Bug 1293628: Lost request body after negotiate authentication
Status: Closed, RESOLVED DUPLICATE of bug 1293765
Opened 8 years ago, closed 8 years ago
Categories: Core :: Networking, defect
People: Reporter: kong.shijun, Assigned: mayhemer
Whiteboard: [necko-active]
Attachments: 1 file (282.32 KB, text/plain)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20160805004022

Steps to reproduce:
developer edition, 50.0a
send a POST request to protected internal website

Actual results:
the site first sends back a 401 with authenticate negotiate basic header
Firefox sends back authentication header with an empty request body

Expected results:
Firefox should send back authentication header with original request body
Updated•8 years ago (Reporter)
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64
Comment 1•8 years ago
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0

I tried to test this issue on Windows 7 x64 with the latest Firefox release (48.0) and the latest Nightly (51.0a1-20160812030200) and could not reproduce it. When sending a POST request to a protected internal website, I haven't encountered any issues. Can you please provide us with a simplified testcase and attach it to this issue? Feel free to use https://jsfiddle.net/ if you like.
Flags: needinfo?(kong.shijun)
Comment 2•8 years ago (Reporter)
Sorry, I can't give special. On the other hand, I mentioned in the ticket, it only happens with developer edition 50.0a. Not non-developer edition 48.0. I haven't tested nightly version 51.0xxx. Where could I download nightly build? If it is fixed in 51.0, I could switch to it.
Comment 3•8 years ago
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 (20160825004011)

The attached .HAR file demonstrates this bug in action. Note two things -- one, that Firefox is dropping the "Authorization" header on every request, forcing a re-negotiation, which is then when it loses the form POST data. Also note that this .HAR file has been anonymized after the fact to hide identifiable information, so the various size and content-length parameters are likely incorrect. HAR file can be viewed using any decent HAR viewer, I prefer https://toolbox.googleapps.com/apps/har_analyzer/.
Comment 4•8 years ago
I've prepared the following test procedure which can be used to recreate the bug on Mozilla/5.0 (Windows NT 6.3; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 (20160825004011).

0. Locate (or prepare) a website protected by Integrated Windows Authentication and a computer joined to the same domain
1. Create a new Firefox profile
2. about:config -> network.automatic-ntlm-auth.trusted-uris: (example.org)
3. about:config -> network.negotiate-auth.trusted-uris: (example.org)
4. Request a page which is secured by NTLM authentication.
5. Note that on subsequent requests, the "Authorization" header is lost, so Firefox has to renegotiate.
6. Attempt to post a form on this page. Note that in the renegotiation process, the post body is lost.
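
Added example, not part of any comment in this bug and not Mozilla code: one way to check a HAR capture like the one described in comment 3 for the symptom in step 6 of comment 4, a POST that draws a 401 Negotiate/NTLM challenge and is then retried with an "Authorization" header but no body. The HAR fragment is constructed, and the host name and function names are assumptions.

```python
import json

# Constructed HAR fragment (not the attachment from this bug): a POST is
# challenged with 401, then retried with credentials but with no body.
URL = "https://intranet.example.org/form"  # placeholder host
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "POST", "url": URL, "headers": [],
                 "postData": {"text": "field=value"}, "bodySize": 11},
     "response": {"status": 401, "headers": [
         {"name": "WWW-Authenticate", "value": "Negotiate"},
         {"name": "WWW-Authenticate", "value": "NTLM"}]}},
    {"request": {"method": "POST", "url": URL, "bodySize": 0,
                 "headers": [{"name": "Authorization", "value": "Negotiate <token>"}]},
     "response": {"status": 200, "headers": []}},
]}})


def header_values(headers, name):
    """All values of a header, matched case-insensitively."""
    return [h["value"] for h in headers if h["name"].lower() == name.lower()]


def body_length(request):
    """Prefer the recorded body text; bodySize may be -1 or wrong after anonymizing."""
    text = (request.get("postData") or {}).get("text") or ""
    return len(text) if text else max(request.get("bodySize", 0), 0)


def find_lost_bodies(har_text):
    """Return (url, original_body_length) for POSTs whose body vanished on the authenticated retry."""
    pending = {}   # url -> body length of the POST that drew the 401 challenge
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        if req["method"] != "POST":
            continue
        url, status = req["url"], resp["status"]
        authed = bool(header_values(req["headers"], "Authorization"))
        # Intermediate handshake legs still answer 401; judge only the final retry.
        if url in pending and authed and status != 401 and body_length(req) == 0:
            findings.append((url, pending[url]))
        schemes = {v.split()[0].lower()
                   for v in header_values(resp["headers"], "WWW-Authenticate") if v.strip()}
        if status == 401 and schemes & {"negotiate", "ntlm"} and body_length(req) > 0:
            pending[url] = body_length(req)
        elif status != 401:
            pending.pop(url, None)
    return findings
```

Calling `find_lost_bodies` on the text of a saved HAR returns one tuple per affected form post; an empty list means every challenged POST was retried with its body.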
Comment 5•8 years ago
I am assigning a component to this issue in order to involve the development team and get an opinion on this.
Component: Untriaged → Networking
Product: Firefox → Core
Comment 6•8 years ago (Assignee)
Valentin, another instance of releasing the body stream too early? (I don't recall the bug #)
Flags: needinfo?(valentin.gosu)
Comment 7•8 years ago
This was backed out in bug 1297663. Marking as duplicate and proceeding to nominate the patch for aurora.
Blocks: 1264566
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(valentin.gosu)
Resolution: --- → DUPLICATE
Comment 8•8 years ago
It seems bug 1297663 didn't actually reach aurora, so there is a different cause for this bug.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: DUPLICATE → ---
Comment 10•8 years ago (Assignee)
(In reply to Valentin Gosu [:valentin] from comment #9)
> Honza, did you have a setup to test NTLM?

I do have a server that you can auth to with NTLM. It's a standard Win10Pro IIS. I have a Windows Integrated Auth only enabled folder, you add any user on the system creds. There is also no need to add the machine to a domain.
Flags: needinfo?(honzab.moz)
Comment 11•8 years ago
(In reply to Honza Bambas (:mayhemer) from comment #10)
> (In reply to Valentin Gosu [:valentin] from comment #9)
> > Honza, did you have a setup to test NTLM?
>
> I do have a server that you can auth to with NTLM. It's a standard Win10Pro
> IIS. I have a Windows Integrated Auth only enabled folder, you add any user
> on the system creds. There is also no need to add the machine to a domain.

Do you have the cycles to take this? If not, please assign the bug to me and PM the credentials so I can take a look. Thanks!
Assignee: nobody → honzab.moz
Whiteboard: [necko-active]
Comment 12•8 years ago (Assignee)
Bug 1293765 needs an uplift to 50 (m-b).
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago (Assignee)
Flags: needinfo?(kong.shijun)