All users were logged out of Bugzilla on October 13th, 2018

MSE is not supported on HTTP version of youtube.com

RESOLVED FIXED in Firefox 36

Status

()

RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: unghost, Assigned: bugs)

Tracking

(Blocks: 1 bug, {clownshoes})

unspecified
mozilla38
clownshoes
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox36+ fixed, firefox37 fixed, firefox38 fixed)

Details

Attachments

(6 attachments)

(Reporter)

Description

4 years ago
STR:
1) Install Firefox 36.0beta
2) Open http://www.youtube.com/html5

Expected result:
MSE is supported

Actual result:
MSE is not supported

Looks like it was deliberate decision to restrict MSE to HTTPS version of youtube.com in Bug 1112761 comment 7, but youtube.com is not https-only site. I've already have 2 questions on support forum "Why maximum resolution of youtube videos is so low?"
(Reporter)

Updated

4 years ago
No longer blocks: 1112761
Depends on: 1112761
MSE doesn't work on Youtube at all in Firefox 35, right?  Is the situation in 36beta worse than the situation in 35 on http://www.youtube.com/html5 ?
Flags: needinfo?(unghost)
(Reporter)

Comment 2

4 years ago
(In reply to Boris Zbarsky [:bz] from comment #1)
> MSE doesn't work on Youtube at all in Firefox 35, right?  Is the situation
> in 36beta worse than the situation in 35 on http://www.youtube.com/html5 ?
Situation in Firefox 36 Beta is worse than the situation in Firefox 35 for non-SSL Youtube Firefox users, cause Google has disabled Flash fallback in Youtube for Firefox 36 and higher.
Flags: needinfo?(unghost)
(Reporter)

Comment 3

4 years ago
Created attachment 8554313 [details]
http://www.youtube.com/html5 in Firefox 35

http://www.youtube.com/html5 in Firefox 35. You can click on big black button to switch to Flash for Youtube.
(Reporter)

Comment 4

4 years ago
Created attachment 8554315 [details]
http://www.youtube.com/html5 in Firefox 36

http://www.youtube.com/html5 in Firefox 36. There is no Flash fallback.
(Reporter)

Updated

4 years ago
Attachment #8554313 - Attachment description: 35.0.png → http://www.youtube.com/html5 in Firefox 35
> cause Google has disabled Flash fallback in Youtube for Firefox 36 and higher

Uh... on Windows only, or on all OSes?

Though also, wait.  How are you loading http://www.youtube.com/html5 at all?  For me that sends an HTTP 301 to <https://www.youtube.com/html5>; does it not do that for you?
Flags: needinfo?(unghost)
(Reporter)

Comment 6

4 years ago
Created attachment 8554391 [details]
Screenshot of load of http://www.youtube.com/html5

(In reply to Out 2014-01-26 from comment #5)
> > cause Google has disabled Flash fallback in Youtube for Firefox 36 and higher
> 
> Uh... on Windows only, or on all OSes?
It's disabled on Linux too. I don't have Mac.

 
> Though also, wait.  How are you loading http://www.youtube.com/html5 at all?
> For me that sends an HTTP 301 to <https://www.youtube.com/html5>; does it
> not do that for you?

It sends HTTP 200 for me. See screenshot. "host www.youtube.com" in Linux shows:

www.youtube.com is an alias for youtube-ui.l.google.com.
youtube-ui.l.google.com is an alias for www-wide.l.google.com.
www-wide.l.google.com has address 74.125.205.199
www-wide.l.google.com has IPv6 address 2a00:1450:4010:c08::c7
Flags: needinfo?(unghost)
> It's disabled on Linux too.

Well, we definitely didn't enable MSE on Linux in 36.  Sounds like someone miscommunicated something to Google....
Flags: needinfo?(ajones)
Sheila, Chris, et al, we need to dig in here and understand what's going on here and likely reach out to youtube.com and make sure we don't leave firefox users in a spot where they can't play youtube videos at all.
Major issue, tracking.
status-firefox36: --- → affected
status-firefox37: --- → affected
status-firefox38: --- → affected
tracking-firefox36: --- → +

Comment 10

4 years ago
Jet has been taking the lead working with Youtube, NI him to talk to them.
Flags: needinfo?(bugs)
(Assignee)

Comment 11

4 years ago
Created attachment 8557172 [details] [diff] [review]
http.patch

Remove https://* restriction from the youtube domain check.
Attachment #8557172 - Flags: review?(kinetik)

Comment 12

4 years ago
Alexander, please see if I am confirming this bug properly, as I'm using a Russian proxy who's site is mostly in Russian (which I am only reading via google translate):
Visiting these sites through the Russian Proxy (I used: http://anonymizer.ru/ until it asked me to pay for it and then http://ipv4server.com/)
* http://www.youtube.com/html5 - I see MSE being "not supported"
* https://www.youtube.com/html5 - I see MSE being "not supported"
* http://www.youtube.com/watch?v=42piJ1ZXUVo - I can verify that I'm getting served a flash video (Dash=no in "stats for nerds")
* https://www.youtube.com/watch?v=42piJ1ZXUVo - I am still getting a flash video (Dash=no)

If I browse to this without the proxy (coming from the USA) I get MSE/HTML5 video.

This looks more to me like Youtube.com is putting in a region filter rather than a protocol filter. Verified that we were still sending the Firefox UA string, so I don't believe the proxy was messing with us, but Alexander, if you're willing to double check my findings from where you are in the world, I would really appreciate it.  Thank you.
Flags: needinfo?(unghost)
Jet, are we confident enough in the security aspects of our MSE impl to expose it to attackers?  That was the part that was unclear to me in bug 1112761.  Any coffeeshop wireless can pretend to be http://youtube.com.

Also, note the discussion above about non-Windows platforms...
(Assignee)

Comment 14

4 years ago
(In reply to Boris Zbarsky [:bz] from comment #13)
> Jet, are we confident enough in the security aspects of our MSE impl to
> expose it to attackers?  That was the part that was unclear to me in bug
> 1112761.  Any coffeeshop wireless can pretend to be http://youtube.com.

This is a valid concern. We need to understand exactly when youtube falls back to http and why. The answer to that should guide the path forward for my patch.

> Also, note the discussion above about non-Windows platforms...

Yes, the request for YouTube is to re-enable Flash fallback if MSE is not available, and Flash is, in Firefox 36.
Attachment #8557172 - Flags: review?(kinetik) → review+
(Reporter)

Comment 15

4 years ago
(In reply to Clint Talbert ( :ctalbert ) from comment #12)
> Alexander, please see if I am confirming this bug properly, as I'm using a
> Russian proxy who's site is mostly in Russian (which I am only reading via
> google translate):
> Visiting these sites through the Russian Proxy (I used:
> http://anonymizer.ru/ until it asked me to pay for it and then
> http://ipv4server.com/)
> * http://www.youtube.com/html5 - I see MSE being "not supported"
> * https://www.youtube.com/html5 - I see MSE being "not supported"
> * http://www.youtube.com/watch?v=42piJ1ZXUVo - I can verify that I'm getting
> served a flash video (Dash=no in "stats for nerds")
> * https://www.youtube.com/watch?v=42piJ1ZXUVo - I am still getting a flash
> video (Dash=no)
> 
> If I browse to this without the proxy (coming from the USA) I get MSE/HTML5
> video.
> 
> This looks more to me like Youtube.com is putting in a region filter rather
> than a protocol filter. Verified that we were still sending the Firefox UA
> string, so I don't believe the proxy was messing with us, but Alexander, if
> you're willing to double check my findings from where you are in the world,
> I would really appreciate it.  Thank you.

I see MSE being "not supported" on http://www.youtube.com/html5 and MSE being "supported" on https://www.youtube.com/html5. I'm going to attach 2 screenshots of Firefox 36.0b5 (en-US locale) on Windows 8.1. My internet provider is based in Moscow, Russia.
Flags: needinfo?(unghost)
(Reporter)

Comment 16

4 years ago
Created attachment 8557329 [details]
http://www.youtube.com/html5 (MSE is not supported)

http://www.youtube.com/html5 (MSE is not supported)
(Reporter)

Comment 17

4 years ago
Created attachment 8557330 [details]
https://www.youtube.com/html5 (MSE is supported)

https://www.youtube.com/html5 (MSE is supported)

Comment 18

4 years ago
(In reply to Boris Zbarsky [:bz] from comment #5)
> For me that sends an HTTP 301 to <https://www.youtube.com/html5>; does it
> not do that for you?

http://www.youtube.com/html5 does NOT redirect to https://www.youtube.com/html5 here
- Beta firefox-36.0b5.en-US.linux64
- Nightly 2015-01-27-03-02-30-mozilla-central-firefox-38.0a1.ru.linux-x86_64
unless I use HTTPS Everywhere
Comment hidden (typo)
Jet is on PTO so I landed his HTTP patch on mozilla-inbound:

https://hg.mozilla.org/integration/mozilla-inbound/rev/e93e124f3e91
Blocks: 1112761
status-firefox38: affected → fixed
No longer depends on: 1112761
Comment on attachment 8557172 [details] [diff] [review]
http.patch

Approval Request Comment
[Feature/regressing bug #]: bug 1112761
[User impact if declined]: Pre-release channel users in some parts of the world using non-HTTPS YouTube will have a bad YouTube experience because they can't use MSE or Flash video.
[Describe test coverage new/current, TreeHerder]:
[Risks and why]: YouTube disabled Flash video for Beta 36+ but bug 1112761 restricted MSE video to HTTPS. When YouTube reenables their Flash fallback for non-MSE browsers, we can revisit whether MSE should be HTTPS only.
[String/UUID change made/needed]: None
Attachment #8557172 - Flags: approval-mozilla-beta?
Attachment #8557172 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/e93e124f3e91
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Attachment #8557172 - Flags: approval-mozilla-beta?
Attachment #8557172 - Flags: approval-mozilla-beta+
Attachment #8557172 - Flags: approval-mozilla-aurora?
Attachment #8557172 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/5a89d54ef5e9
https://hg.mozilla.org/releases/mozilla-beta/rev/db97d9b88b1a
status-firefox36: affected → fixed
status-firefox37: affected → fixed
Keywords: clownshoes
Flags: needinfo?(ajones)
(Assignee)

Updated

4 years ago
Flags: needinfo?(bugs)
You need to log in before you can comment on or make changes to this bug.