1125621 - MSE is not supported on HTTP version of youtube.com

Status: RESOLVED FIXED

(Core :: Audio/Video, defect)

Description

[Alexander L. Slovesnik]

STR:
1) Install Firefox 36.0beta
2) Open http://www.youtube.com/html5

Expected result:
MSE is supported

Actual result:
MSE is not supported

Looks like it was deliberate decision to restrict MSE to HTTPS version of youtube.com in Bug 1112761 comment 7, but youtube.com is not https-only site. I've already have 2 questions on support forum "Why maximum resolution of youtube videos is so low?"

Comment 1

[Boris Zbarsky [:bzbarsky]]

MSE doesn't work on Youtube at all in Firefox 35, right?  Is the situation in 36beta worse than the situation in 35 on http://www.youtube.com/html5 ?

Comment 2

[Alexander L. Slovesnik]

(In reply to Boris Zbarsky [:bz] from comment #1)
> MSE doesn't work on Youtube at all in Firefox 35, right?  Is the situation
> in 36beta worse than the situation in 35 on http://www.youtube.com/html5 ?
Situation in Firefox 36 Beta is worse than the situation in Firefox 35 for non-SSL Youtube Firefox users, cause Google has disabled Flash fallback in Youtube for Firefox 36 and higher.

Comment 3

[Alexander L. Slovesnik]

Attachment: http://www.youtube.com/html5 in Firefox 35

http://www.youtube.com/html5 in Firefox 35. You can click on big black button to switch to Flash for Youtube.

Comment 4

[Alexander L. Slovesnik]

Attachment: http://www.youtube.com/html5 in Firefox 36

http://www.youtube.com/html5 in Firefox 36. There is no Flash fallback.

Comment 5

[Boris Zbarsky [:bzbarsky]]

> cause Google has disabled Flash fallback in Youtube for Firefox 36 and higher

Uh... on Windows only, or on all OSes?

Though also, wait.  How are you loading http://www.youtube.com/html5 at all?  For me that sends an HTTP 301 to <https://www.youtube.com/html5>; does it not do that for you?

Comment 6

[Alexander L. Slovesnik]

Attachment: Screenshot of load of http://www.youtube.com/html5

(In reply to Out 2014-01-26 from comment #5)
> > cause Google has disabled Flash fallback in Youtube for Firefox 36 and higher
> 
> Uh... on Windows only, or on all OSes?
It's disabled on Linux too. I don't have Mac.

 
> Though also, wait.  How are you loading http://www.youtube.com/html5 at all?
> For me that sends an HTTP 301 to <https://www.youtube.com/html5>; does it
> not do that for you?

It sends HTTP 200 for me. See screenshot. "host www.youtube.com" in Linux shows:

www.youtube.com is an alias for youtube-ui.l.google.com.
youtube-ui.l.google.com is an alias for www-wide.l.google.com.
www-wide.l.google.com has address 74.125.205.199
www-wide.l.google.com has IPv6 address 2a00:1450:4010:c08::c7

Comment 7

[Boris Zbarsky [:bzbarsky]]

> It's disabled on Linux too.

Well, we definitely didn't enable MSE on Linux in 36.  Sounds like someone miscommunicated something to Google....

Comment 8

[Johnny Stenback (:jst)]

Sheila, Chris, et al, we need to dig in here and understand what's going on here and likely reach out to youtube.com and make sure we don't leave firefox users in a spot where they can't play youtube videos at all.

Comment 9

[Sylvestre Ledru [:Sylvestre]]

Major issue, tracking.

Comment 10

[cmtalbert]

Jet has been taking the lead working with Youtube, NI him to talk to them.

Comment 11

[Jet Villegas (inactive)]

Attachment: http.patch

Remove https://* restriction from the youtube domain check.

Comment 12

[cmtalbert]

Alexander, please see if I am confirming this bug properly, as I'm using a Russian proxy who's site is mostly in Russian (which I am only reading via google translate):
Visiting these sites through the Russian Proxy (I used: http://anonymizer.ru/ until it asked me to pay for it and then http://ipv4server.com/)
* http://www.youtube.com/html5 - I see MSE being "not supported"
* https://www.youtube.com/html5 - I see MSE being "not supported"
* http://www.youtube.com/watch?v=42piJ1ZXUVo - I can verify that I'm getting served a flash video (Dash=no in "stats for nerds")
* https://www.youtube.com/watch?v=42piJ1ZXUVo - I am still getting a flash video (Dash=no)

If I browse to this without the proxy (coming from the USA) I get MSE/HTML5 video.

This looks more to me like Youtube.com is putting in a region filter rather than a protocol filter. Verified that we were still sending the Firefox UA string, so I don't believe the proxy was messing with us, but Alexander, if you're willing to double check my findings from where you are in the world, I would really appreciate it.  Thank you.

Comment 13

[Boris Zbarsky [:bzbarsky]]

Jet, are we confident enough in the security aspects of our MSE impl to expose it to attackers?  That was the part that was unclear to me in bug 1112761.  Any coffeeshop wireless can pretend to be http://youtube.com.

Also, note the discussion above about non-Windows platforms...

Comment 14

[Jet Villegas (inactive)]

(In reply to Boris Zbarsky [:bz] from comment #13)
> Jet, are we confident enough in the security aspects of our MSE impl to
> expose it to attackers?  That was the part that was unclear to me in bug
> 1112761.  Any coffeeshop wireless can pretend to be http://youtube.com.

This is a valid concern. We need to understand exactly when youtube falls back to http and why. The answer to that should guide the path forward for my patch.

> Also, note the discussion above about non-Windows platforms...

Yes, the request for YouTube is to re-enable Flash fallback if MSE is not available, and Flash is, in Firefox 36.

Comment 15

[Alexander L. Slovesnik]

(In reply to Clint Talbert ( :ctalbert ) from comment #12)
> Alexander, please see if I am confirming this bug properly, as I'm using a
> Russian proxy who's site is mostly in Russian (which I am only reading via
> google translate):
> Visiting these sites through the Russian Proxy (I used:
> http://anonymizer.ru/ until it asked me to pay for it and then
> http://ipv4server.com/)
> * http://www.youtube.com/html5 - I see MSE being "not supported"
> * https://www.youtube.com/html5 - I see MSE being "not supported"
> * http://www.youtube.com/watch?v=42piJ1ZXUVo - I can verify that I'm getting
> served a flash video (Dash=no in "stats for nerds")
> * https://www.youtube.com/watch?v=42piJ1ZXUVo - I am still getting a flash
> video (Dash=no)
> 
> If I browse to this without the proxy (coming from the USA) I get MSE/HTML5
> video.
> 
> This looks more to me like Youtube.com is putting in a region filter rather
> than a protocol filter. Verified that we were still sending the Firefox UA
> string, so I don't believe the proxy was messing with us, but Alexander, if
> you're willing to double check my findings from where you are in the world,
> I would really appreciate it.  Thank you.

I see MSE being "not supported" on http://www.youtube.com/html5 and MSE being "supported" on https://www.youtube.com/html5. I'm going to attach 2 screenshots of Firefox 36.0b5 (en-US locale) on Windows 8.1. My internet provider is based in Moscow, Russia.

Comment 16

[Alexander L. Slovesnik]

Attachment: http://www.youtube.com/html5 (MSE is not supported)

http://www.youtube.com/html5 (MSE is not supported)

Comment 17

[Alexander L. Slovesnik]

Attachment: https://www.youtube.com/html5 (MSE is supported)

https://www.youtube.com/html5 (MSE is supported)

Comment 18

[[:Aleksej]]

(In reply to Boris Zbarsky [:bz] from comment #5)
> For me that sends an HTTP 301 to <https://www.youtube.com/html5>; does it
> not do that for you?

http://www.youtube.com/html5 does NOT redirect to https://www.youtube.com/html5 here
- Beta firefox-36.0b5.en-US.linux64
- Nightly 2015-01-27-03-02-30-mozilla-central-firefox-38.0a1.ru.linux-x86_64
unless I use HTTPS Everywhere

Comment 19

[Chris Peterson [:cpeterson]]

(In reply to Jet Villegas (:jet) from comment #14)
> (In reply to Boris Zbarsky [:bz] from comment #13)
> > Jet, are we confident enough in the security aspects of our MSE impl to
> > expose it to attackers?  That was the part that was unclear to me in bug
> > 1112761.  Any coffeeshop wireless can pretend to be http://youtube.com.
> 
> This is a valid concern. We need to understand exactly when youtube falls
> back to http and why. The answer to that should guide the path forward for
> my patch.

Jet's patch was r+'d but he is now on PTO. It doesn't look like we have an answer to the 

> 
> > Also, note the discussion above about non-Windows platforms...
> 
> Yes, the request for YouTube is to re-enable Flash fallback if MSE is not
> available, and Flash is, in Firefox 36.

Comment 20

[Chris Peterson [:cpeterson]]

Jet is on PTO so I landed his HTTP patch on mozilla-inbound:

https://hg.mozilla.org/integration/mozilla-inbound/rev/e93e124f3e91

Comment 21

[Chris Peterson [:cpeterson]]

Comment on attachment 8557172 [details] [diff] [review]
http.patch

Approval Request Comment
[Feature/regressing bug #]: bug 1112761
[User impact if declined]: Pre-release channel users in some parts of the world using non-HTTPS YouTube will have a bad YouTube experience because they can't use MSE or Flash video.
[Describe test coverage new/current, TreeHerder]:
[Risks and why]: YouTube disabled Flash video for Beta 36+ but bug 1112761 restricted MSE video to HTTPS. When YouTube reenables their Flash fallback for non-MSE browsers, we can revisit whether MSE should be HTTPS only.
[String/UUID change made/needed]: None

Comment 22

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/e93e124f3e91

Comment 23

[Ralph Giles (:rillian)]

https://hg.mozilla.org/releases/mozilla-aurora/rev/5a89d54ef5e9
https://hg.mozilla.org/releases/mozilla-beta/rev/db97d9b88b1a