Closed Bug 546385 Opened 15 years ago Closed 15 years ago

incorrect handling of https redirects

Categories

(Firefox :: General, defect)

x86
All
defect
Not set
normal

RESOLVED DUPLICATE of bug 492558

People

(Reporter: herrmann, Unassigned)

Details

User-Agent:       Opera/9.80 (X11; Linux i686; U; de) Presto/2.2.15 Version/10.10
Build Identifier: 

If a proxy server denies access to a certain https site and delivers an error page instead, Firefox doesn't show the error page. Instead, Firefox notifies the user that the proxy rejects the connection.

While the proxy's error page may tell the user exactly why the connection was rejected and how to change this behaviour, the dumb Firefox message leaves the user as helpless as the helpdesk.

This behaviour is grotesque, since if the proxy redirects to a URL, Firefox doesn't warn the user about this redirection but opens the redirected URL.

Reproducible: Always

Steps to Reproduce:
1. Block a certain https URL on a proxy server and send an error message instead
2. Configure Firefox to use this proxy server as SSL proxy
3. Try to open a site on the blocked URL

Actual Results:
Firefox shows its own completely useless error message

Expected Results:
Firefox may show a warning, but at least should show the proxy's error page too

As far as I remember, the behavior depends on the *length* of the error page. If it's too short, you see the built-in error message (a 404 or whatever it is). Note that this message will be in the language of the user that is browsing, not the one from the server (normally English). If it's larger than a certain threshold, then you see the text that is sent by the server, under the assumption that it is customized by the webserver (can contain site-specific info, links ...).

In case of a redirect, that's something else. If it's a 301, 303 or 307 redirect, then there's no message at all; the browser must load it without showing anything to the user. Some servers show a 404 or similar, but hide a redirect in the HTML code inside. Depending on the behavior described above, that redirect might be taken or not. And then you also have proxies or webservers that return a completely normal (200) page, potentially with an HTML redirect inside, without any indication that it's really an error.

What error message (error number, message, ...) was sent in your case?

> As far as I remember, the behavior depends on the *length* of the error-page.
> If it's too short, you see the built-in error message (a 404 or whatever it
> is).

The server sends an HTTP/1.0 403 Forbidden with a detailed description. Even if I blow the error message up to 100 kB, Firefox shows the built-in message.

> In case of a redirect, that's something else. If it's a 301, 303 or 307
> redirect, then there's no message at all, the browser must load it without
> showing anything to the user.
 [...]
> What error message (error number, message, ...) was sent in your case?

When the server doesn't send an error message but a redirection, it sends a 302 Found. In this case Firefox works completely as expected and opens the website provided by the 'Location' header.

> The server sends an HTTP/1.0 403 Forbidden with a detailed description. Even if
> I blow the error message up to 100 kB, Firefox shows the built-in message.

As mentioned in my initial bug report, this behaviour occurs only if the proxy server blocks access to an SSL-encrypted website. If an unencrypted site is blocked and the proxy sends out the very same error message, Firefox will show it as expected.

So I guess this behaviour is not caused by the way Firefox handles error messages in general. It seems to be some strange built-in security measure.

Do you mean bug 492558?

(In reply to comment #4)
> Do you mean bug 492558?

Indeed, you are right. I only wonder why these bug reports don't show up if I search the bug database for the term 'proxy'.

marking as dupe
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE