Closed Bug 1234066 Opened 9 years ago Closed 3 years ago

blank page when loading http://ibmrewards.co.uk/ , due to it trying to frame a page that doesn't allow it to do so

Categories

(Web Compatibility :: Site Reports, defect, P5)

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: stevejellis, Assigned: karlcow)

Details

(Keywords: webcompat:site-wait, Whiteboard: [http] [sitewait])

Attachments

(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20151216175450

Steps to reproduce:

I have 2 x MBP's and when the first one upgraded to 43.0.1 I could not get to ibmrewards.co.uk which links to https://ibm.rewardgateway.co.uk/MyRewards normally and did so before upgrading. I thought this might have been a faulty upgrade so tried it on my 2nd MBP. I checked first that it was working before upgrade and it was. I then upgraded to 43.0.1 and that machine also failed. I have not seen it on any other sites yet but believe the upgrade to be the cause of the problem. I have also tested using Safari on both machines and it works fine. I have also tried Firefox safe mode and no difference. I have also tried it on my iPhone version of Firefox and it works fine.

Actual results:

Blank screen when trying to open ibmrewards.co.uk

Expected results:

Link to https://ibm.rewardgateway.co.uk/MyRewards

I can confirm this is reproducible also on the latest Nightly on Windows.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20151222030207

This is not a recent regression, reproducible also on older versions (Firefox 42, Firefox 35, Firefox 30).

The following JS warning is received in the Web Console:
Load denied by X-Frame-Options: http://www.ibmrewards.co.uk/ does not permit framing by http://ibmrewards.co.uk/.

Dupe of Bug 1070425?

Status: UNCONFIRMED → NEW
Component: Untriaged → Layout
Ever confirmed: true
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
Version: 43 Branch → Trunk

(In reply to Simona B from comment #1)
> Dupe of Bug 1070425?

No, that bug doesn't have any useful diagnosis, whereas it sounds like this one probably does. Without knowing what the problem in the other bug is, it's not possible to say what is or isn't the same issue.

I'm not sure if there's an easy way to tell whether the X-Frame-Options header is what's producing the problem (i.e., to skip the check).

Component: Layout → DOM
Summary: After upgrade to 43.0.1 it fails to transfer to some websites → blank page when loading http://ibmrewards.co.uk/ , maybe related to X-Frame-Options

Well, if I disable the X-Frame-Options support (by just returning early from nsDSURIContentListener::CheckFrameOptions), the site loads fine.

That url loaded in the subframe is sending:

  X-Frame-Options: ALLOW-FROM http://www.ibmrewards.co.uk/

so it in fact disallows framing from http://ibmrewards.co.uk

As far as I can tell, this is just a bug in the site. Safari doesn't support ALLOW-FROM in X-Frame-Options; see <https://bugs.webkit.org/show_bug.cgi?id=94836>. That's why things "work" in Safari, and in the iPhone version of Firefox, which is forced to use Safari's engine.

Loading http://www.ibmrewards.co.uk/ works fine, of course.

Component: DOM → Desktop
Product: Core → Tech Evangelism
Summary: blank page when loading http://ibmrewards.co.uk/ , maybe related to X-Frame-Options → blank page when loading http://ibmrewards.co.uk/ , due to it trying to frame a page that doesn't allow it to do so
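
The origin mismatch diagnosed in the comment above, as an added example that is not part of the bug report and is not Gecko's code. It is a simplified model that checks only the immediate parent; the function name checkFrameOptions and the supportsAllowFrom switch (standing in for an engine that does not implement ALLOW-FROM) are assumptions made for the illustration.

```javascript
// Added example: simplified model of the framing decision, not Gecko's code.
// supportsAllowFrom is a hypothetical switch for the engine difference.
function checkFrameOptions(headerValue, parentUrl, framedUrl, supportsAllowFrom) {
  const parent = new URL(parentUrl).origin; // scheme + host + port
  const framed = new URL(framedUrl).origin;
  const value = (headerValue || "").trim();
  if (value === "") return { allowed: true, reason: "no header" };

  const upper = value.toUpperCase();
  if (upper === "DENY") return { allowed: false, reason: "DENY" };
  if (upper === "SAMEORIGIN") {
    return { allowed: parent === framed, reason: "SAMEORIGIN" };
  }

  const match = /^ALLOW-FROM\s+(\S+)$/i.exec(value);
  if (match && supportsAllowFrom) {
    let permitted;
    try {
      permitted = new URL(match[1]).origin;
    } catch (e) {
      // Choice made for this sketch: an unparsable URI permits nobody.
      return { allowed: false, reason: "ALLOW-FROM with invalid URI" };
    }
    // Origins are compared exactly: the www host and the bare host differ.
    return {
      allowed: permitted === parent,
      reason: `ALLOW-FROM ${permitted} vs parent ${parent}`,
    };
  }
  // In this model, ALLOW-FROM on an engine without support (or any other
  // unrecognized directive) means the header is ignored and the frame loads.
  return { allowed: true, reason: "directive not recognized, header ignored" };
}

// Values taken from the headers quoted in this bug.
const HEADER = "ALLOW-FROM http://www.ibmrewards.co.uk/";
const LOGIN = "https://ibm.rewardgateway.co.uk/Authentication/Login";

function demo() {
  return {
    apexEnforcing: checkFrameOptions(HEADER, "http://ibmrewards.co.uk/", LOGIN, true),
    wwwEnforcing: checkFrameOptions(HEADER, "http://www.ibmrewards.co.uk/", LOGIN, true),
    apexIgnoring: checkFrameOptions(HEADER, "http://ibmrewards.co.uk/", LOGIN, false),
  };
}

console.log(demo());
```
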

Let's see when I do a GET on

→ http GET http://ibmrewards.co.uk/
HTTP/1.1 200 OK
Connection: close
Content-Length: 745
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 25 Jan 2016 05:47:50 GMT
Server: DNSME HTTP Redirection

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>
<title></title>
<meta name="description" content="" />
<meta name="keywords" content="" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<frameset rows="*,0" frameborder="NO" border="0" framespacing="0">
<frame name="mainFrame" src="https://ibm.rewardgateway.co.uk">
</frameset>
<noframes>
<body bgcolor="#FFFFFF">
Please visit <a href="https://ibm.rewardgateway.co.uk">this link</a> since your browser does not support frames.
</body>
</noframes>
</html>

In Chrome it does a redirection, in Firefox it does a blank page.

→ http GET https://ibm.rewardgateway.co.uk
HTTP/1.1 307 Temporary Redirect
Content-Type: text/html; charset=UTF-8
Date: Mon, 25 Jan 2016 05:50:21 GMT
Location: /Authentication/Login
Server: nginx
Set-Cookie: SessionID=c2vho2fcbmk5eo3bcv4kht1fe3; path=/; secure; HttpOnly
Transfer-Encoding: chunked

→ http HEAD https://ibm.rewardgateway.co.uk/Authentication/Login
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, no-transform
Content-Type: text/html; charset=utf-8
Date: Mon, 25 Jan 2016 05:51:07 GMT
Expires: 0
P3P: CP="NOI DSP COR NID DEVa TAIa OUR BUS UNI"
Pragma: no-cache
Server: nginx
Set-Cookie: SessionID=02t0q4bjnncqato1slojp90kq2; path=/; secure; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOW-FROM http://www.ibmrewards.co.uk/
X-UA-Compatible: IE=Edge
X-XSS-Protection: 1; mode=block

The top address bar stays on the same domain though there was a redirection to the final target even if it failed. It's confusing.

Attached image Network-traffic.png

We can see that we reach the Login page with a 200, but the browsing context shown in Firefox UI is not the right one. There is something else going on. When I checked the response in the network inspector I have a partial body stopping at:

(f.attachEvent("onreadystatechange",r),c.attachEvent("onload",n)),a(

Ah maybe because of the X-Frame-Options it bails out.

Chrome/Blink loads the resources and shows in the console:

Navigated to http://ibmrewards.co.uk/
Invalid 'X-Frame-Options' header encountered when loading 'https://ibm.rewardgateway.co.uk/Authentication/Login': 'ALLOW-FROM http://www.ibmrewards.co.uk/' is not a recognized directive. The header will be ignored.
Navigated to https://ibm.rewardgateway.co.uk/Authentication/Login

Hmmm weird, checking Chromium bug tracking system.

* Issue 41251: content blocked by X-Frame-Options should show an error page
  https://code.google.com/p/chromium/issues/detail?id=41251

nope. Ah maybe this:

* Issue 555418: Move `X-Frame-Options` and CSP's `frame-ancestor` checks up out of the renderer.
  https://code.google.com/p/chromium/issues/detail?id=555418

where someone says on November 2015:

> Yes, we're definitely planning on enforcing X-Frame-Options
> in the browser process as part of Site Isolation. (It's mentioned
> in the threat model on http://www.chromium.org/developers/design-documents/site-isolation.)

so it's not yet deployed for Chrome and this is part of this meta-bug about site isolation.
https://code.google.com/p/chromium/issues/detail?id=467770

ok switching to needscontact. I think we need a better error message here, which I guess is Bug 631853
See Also: → 631853
Whiteboard: [http] [needscontact]
Assignee: nobody → kdubost
Status: NEW → ASSIGNED
Whiteboard: [http] [needscontact] → [http] [sitewait]
Still an issue, but in Chrome they display the following message: "The webpage at https://ibm.rewardgateway.co.uk/ might be temporarily down or it may have moved permanently to a new web address." But it does still work in Safari.
Priority: -- → P3
The issue is reproducible on Canary 69
Priority: P3 → P5
Product: Tech Evangelism → Web Compatibility

See bug 1547409. Moving webcompat whiteboard tags to keywords.

The website has changed to doing a 301 redirect.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME