Missing video controls of embedded HTML5 youtube video due to some HSTS

RESOLVED DUPLICATE of bug 1247733

Status

()

Core
Security: PSM
RESOLVED DUPLICATE of bug 1247733
2 years ago
2 years ago

People

(Reporter: Alice0775 White, Assigned: qdot)

Tracking

({reproducible})

Trunk
reproducible
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
When I test Bug 1240471, I found a problem.

video controls(play/pause, Gear, Fullscreen buttons) of embedded youtube video are missing.

Steps to reproduce:
1. Open http://www.ghacks.net/2007/03/02/one-of-the-greatest-line-rider-movies-ever/
2. Scroll page
3. Play video

Actual Resulst:
video controls(play/pause, Gear, Fullscreen buttons)  are missing.

Expected Results:
not so,


The problem is caused if entry of www.youtube.com:HSTS was existing in SiteSecurityServiceState.txt file.
I do not know when the entry was created. 
This problem might be happens on the profiles that have been used over a long period.
(Reporter)

Comment 1

2 years ago
Created attachment 8709123 [details]
screenshot
(Reporter)

Updated

2 years ago
Summary: Missing video controls of embedded youtube video due to some HSTS → Missing video controls of embedded HTML5 youtube video due to some HSTS
(Reporter)

Updated

2 years ago
Blocks: 775370
(Reporter)

Updated

2 years ago
Blocks: 769117
(Reporter)

Comment 2

2 years ago
Especially, Bug 769117 was landed in Nightly, the problem will be widely affected.
(Reporter)

Comment 3

2 years ago
Created attachment 8709124 [details]
SiteSecurityServiceState.txt, the problematic entry
It looks like that entry will expire on 2016-01-25T16:38:18.209Z. Can you try again after then?
Flags: needinfo?(alice0775)
Kyle, how critical is this problem? FF 44 is about to be released next week. Should we try to disable the rewriter for 44 or 45?

(In reply to Alice0775 White from comment #0)
> The problem is caused if entry of www.youtube.com:HSTS was existing in
> SiteSecurityServiceState.txt file.

Kyle's embed rewriter preserves the original Flash embed URL's scheme (HTTP or HTTPS) and domain, so I'm not sure why we have an HSTS conflict.
status-firefox43: --- → unaffected
Flags: needinfo?(kyle)
(In reply to Chris Peterson [:cpeterson] from comment #5)
> Kyle, how critical is this problem? FF 44 is about to be released next week.
> Should we try to disable the rewriter for 44 or 45?

The rewriter (bug 769117) never got uplifted to aurora or beta, so I think we're ok?
Flags: needinfo?(kyle)
Alice, this bug's Tracking Flags say status-firefox44 and status-firefox45 = affected. Is that true? If so, then this problem is not related to Kyle's Flash embed rewriter.
(Reporter)

Comment 8

2 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #4)
> It looks like that entry will expire on 2016-01-25T16:38:18.209Z. Can you
> try again after then?

Today 2016-01-26 16:00UTC, I tried to reproduce the problem, And I confirmed that the promlem was gone. The offending entry seems to expire as your described.
Flags: needinfo?(alice0775)
(Reporter)

Comment 9

2 years ago
(In reply to Chris Peterson [:cpeterson] from comment #7)
> Alice, this bug's Tracking Flags say status-firefox44 and status-firefox45 =
> affected. Is that true? If so, then this problem is not related to Kyle's
> Flash embed rewriter.

The Flash embed rewriter seems risky unless this root problem fixed. So I made block bug 769117.
I think the root problem is www.youtube.com briefly tried out sending a Strict-Transport-Security header. Presumably they found breakage (such as this), and it looks like they've since backed off (and are only sending the header with a max-age of 0, which essentially turns it off). Depending on what the original max-age value was and when they stopped sending the header, this problem will essentially go away on its own.
(Reporter)

Comment 11

2 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #10)
> I think the root problem is www.youtube.com briefly tried out sending a
> Strict-Transport-Security header. Presumably they found breakage (such as
> this), and it looks like they've since backed off (and are only sending the
> header with a max-age of 0, which essentially turns it off). Depending on
> what the original max-age value was and when they stopped sending the
> header, this problem will essentially go away on its own.

OK, I will change the status to "works for me".
No longer blocks: 769117, 775370
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox43: unaffected → ---
status-firefox44: affected → ---
status-firefox45: affected → ---
status-firefox46: affected → ---
Resolution: --- → WORKSFORME
(Reporter)

Updated

2 years ago
status-firefox-esr45: ? → ---
(Reporter)

Comment 12

2 years ago
The problem comes back w/ clean profile.

SiteSecurityServiceState.txt includes the following entry.
www.youtube.com:HSTS	1	16830	1454802579390,1,0
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
(Reporter)

Updated

2 years ago
Blocks: 769117
Keywords: reproducible
(Reporter)

Updated

2 years ago
(Reporter)

Comment 13

2 years ago
Steps to reproduce:
1. Open http://www.youtube.com/embed/XGSy3_Czz8k
2. Play video

Actual Resulst:
video controls(play/pause, Gear, Fullscreen buttons)  are missing.

Expected Results:
not so,
(Reporter)

Updated

2 years ago
Status: REOPENED → RESOLVED
Last Resolved: 2 years ago2 years ago
Resolution: --- → INCOMPLETE
Alice, in comment 12, you said you could still reproduce this problem with a clean profile, but then you closed this bug as RESOLVED INCOMPLETE. Is this still a bug? Thanks.
Flags: needinfo?(alice0775)
(Reporter)

Comment 15

2 years ago
The problem is still reproduced.
So I filed a new bug 1244495.
Flags: needinfo?(alice0775)
(Reporter)

Updated

2 years ago
See Also: → bug 1244495

Comment 16

2 years ago
(In reply to Alice0775 White from comment #15)
> The problem is still reproduced.
> So I filed a new bug 1244495.

Problem is on all Firefox browsers. Also with scripts "converts" flash youtube embed to html5.

Updated

2 years ago
Resolution: INCOMPLETE → DUPLICATE
Duplicate of bug: 1247733

Updated

2 years ago
See Also: bug 1244495
You need to log in before you can comment on or make changes to this bug.