <tr>=20 <td height=3D"5"></td> </tr> <tr>=20 <td bgcolor=3D"972D38" class=3D"greenbox"><table width=3D"630" border= =3D"0" cellspacing=3D"0" cellpadding=3D"0"> <tr>=20 <td width=3D"117"><a href=3D"http://cnl08.c.tep1.com/maabU98aa4aG= L= a6Xxhne/"><img src=3D"http://www.furniturefan.com/ecp/cn/0016/images/oakwoo= d_vanity2.jpg" width=3D"117" height=3D"150" border=3D"0"></a></td> <td width=3D"125" align=3D"right"><a href=3D"http://cnl08.c.tep1.= com/maabU98aa4aGO= a6Xxhne/"><img src=3D"http://www.furniturefan.com/ecp/cn/0016/images/oakwoo= d_chest3.jpg" width=3D"124" height=3D"150" border=3D"0"></a></td> <td class=3D"T1" style=3D"padding-left:15px;"><font color=3D"E7E2= C8"><img src=3D"http://www.furniturefan.com/ecp/cn/0016/images/furniture_fa= n7.gif" width=3D"335" height=3D"30"><br> with the Alder Rose Mansion Collection from Oakwood Interiors. = American=20 made of solid wood, this collection will stand the test of time= with=20 its quality and exceptional design.</font></td> </tr> </table></td> </tr> <tr> <td><div align=3D"center"><font color=3D"#333333" size=3D"1" face=3D"Ar= ial, Helvetica, sans-serif">FurnitureFan.com=20 142 North Rd., Sudbury, MA 01776</font></div></td> </tr> </table> <img src=3D"http://www.furniturefan.com/ECP/jumppage.aspx?linkid=3D3593">= =20 <!-- 0x0fa9bafd8b87adf4ab0a121bfdabe341000 --> <img src=3D"http://cnl08.c.tep1.com/naabU98aa4aGQ= a6Xxhne/" width=3D1 height=3D1> <!-- 0x012390fa6570193887fff02398eeaa99283 --> <!-- Begin Footer --> <P> <CENTER> <FONT STYLE=3D"font: 10px Verdana, Sans-Serif;" FACE=3D"Verdana, Sa= ns-Serif" SIZE=3D"-1"> <A HREF=3D"http://cnl08.u.tep1.com/survey/?a2i7O3.= a6Xxhn.= d2JheWVy">Update your profile</A> or <A HREF=3D"http://cnl08.u.tep1.com/survey/?a2i7O3.= a6Xxhn.= d2JheWVy.u">unsubscribe</A> here. </FONT> </CENTER> <CENTER><FONT STYLE=3D"font: 10px verdana, sans-serif;" FACE=3D"Verdana, Sa= ns-Serif" SIZE=3D"-1"> Delivered by <A HREF=3D"http://www.email-publisher.com/">Topica Email Publi= sher</a> </font></center> </body> </html> --1249438995.1463793406.1076084022-- ============================================================================== We are willing to test a patch once available. Regards, Bill
Darin do you remember any changes to our proxy code going in after 1.4 RC1? I'll start searching the 1.4 branch checkins since we should have branched before RC1 was released.
Scott: the proxy servers I used to use got RIF'd, so if you want me to look at this, I can scheme about configuring something for mozilla.org. Grant: can you see if password manager functions as a workaround? This might solve your problem, it also might help understand what is going on.
QA Contact: esther → benc
Summary: MailNews Client does not prompt for proxy authentication upon first load → Proxy: MailNews does not display proxy auth dialog
Yikes! Is this bug still a problem? Sounds pretty major.
(In reply to comment #10) > Yikes! Is this bug still a problem? Sounds pretty major. I confirmed this problem persists using the Windows Mozilla Thunderbird 0.5+ (20040312) build on Windows 2000, both with the "Automatic proxy configurarion URL" selected under Advanced Options or using manual proxy preferences. We have both the Linux Squid and Netscape 3.6 proxy servers. Also seen on occasion (however difficult to replicate): The first time an external URL link in an e-mail message is clicked, Firefox 0.8 (also configured with the "Automatic proxy configurarion URL" option) is started, however no proxy challenge appears. Clicking the link a second time does result in the proxy challenge being initiated. We would like to assist in resolving this bug. Please advise how we can help.
Darin: I think you are going to need to decide if this needs to be fixed. In the context of 1.7, integrated products like Mozilla have a build in work-around. Scott: I do not closely track Thunderbird bugs, but I would strongly recommend fixing this before your next Thunderbird release.
Flags: blocking1.7?
Flags: blocking1.7? → blocking1.7+
this bug was caused by the security drill: http://bugzilla.mozilla.org/show_bug.cgi?id=51631 auth dialogs are disabled in all mail message windows because spammers would use it to force up a user/pwd dialog and get the user's name and password.
Here's where the docshell refuses to return an auth prompter if auth is turned off for this docshell instance: http://lxr.mozilla.org/seamonkey/source/docshell/base/nsDocShell.cpp#386 as you can see at this point in time we have no idea what kind of auth request we are being asked for (legit proxy or other).
*** Bug 221772 has been marked as a duplicate of this bug. ***
Question for Darin :) In fixing the big security bug, an attribute was added to nsIDocShell for blocking secure auth prompts. Instead of fixing all of the callers that try to get a nsIAuthPrompter from the docshell to bring up auth UI, it looks like we hide this in nsIDocShell::GetInterface. Failing to return the auth prompt if this flag has been set on the docshell. Of course GetInterface has no way of knowing what the auth prompt is going to be used for. In the case of a legitimate proxy request, we may want to allow it. Seems to me we could solve this a couple of ways: 1) Always return a nsIAuthPrompter, put the burden on the caller to check and see if they should be allowed to use the returned auth prompter. My fear here is that we make it too easy for the security hole to show back up for new code. 2) I wonder if we could have a special way for the http channel to still get the auth prompter even if the flag is set on the docshell object and the http channel (and just this channel) could check to see if we are doing proxy auth before actually using the auth prompt. 3) Remove nsIAuthPrompter from nsIDocShell::GetInterface. Make an explicit method for getting the auth prompt from a docshell. Force all callers to pass in a boolean flag for proxy which determines if we return an auth prompter or not. Any other ideas?
*** Bug 241846 has been marked as a duplicate of this bug. ***
Echoing comment #12, I would strongly recommend fixing this before your next Thunderbird release.
Scott: as we discussed before, you could consider supporting proxy via a fixed pref format. Take a look at Instant Messenger module of Netscape 7 in the prefs. Also, this bug seems to require the same changes as bug 112179, so maybe the combined advantages could make a case of implementing this.
This is a blocker for a major French account on Thunderbird. Mozilla Europe would *love* to see this bug fixed.
It is also blocking Glocalnet in Sweden.
Doesn't look like this is gonna happen for 1.7.
Flags: blocking1.7+ → blocking1.7-
looks like this is going to need some redesign to avoid security problems and still provide what it needed. we are going to have to put this off for 1.7 and try for 1.8, with the hope that a patch might be able to be back ported for 1.7.1 and tbird 1.0...
Flags: blocking1.8a2+
A major problem is that the nsIAuthPrompt implementation does not have sufficient context to determine whether or not to show a prompt. I think the solution to this bug lies in improving the nsIAuthPrompt API so that it has sufficient context. In this case, that means telling the prompt whether or not it is being invoked for proxy auth. (I can think of other bits of information that would be valuable for other bugs too... like the degree of password protection.) If nsIAuthPrompt were modified so that necko could pass more context to the prompter, then we would just need to modify the prompter implementation that is used by mailnews.
Hmm, changing nsIAuthPrompt sounds like it wouldn't be possible to backport to the long-lived stable branch.
well, we could also invent nsIAuthPrompt2. necko could try to use nsIAuthPrompt2 and fallback to using nsIAuthPrompt if it cannot get a nsIAuthPrompt2 implementation. we could continue disabling support for nsIAuthPrompt in mailnews.
