Unable to load images from other NTLM authenticated servers

RESOLVED WORKSFORME

Core
Networking
3 years ago
2 years ago

People

(Reporter: Andrew Bartlett, Unassigned)

Tracking

(Blocks: 1 bug)

Trunk
Attachments

(2 attachments)

(Reporter)

Description

3 years ago
Created attachment 8599110 [details]
index.html

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0 Iceweasel/37.0.2
Build ID: 20150420231403

Steps to reproduce:

With apache config:
<Directory "/var/www/html/auth">
  AuthName "NTLM Authentication thingy"
  NTLMAuth on
  NTLMAuthHelper "/data/samba/samba4/prefix/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --password=password -d100"
  NTLMBasicAuthoritative on
  AuthType NTLM
  require valid-user
</Directory>

Hosts:
127.0.1.1	ruth ntlm1 ntlm2 ntlm3 ntlm4

And the attached file (supply own logo to use as test image)

Access http://localhost/auth

Enter username (any), password (password)


Actual results:

The images on hosts ntlm{1,2,3,4} do not load.

The network trace (also attached) shows no attempt at NTLM authentication, after the web server prompts for it with a 401.


Expected results:

As per Iceweasel 37.0.2, load all the images after prompting for credentials.
(Reporter)

Comment 1

3 years ago
Created attachment 8599111 [details]
ntlm-no-image-load.pcapng
(Reporter)

Updated

3 years ago
Blocks: 734229

Updated

3 years ago
Component: Untriaged → Networking
Product: Firefox → Core
(Reporter)

Comment 2

3 years ago
Bisection with mozregression shows
13:55.39 LOG: MainThread Bisector INFO Last good revision: 98ea146e6f51
13:55.39 LOG: MainThread Bisector INFO First bad revision: e7c656feac7f
13:55.39 LOG: MainThread Bisector INFO Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=98ea146e6f51&tochange=e7c656feac7f

This appears to be a deliberate change in bug 647010.  

https://hg.mozilla.org/integration/mozilla-inbound/rev/2e642b4f35c4
(Reporter)

Updated

3 years ago
Depends on: 647010
(Reporter)

Updated

3 years ago
Blocks: 647010
No longer depends on: 647010
(Reporter)

Updated

3 years ago
No longer blocks: 734229

Comment 3

3 years ago
CC'ing dd.mozilla for more info.
Flags: needinfo?(dd.mozilla)
Bug 647010 disabled the authentication prompt for cross-origin subresources. Actually there is a pref for this, so it can be allowed.

Here the subresources are cross-origin because the first request is to localhost and the sub-requests are to ntlm (1,2,3), so they are not the same, but they are actually the same host, the same IP address. It could be possible to take the IP address into account, but I am not sure how common such a case is on the internet.
I think it is fine to leave it like this.
Flags: needinfo?(dd.mozilla)
(Reporter)

Comment 5

3 years ago
Thanks, I do agree with this analysis.  I suspect that this will hit intranet use - because in the IE and NTLM-authentication dominated intranet, application developers and their target IE on Windows users do not notice that their resources are being served from more than one server or name. 

I wasn't hoping for the IP address to count, that was just how I was trying to confirm that multiple concurrent NTLM authentication requests were not broken.  I set that preference (network.auth.allow-subresource-auth = 2) to permit that testing.
I will close this bug. Maybe we will have a problem when this feature reaches release, but then changing the pref will fix it.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WORKSFORME
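
The origin comparison discussed in the comments above, as an added example that is not part of the bug report or Firefox's own code: it flags which subresource URLs are cross-origin to the page and so would get no credentials prompt after a 401. The image paths and the `allowCrossOrigin` flag (standing in for the pref being set to 2) are assumptions.

```javascript
// Added illustration, not Firefox source. Origin = scheme + host + port;
// the IP address a name resolves to plays no part in the comparison.

// For each subresource, report whether it is cross-origin to the page and
// whether a 401 from it could still raise a credentials prompt.
// allowCrossOrigin is a hypothetical flag modelling the pref being set to 2.
function auditSubresources(pageUrl, subresourceUrls, allowCrossOrigin = false) {
  const pageOrigin = new URL(pageUrl).origin;
  return subresourceUrls.map((raw) => {
    const resolved = new URL(raw, pageUrl); // relative URLs inherit the page origin
    const crossOrigin = resolved.origin !== pageOrigin;
    return { url: resolved.href, crossOrigin, mayPrompt: allowCrossOrigin || !crossOrigin };
  });
}

// Unique origins whose authenticated resources would fail silently: the list
// an intranet admin would need to consolidate behind one name.
function silentlyFailingOrigins(pageUrl, subresourceUrls) {
  const blocked = auditSubresources(pageUrl, subresourceUrls)
    .filter((r) => !r.mayPrompt)
    .map((r) => new URL(r.url).origin);
  return [...new Set(blocked)].sort();
}

// Constructed sample modelled on the report: page on localhost, images on
// ntlm1..ntlm4 (same machine per the hosts file, but different origins).
const PAGE = "http://localhost/auth/";
const IMAGES = [
  "logo.png",                             // relative: same origin
  "http://LOCALHOST:80/auth/logo.png",    // case and default port normalise away
  "http://localhost:8080/auth/logo.png",  // different port: cross-origin
  "http://ntlm1/auth/logo.png",
  "http://ntlm2/auth/logo.png",
  "http://ntlm3/auth/logo.png",
  "http://ntlm4/auth/logo.png",
];

console.log(silentlyFailingOrigins(PAGE, IMAGES));
```
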

Comment 7

2 years ago
Terrible fix....lazy fix....  a "we don't give a F" fix.  Just shut the whole thing down instead of implementing a smart embedded warning/exception storing fix.  Another blow to the usability and utility of Firefox.