Closed
Bug 845789
Opened 11 years ago
Closed 11 years ago
Mirror.co.uk Corrupted Content
Categories
(Tech Evangelism Graveyard :: English Other, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: tech4pwd, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20130226 Firefox/22.0
Build ID: 20130226031002

Steps to reproduce:

The page works fine in other browsers which then only drives users to other browsers.
Reporter
Updated•11 years ago
Component: Untriaged → HTML: Parser
OS: Windows 7 → All
Product: Firefox → Core
Hardware: x86 → All
Comment 1•11 years ago
So loading http://www.mirror.co.uk/ shows a corrupted content error. It comes from the networking stack—not from the parser.
Status: UNCONFIRMED → NEW
Component: HTML: Parser → Networking: HTTP
Ever confirmed: true
Comment 2•11 years ago
I believe multiple ACAO headers (see below) had a security implication. jduell was the expert..

HTTP/1.1 200 OK
Access-Control-Allow-Origin: www.birminghammail.co.uk,www.dailypost.co.uk,tm gcms3,reg-cms1.birminghammail.co.uk:8080
Access-Control-Allow-Origin: http://rl.mirror.co.uk
Access-Control-Allow-Origin: rl.mirror.co.uk
Access-Control-Allow-Origin: http://s.mirror.co.uk
Content-Type: text/html;charset=UTF-8
Server: Apache-Coyote/1.1
X-Cache-Hits: 6
X-Cacheable: YES
X-RemovedCookies: YES
X-Served-By: nat-cache1.tm-aws.com
X-Varnish: 763588376 763582740
Content-Encoding: gzip
Content-Length: 29257
Cache-Control: max-age=473
Expires: Wed, 27 Feb 2013 14:40:44 GMT
Date: Wed, 27 Feb 2013 14:32:51 GMT
Connection: keep-alive
Vary: Accept-Encoding
Vary: User-Agent
Comment 3•11 years ago
Yes, differing Access-Control-Allow-Origin headers is a spec violation and we block the violations as of bug 814117. You can put as many (comma-separated) hosts in the header as you like (as they've done in one of the headers in comment 2), but allowing more than one of these headers in a request creates a vulnerability for header injection attacks. So like bug 845273 and bug 840656, this should be fixed by the site. I'll contact them.
Assignee: nobody → english-other
Component: Networking: HTTP → English Other
Product: Core → Tech Evangelism
Comment 4•11 years ago
Contacted a potpourri of the emails listed on their site's masthead, as there's no clear tech support email listed.
Comment 5•11 years ago
(In reply to Jason Duell (:jduell) from comment #3)
> You can put as many
> (comma-separated) hosts in the header as you like (as they've done in one of
> the headers in comment 2)

The note under http://www.w3.org/TR/cors/#access-control-allow-origin-response-header disagrees.
Comment 6•11 years ago
Indeed. Note that per HTTP

ACAO: X
ACAO: Y

is identical to

ACAO: X, Y
Comment 7•11 years ago
(In reply to Anne van Kesteren from comment #6)
> Indeed. Note that per HTTP
>
> ACAO: X
> ACAO: Y
>
> is identical to
>
> ACAO: X, Y

but that's not a universal reality and has been acknowledged for a long time. Cookies for example cannot be coalesced and broken apart and still maintain operability. Sad, but true.

The concern here (and with a couple other similar headers) is around header injection - http://en.wikipedia.org/wiki/HTTP_header_injection .. that's why we apply stricter semantics than the transport protocol itself allows for.
Comment 8•11 years ago
The CORS specification as defined assumes these semantics at least for that header (and some others) and its processing algorithms depend on it. CORS has required that multiple values be rejected since the start.

I would appreciate knowing the model of HTTP that CORS should be written against. Do we effectively store headers as an ordered list of name-value pairs which can contain duplicate names? If that's the case I'll make sure the specification covers HTTP-related requirements in those terms instead.
Reporter
Comment 9•11 years ago
Have we had any feedback from the Mirror? It is a national paper with a large online presence.
Comment 10•11 years ago
No, and I sent two separate emails to every address on their online contacts page. Anyone live in the UK and willing to give them a call?
Comment 11•11 years ago
Oooh wait. This is wrong. Access-Control-Allow-Origin header requirements should only be enforced during CORS requests. Just navigating to mirror.co.uk should work fine.
Assignee: english-other → nobody
Component: English Other → Networking
Product: Tech Evangelism → Core
Comment 12•11 years ago
Anne: thanks for the clarification. I've filed bug 847533 for being less restrictive in the check here. Meanwhile I want to keep this open as an evangelism bug--I suspect sites are going to want to fix this server-side for now, as we're very unlikely to provide a Firefox fix for this in less than 6 weeks, and they probably want their sites to work in the meantime.
Assignee: nobody → english-other
Component: Networking → English Other
Product: Core → Tech Evangelism
Comment 13•11 years ago
Hi all.

Thank you very much for the heads up for this problem. The Access-Control-Allow-Origin header should now appear on a single line:

# curl --HEAD http://www.mirror.co.uk/
HTTP/1.1 200 OK
Date: Tue, 05 Mar 2013 10:59:10 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Set-Cookie: JSESSIONID=7E80910559E48AFA06F08613BFCA7268; Path=/
Cache-Control: max-age=600
Expires: Tue, 05 Mar 2013 11:09:11 GMT
Access-Control-Allow-Origin: http://www.birminghammail.co.uk,http://www.dailypost.co.uk,http://s.mirror.co.uk,http://rl.mirror.co.uk
Comment 14•11 years ago
James, that is still bogus. Access-Control-Allow-Origin can only contain a single origin, anything else will fail CORS checks.
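The header shapes discussed in comments 2 through 14 can be told apart mechanically when auditing a response to a CORS request. The following is an added example, not code from this thread, Firefox or the site; `audit_acao`, its helpers and the result labels are hypothetical names, and the sample blocks are abridged from comments 2 and 13.

```python
from urllib.parse import urlsplit

# Header blocks abridged from comment 2 and comment 13 of this bug.
COMMENT_2 = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: www.birminghammail.co.uk,www.dailypost.co.uk,tm gcms3,reg-cms1.birminghammail.co.uk:8080
Access-Control-Allow-Origin: http://rl.mirror.co.uk
Access-Control-Allow-Origin: rl.mirror.co.uk
Access-Control-Allow-Origin: http://s.mirror.co.uk
Content-Type: text/html;charset=UTF-8"""
COMMENT_13 = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Access-Control-Allow-Origin: http://www.birminghammail.co.uk,http://www.dailypost.co.uk,http://s.mirror.co.uk,http://rl.mirror.co.uk"""

def acao_values(raw_headers: str) -> list[str]:
    """Return every Access-Control-Allow-Origin value, one per header line."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "access-control-allow-origin":
            values.append(value.strip())
    return values

def is_serialized_origin(value: str) -> bool:
    """True for scheme://host[:port] with nothing after it (http/https only,
    a simplification made for this example)."""
    try:
        parts = urlsplit(value)
        return (parts.scheme in ("http", "https") and bool(parts.hostname)
                and parts.username is None
                and not (parts.path or parts.query or parts.fragment))
    except ValueError:
        return False

def audit_acao(raw_headers: str) -> str:
    """Classify the ACAO header(s) of one response."""
    values = acao_values(raw_headers)
    if not values:
        return "absent"
    if len(values) > 1:
        return "multiple-headers"   # the case from comment 2
    value = values[0]
    if value in ("*", "null"):
        return "ok"
    if "," in value or " " in value:
        return "origin-list"        # the case from comment 13; fails CORS checks
    return "ok" if is_serialized_origin(value) else "not-an-origin"

if __name__ == "__main__":
    print(audit_acao(COMMENT_2), audit_acao(COMMENT_13))
```
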
Comment 15•11 years ago
Hi Anne, Thanks for the reply. Unfortunately I just read http://www.w3.org/TR/cors/#list-of-origins and not the note elsewhere saying that in practice it is 1, null or *. In that case I guess it is just going to have to be *. Which makes me sad.
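A common server-side pattern for serving several origins while still sending a single-origin header is to compare each request's Origin with an allowlist and return only the matching value, with `Vary: Origin` so that a cache in front of the server keeps the variants apart. This is an added example, not part of the thread or the site's code; `cors_headers` and `add_vary` are hypothetical helpers, and the allowlist is copied from the header in comment 13.

```python
# Allowlist taken from the header value shown in comment 13.
ALLOWED_ORIGINS = frozenset({
    "http://www.birminghammail.co.uk",
    "http://www.dailypost.co.uk",
    "http://s.mirror.co.uk",
    "http://rl.mirror.co.uk",
})

def add_vary(existing: str, token: str) -> str:
    """Append token to a Vary value unless it is already covered."""
    tokens = [t.strip() for t in existing.split(",") if t.strip()]
    if "*" in tokens or token.lower() in (t.lower() for t in tokens):
        return ", ".join(tokens)
    return ", ".join(tokens + [token])

def cors_headers(request_origin, existing_vary: str = "") -> dict:
    """Headers to set on one response (hypothetical helper).

    The Origin request header is compared by exact string match against the
    allowlist: no substring, suffix or regex matching, and it is never
    echoed back unchecked. Vary: Origin is set on every response, including
    those without an ACAO header, because the response now depends on Origin.
    """
    headers = {"Vary": add_vary(existing_vary, "Origin")}
    if request_origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = request_origin
    return headers

if __name__ == "__main__":
    # Constructed requests: one allowed origin, one look-alike, one without Origin.
    for origin in ("http://s.mirror.co.uk", "http://s.mirror.co.uk.example", None):
        print(origin, cors_headers(origin, "Accept-Encoding, User-Agent"))
```
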
Comment 16•11 years ago
Site is working again. Thanks again for working with us on this--sorry we made life more difficult than it needed to be here.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Updated•9 years ago
Product: Tech Evangelism → Tech Evangelism Graveyard