Seems to me this is also blocking RSS support in Thunderbird. When adding a rss feed, Thunderbird will try to validate the provided URL, it never finishes.
Flags: blocking1.8a4?
Attached patch mailnews-proxy-auth-0.patch (obsolete) — Splinter Review
How's this for an attempt? I added a nsIAuthPromptRequestor interface that takes flags indicating what type of auth request is wanted (well, just 0 or 1 for now, other flags in the future as necessary). nsHttpChannel then tries to get this interface first and use it to get an nsIAuthPrompt with flags; otherwise it falls back to just doing a GetInterface. The only problem I see is I don't see how this approach (or any other) maintains the lockdown which caused this problem in the first place -- nsHttpChannel decides whether to tell AuthPromptRequester it wants a proxy auth dialog based on its is proxyAuth flag, which is set if the HTTP response code is 407 as opposed to 401. This means that all a malicious site would have to do would be to return a 407 instead of a 401, and HttpChannel would have no way of knowing whether it came from a legitimate proxy or not. Not sure how to fix this or even if we can; we can maybe ensure that there was a proxy configured and that the auth request is coming from there, but that'll fail in the (admittedly slightly contrived) case of a transparent http proxy that wants auth.
Comment on attachment 157248 [details] [diff] [review] mailnews-proxy-auth-0.patch Darin, could you take a look at this? Or please suggest another reviewer if you're not the best person :) See comments above for patch notes.
Attachment #157248 - Flags: review?(darin)
Vlad: this patch makes sense to me. I haven't done a thorough review yet, but I too am concerned about the 407 from origin server case. Currently, we prevent exposing cached proxy credentials when a 407 occurs over a non-proxy connection. We just treat the 407 as coming from the origin server instead of from the proxy server. That affects the password manager key used, which affects what is prefilled in the auth prompt. But, we preserve the fact that this is a proxy auth attempt. We should probably set proxyAuth to false inside nsHttpChannel::GetCredentialsForChallenge at the right place to be consistent. I'll need to read the RFCs again to be sure, but I think we can probably assume that 407 can only rightfully be generated by an explicit proxy server. Transparent proxies are probably not permitted to generate that error code, although folks may be abusing that restriction in the real world.
Something like this? As long as any legitimate proxy eats any 407's that it receives itself from a site, this should be fine -- does the spec require that?
Comment on attachment 157248 [details] [diff] [review] mailnews-proxy-auth-0.patch if you do want to go down a route like this, I would instead change nsIAuthPrompt to add a "boolean isProxyAuth" param, or something like that. that interface is suboptimal anyway, with requiring to pass the entire dialog text to it...
If we add the isProxyAuth param to nsIAuthPrompt then perhaps we don't need nsIAuthPromptRequestor. I assumed the point of nsIAuthPromptRequestor was to avoid having to change nsIAuthPrompt. Is that not right?
(In reply to comment #33) > If we add the isProxyAuth param to nsIAuthPrompt then perhaps we don't need > nsIAuthPromptRequestor. I assumed the point of nsIAuthPromptRequestor was to > avoid having to change nsIAuthPrompt. Is that not right? That's correct (I actually typed up a reply earlier this morning, but just now notice that the bugzilla tab is sitting at the password prompt..) It seems cleaner to follow the current practice of not giving out a nsIAuthPrompt at all if the user shouldn't be prompted; hence the Requestor, with added flags. Otherwise, the decision whether to display a prompt or not has to be moved into a nsIAuthPrompt implementation.
At some point, I do wish to provide a better nsIAuthPrompt. We should give the prompt the knowledge that it is prompting for proxy auth vs. normal auth, etc. But, there are many other things that should be included in a reworking of such an interface. For now, I'm happy with nsIAuthPromptRequestor. It could be a low risk addition to the stable branches too.
this is going to be a very welcome fix for the aviary branch!
Take a hard line and reject 407 when proxy server not configured. This is consistent with IE.
Attachment #157339 - Attachment is obsolete: true
Comment on attachment 157248 [details] [diff] [review] mailnews-proxy-auth-0.patch >+[scriptable, uuid(129d3bd5-8a26-4b0b-b8a0-19fdea029196)] >+interface nsIAuthPromptRequestor : nsISupports >+{ >+ /* Normal (non-proxy) prompt request. */ >+ const PRUint32 PROMPT_NORMAL = 0; >+ >+ /* Proxy auth request. */ >+ const PRUint32 PROMPT_PROXY = 1; >+ >+ /** >+ * Request a nsIAuthPrompt interface for the given flags; >+ * throws NS_ERROR_FAILURE if no prompt is allowed or >+ * available for the given reason. >+ */ >+ nsIAuthPrompt requestAuthPrompt(in PRUint32 aPromptReason); >+}; please create a new IDL file for this interface, and provide a summary comment of some sort. use doxygen style commenting for params and exceptions. should this be named nsIAuthPromptProvider instead? oh, i guess nsIAuthPromptRequestor corresponds to nsIInterfaceRequestor, so maybe getAuthPrompt to correspond with getInterface? whatever ;-) >Index: docshell/base/nsDocShell.cpp >+nsDocShell::RequestAuthPrompt (PRUint32 aPromptReason, nsIAuthPrompt **aResult) GNU whitespace alert! "when in rome, stay in rome" :-) >+{ >+ // a priority prompt request will override a false mAllowAuth setting >+ PRBool priorityPrompt = PR_FALSE; >+ >+ if (aPromptReason & nsIAuthPromptRequestor::PROMPT_PROXY) >+ priorityPrompt = PR_TRUE; maybe this: priorityPrompt = aPromptReason & nsIAuthPromptRequestor::PROMPT_PROXY; >Index: netwerk/protocol/http/src/nsHttpChannel.cpp >@@ -2304,22 +2304,37 @@ nsHttpChannel::PromptForIdentity(const c >+ if (proxyAuth) >+ rv = authPromptRequestor->RequestAuthPrompt (nsIAuthPromptRequestor::PROMPT_PROXY, getter_AddRefs(authPrompt)); >+ else >+ rv = authPromptRequestor->RequestAuthPrompt (nsIAuthPromptRequestor::PROMPT_NORMAL, getter_AddRefs(authPrompt)); nit: please fix whitespace and put a linebreak somewhere in those long lines. >+ >+ if (NS_FAILED(rv)) >+ return NS_ERROR_NO_INTERFACE; no need to assign or check rv really. the !authPrompt check down below is good enough, no? also, how about making only one call to RequestAuthPrompt? store the prompt type in a variable, and then make only one call. help the compiler optimize a bit ;-) >+ } else { >+ GetCallback(NS_GET_IID(nsIAuthPrompt), getter_AddRefs(authPrompt)); >+ } please keep braces consistent with the rest of this file, which means: } else GetCallback(NS_GET_IID(nsIAuthPrompt), getter_AddRefs(authPrompt));
Attachment #157248 - Flags: review?(darin) → review-
(In reply to comment #33) > I assumed the point of nsIAuthPromptRequestor was to > avoid having to change nsIAuthPrompt. Is that not right? (In reply to comment #34) > It seems cleaner to follow the current practice of not giving out a > nsIAuthPrompt at all if the user shouldn't be prompted; those are good points. so, nevermind comment 32. :) Index: netwerk/base/public/nsIAuthPrompt.idl + * throws NS_ERROR_FAILURE if no prompt is allowed or + * available for the given reason. if no prompt is available, maybe NS_ERROR_NOT_AVAILABLE would be better? :) Index: docshell/base/nsDocShell.cpp + if (aPromptReason & nsIAuthPromptRequestor::PROMPT_PROXY) hm... wouldn't a reason be more like an enum, so that == would be a better comparison? +nsDocShell::RequestAuthPrompt (PRUint32 aPromptReason, nsIAuthPrompt **aResult) ... + *aResult = nsnull; + return NS_ERROR_FAILURE; shouldn't need to null out out params in failure cases
Blocks: 221772
nsIInterfaceRequestor is not an interface to emulate in form, function or spirit. (The requestor is the _caller_, not the object on which you're calling getInterface; likewise here. Nobody wants nsIAuthPromptRequestee, though -- we really care that it provides it, not that we can ask for it.)
(In reply to comment #40) > nsIInterfaceRequestor is not an interface to emulate in form, function or > spirit. (The requestor is the _caller_, not the object on which you're calling > getInterface; likewise here. Nobody wants nsIAuthPromptRequestee, though -- we > really care that it provides it, not that we can ask for it.) So, nsIAuthPromptProvider? Maybe nsIAuthMeHarder? I'm open to suggestions. :)
*** Bug 221772 has been marked as a duplicate of this bug. ***
Comment on attachment 157455 [details] [diff] [review] v2 patch for nsHttpChannel::ProcessAuthentication >- if (proxyAuth) >+ if (proxyAuth) { >+ // only allow a proxy challenge if we have a proxy server configured. >+ // otherwise, we could inadvertantly expose the user's proxy >+ // credentials to an origin server. We could attempt to proceed as >+ // if we had received a 401 from the server, but why risk flirting >+ // with trouble? IE similarly rejects 407s when a proxy server is >+ // not configured, so there's no reason not to do the same. >+ if (!mConnectionInfo->UsingHttpProxy()) { >+ LOG(("rejecting 407 when proxy server not configured!\n")); >+ return NS_ERROR_UNEXPECTED; >+ } > challenges = mResponseHead->PeekHeader(nsHttp::Proxy_Authenticate); >+ } > else > challenges = mResponseHead->PeekHeader(nsHttp::WWW_Authenticate); Brace the else to match the then? (Or is that not this Rome's style?) >- if (proxyAuth && mConnectionInfo->UsingHttpProxy()) { >+ if (proxyAuth) { > host = mConnectionInfo->ProxyHost(); > port = mConnectionInfo->ProxyPort(); > ident = &mProxyIdent; > scheme.AssignLiteral("http"); > } How would you feel about an assertion there? I'll see your belt, and raise you some suspenders!
Attachment #157455 - Flags: superreview+
(In reply to comment #43) > (From update of attachment 157455 [details] [diff] [review]) > > >- if (proxyAuth) > >+ if (proxyAuth) { > >+ // only allow a proxy challenge if we have a proxy server configured. > >+ // otherwise, we could inadvertantly expose the user's proxy > >+ // credentials to an origin server. We could attempt to proceed as > >+ // if we had received a 401 from the server, but why risk flirting > >+ // with trouble? IE similarly rejects 407s when a proxy server is > >+ // not configured, so there's no reason not to do the same. > >+ if (!mConnectionInfo->UsingHttpProxy()) { > >+ LOG(("rejecting 407 when proxy server not configured!\n")); > >+ return NS_ERROR_UNEXPECTED; > >+ } > > challenges = mResponseHead->PeekHeader(nsHttp::Proxy_Authenticate); > >+ } > > else > > challenges = mResponseHead->PeekHeader(nsHttp::WWW_Authenticate); > > Brace the else to match the then? (Or is that not this Rome's style?) No; the Romans are filthy heathens, it looks like. > >- if (proxyAuth && mConnectionInfo->UsingHttpProxy()) { > >+ if (proxyAuth) { > > host = mConnectionInfo->ProxyHost(); > > port = mConnectionInfo->ProxyPort(); > > ident = &mProxyIdent; > > scheme.AssignLiteral("http"); > > } > > How would you feel about an assertion there? I'll see your belt, and raise you > some suspenders! Sounds good to me; I've rolled in darin's patch into the next one I'll post and can make this change (or I can unroll it, if you'd prefer to r them separately, but..)
Comment on attachment 157455 [details] [diff] [review] v2 patch for nsHttpChannel::ProcessAuthentication r=me, but doesn't the return NS_ERROR_UNEXPECTED; possibly trigger the superfluous auth warning, which would not really be the right thing here?
Attachment #157455 - Flags: review+
> r=me, but doesn't the return NS_ERROR_UNEXPECTED; possibly trigger the > superfluous auth warning, which would not really be the right thing here? of course, that only applies if the URL contains a userpass.
vlad: combining the patches sounds good to me (less to manage when it comes time to land this on the branches). shaver's assertion "suspender" sounds reasonable too.
Attached patch mailnews-proxy-auth-1.patch (obsolete) — Splinter Review
Updated patch, with comments incorporated and darin's 407 patch rolled in.
Attachment #157543 - Flags: superreview?(shaver)
Attachment #157543 - Flags: review?(darin)
Comment on attachment 157543 [details] [diff] [review] mailnews-proxy-auth-1.patch >Index: netwerk/base/public/nsIAuthPromptProvider.idl nit: how about a descriptive comment at the top of this file? >+ * throws NS_ERROR_NOT_AVAILABLE if no prompt is allowed or >+ * available for the given reason. nit: use @throws instead? >Index: netwerk/protocol/http/src/nsHttpChannel.cpp >+ PRUint32 promptReason = nsIAuthPromptProvider::PROMPT_NORMAL; >+ if (proxyAuth) >+ promptReason = nsIAuthPromptProvider::PROMPT_PROXY; nit: use |if (a) x=y; else x=z;| instead? r=darin
Attachment #157543 - Flags: review?(darin) → review+
> nit: use |if (a) x=y; else x=z;| instead? Nit on nit: use x = (a) ? y : z; instead, instead? ;-) /be
*** Bug 248617 has been marked as a duplicate of this bug. ***
*** Bug 257636 has been marked as a duplicate of this bug. ***
Easy workaround for those who suffer - is to press reply on that HTML message, Composer window does display proxy auth dialog. After that all gets to normall behavior untill mail client restart. Maybe this info would help you solve this?
Comment on attachment 157543 [details] [diff] [review] mailnews-proxy-auth-1.patch I still want those suspenders, punk. sr=shaver aviary+ on the basis of mscott's excitement above!
Attachment #157543 - Flags: superreview?(shaver)
Attachment #157543 - Flags: superreview+
Attachment #157543 - Flags: approval-aviary+
Attachment #157455 - Attachment is obsolete: true
Attachment #157543 - Attachment is obsolete: true
Comment on attachment 157679 [details] [diff] [review] mailnews-proxy-auth-2.patch (aviary) Carrying flags forward.. r=darin, sr=shaver, a=shaver/mscott
Attachment #157679 - Flags: superreview+
Attachment #157679 - Flags: review+
Attachment #157679 - Flags: approval-aviary+
I meant this patch, really (didn't fix the nits in the last one!)
Attachment #157679 - Attachment is obsolete: true
Comment on attachment 157680 [details] [diff] [review] mailnews-proxy-auth-2.patch (aviary) (Real) patch for aviary; carrying flags forward r=darin,sr=shaver,a=shaver/mscott
Attachment #157680 - Flags: superreview+
Attachment #157680 - Flags: review+
Attachment #157680 - Flags: approval-aviary+
in on trunk and aviary; let me know if it's wanted for 1.7 branch.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
> in on trunk and aviary; let me know if it's wanted for 1.7 branch. gecko changes so yeah.. probably something that should be ported to the 1.7 branch for consistency with the aviary branch. moreover, the necko patch tightens up security a bit, which is probably reason enough to backport this patch.
Attachment #157680 - Flags: approval1.7.x? → approval1.7.x+
Flags: blocking1.8a4?
Blocks: 267367
Product: Browser → Seamonkey
*** Bug 232856 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: