Closed Bug 1093466 Opened 10 years ago Closed 8 years ago

AVAST has started interfering with Youtube videos, causing Cross-Origin Request Blocked errors on console

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Platform:
x86_64
Windows 8.1
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: dgjunk, Unassigned)

Details

(Keywords: regression)

Attachments

(1 file)

console spam
20.50 KB, text/plain
Details
Attached file console spam 
I'm having a weird Youtube bug. If I'm not logged in, Youtube works most of the time (but not always, usually new Youtube tabs opened from links don't work).

But if I log in to my Google account, videos stop working (long time trying to load and finally "An error occured, please try again later") and console gets spammed of "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at [verylongurlhere]. This can be fixed by moving the resource to the same domain or enabling CORS. videoplayback".

Odd thing is that this problem then persist after logging out, unless I purge all my google/youtube cookies and cache.

This seems to have appeared between changes https://hg.mozilla.org/mozilla-central/rev/a264cdd47217 - rev 213327 and https://hg.mozilla.org/mozilla-central/rev/12ac66e2c016 -rev 213418
Happens on 32 and 64 bit build on my Win 8.1 machine, but not on Linux builds/machines.

Tried disabling ipv6, no luck there. Tried new profile, no luck as soon as I logged in to Youtube.
And just after posting this it came to mind test with firewall/antivirus disabled. Seems to be a Avast caused problem. I wonder what it does to the video stream to cause this.
See also: bug 1092207, bug 1087674

Pushlog given comment #0: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a264cdd47217&tochange=12ac66e2c016


If you redownload/rebuild the previously working cset, does that continue working without disabling avast?
Flags: needinfo?(dgjunk)
Keywords: regression
Summary: Youtube videos broken with Cross-Origin Request Blocked errors on console. → AVAST has started interfering with Youtube videos, causing Cross-Origin Request Blocked errors on console
... and/or, can you figure out what specific part of AVAST is breaking things here? Is the URL that gets CORS errors http:// or https:// ?
That smells issues with the HTTPS scanning of Avast 2015...
Many people have reported issues since the new version of Avast has been releases, like HTTPS websites partially rendered because CSS and images were missing because filtered by the HTTPS scanning of Avast. When you're logged in YT, some elements are sent via HTTPS (related to your account), that's why it doesn't work.
Yes, seems to be another victim of HTTPS scanning. With only it disabled on Web Shield settings, Youtube videos work again.

Although with even it disabled I got at least one Cross-Origin Request Blocked error on the console, but the video loaded apparently from another server/link. But that required me to browse through ~10 different videos to get that one error.
Flags: needinfo?(dgjunk)
Is there some more restrictive security stuff in the changes http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a264cdd47217&tochange=12ac66e2c016 that would cause the https scanning to break? Because it works with the https://hg.mozilla.org/mozilla-central/rev/a264cdd47217 build but not on https://hg.mozilla.org/mozilla-central/rev/12ac66e2c016
FWIW today I was virtually locked out of google, youtube, bugzilla (yes here!), github and a bunch of other sites today, until I figured out to disable avast's HTTPS scanning. Apparently, it was "replacing" the security certificates of all of these sites with its own certificates, which firefox doesn't recognize:

> Issued By
> Common Name (CN): avast! Web/Mail Shield Root
> Organization (O): avast! Web/Mail Shield
> Organizational Unit (OU): generated by avast! antivirus for SSL/TLS scanning

From their forums [1]:
> Now, we are able to detect and decrypt TLS/SSL protected traffic in our Web-content filtering
> component. We are using our own generated certificates that are added into the Root Certificate
> store in Windows and also into major browsers. This feature will protect you against viruses coming
> through HTTPs traffic as well as adding compatibility for SPDY+HTTPS/ HTTP 2.0 traffic. You can
> tune/disable this feature in the settings section.

[1]https://forum.avast.com/index.php?topic=156508.0
Hi reporter,

Can you please try to reproduce this on the latest release(43.0.3) and latest Nightly (https://nightly.mozilla.org/) and provide the results? When doing this, please try to reproduce with a new clean Firefox profile, maybe even in safe mode, as some of this issues may be caused by third party installed add-ons or custom settings(https://support.mozilla.org/en-US/kb/troubleshoot-and-diagnose-firefox-problems).

Thanks,
Cipri
Flags: needinfo?(dgjunk)
Since the reporter didn't provide the requested information, I will mark this issue as RESOLVED INCOMPLETE. If you still encounter this problem, please feel free to reopen this bug, or file a new one.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(dgjunk)
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: