Closed Bug 1335083 Opened 3 years ago Closed 3 years ago

HSTS Priming can cause content load failures (endless loop) due to mixed content blocked

Categories

(Core :: DOM: Security, defect, P1, major)

51 Branch
defect

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox-esr45 --- unaffected
firefox51 --- disabled
firefox52 --- disabled
firefox-esr52 --- disabled
firefox53 + disabled
firefox54 + wontfix
firefox55 + wontfix

People

(Reporter: nic3-art, Assigned: kmckinley)

References

Details

(Keywords: regression, Whiteboard: [domsecurity-active])

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131

Steps to reproduce:

-after update to version 51.0.1 Firefox is in a loading-loop and content will not be loaded


Actual results:

Some users pointed out to me that my website was not available. Test with all other browsers and older versions of the Firefox ran however positive, so the error occurs only with Firefox version 51.0.1 (32 bit). After server side problems could be excluded, the website was liberated bit by bit from HTML code. The call worked when removing the following line of code. In the code is a link which returns a 404.

<script src="http://ajax.googleapis.com/ajax/libs/jGquery/1.8.3/jquery.min.js"></script>

The false script link to jquery at googleapis.com (404) was the reason.

If the page was accessed via a subpage by Google and then entered the damaged homepage, everything went perfectly and the site could be called directly without modification by domain. However, if the loop was cleared again, the endless loop was there again.
If it's specific to a unique website, could you provide the URL, please.

In addition, does it work with a fresh profile?
https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles
Flags: needinfo?(nic3-art)
I reproduce the problem in this URL:

https://pswgmbh-lsa.de/index.php?article_id=36

The sourcecode is the same like the sourcecode at the startpage on https://pswgmbh-lsa.de - only the named line of code (there is a false link in this line - look at JGquery) and the firefox goes to endless loop.

Also to reproduce the loop, you need an empty cache. 


On https://webkartell.de/test.html i put an empty html-site only with the false line of code, the problem is the same...
With https://pswgmbh-lsa.de/index.php?article_id=36 I see 2 errors about mixed content blocked because font and jquery are served from CDN googleapis.com without HTTPS.

Same observation with https://webkartell.de/test.html
Component: Untriaged → DOM: Security
Product: Firefox → Core
Summary: Firefox 51.0.1 does not load content → Firefox 51.0.1 does not load content (endless loop) due to mixed content blocked
Regression:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=8387a4ada9a5c4cab059d8fafe0f8c933e83c149&tochange=15b774db7eab7fc4c9489db9c9f77a2e73536e22

It's due to bug 1313595 but it should be fixed by bug 1335224 which has disabled HSTS priming in FF51.
Flags: needinfo?(nic3-art)
Keywords: regression
This is weird, on my current profile with FF51, the website doesn't load with security.mixed_content.send_hsts_priming=false, I need to set it to true.

On another profile, it works normally, with security.mixed_content.send_hsts_priming=false.
Blocks: 1313595
Flags: needinfo?(kmckinley)
Yes it's weird, cause the website runs all time without problems, after the update there is the bug/loop.

But it is nice you found the problem. I publishes the same code of the test.html with an https: link which is false, after your comment and firefox  doesn't have the problem.

Look at https://webkartell.de/test_ssl.html
[Tracking Requested - why for this release]:
Assignee: nobody → kmckinley
Priority: -- → P1
Whiteboard: [domsecurity-active]
I am unable to reproduce this with security.mixed_content.send_hsts_priming set to false, with a new/clean profile or an existing profile.
Flags: needinfo?(kmckinley)
Yes, it's because my current profile has the option "Check for updates, but let me choose whether to install them" enabled instead of "Automatically install updates" which blocks the update of bugfixes by addon system. Which is a real bad design IMHO.
This is fixed on Beta/Release by the changing of the pref, but we should probably leave this bug open for tracking before HSTS priming tries to ride the trains.
[Tracking Requested - why for this release]: Regression

+ fixing statuses (Fx 53 is affected - bug #1335224 and bug #1335134)
Blocks: 1246540
Severity: normal → major
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
See Also: → 1311807
Tracking 53/54+ for this regression.
(In reply to Ryan VanderMeulen [:RyanVM] from comment #10)
> This is fixed on Beta/Release by the changing of the pref, but we should
> probably leave this bug open for tracking before HSTS priming tries to ride
> the trains.

Is HSTS priming riding the train for 54, then, Christoph?  Can we make this bug block/depend on whatever bug is turning on HSTS priming?
Flags: needinfo?(ckerschb)
(In reply to Nathan Froyd [:froydnj] from comment #13)
> (In reply to Ryan VanderMeulen [:RyanVM] from comment #10)
> > This is fixed on Beta/Release by the changing of the pref, but we should
> > probably leave this bug open for tracking before HSTS priming tries to ride
> > the trains.
> 
> Is HSTS priming riding the train for 54, then, Christoph?  Can we make this
> bug block/depend on whatever bug is turning on HSTS priming?

Redirecting this one to Kate.
Flags: needinfo?(ckerschb) → needinfo?(kmckinley)
I'm unable to reproduce this issue. I left it open in case someone could reproduce it.

Matthias, are you able to reproduce this issue currently with Release, or any other current version of Firefox?
Flags: needinfo?(kmckinley) → needinfo?(nic3-art)
As we're not hearing back from the reporter, I'm clearing the needinfo. Kate, let's meet with QA and see what we can come up with to try other ways to reproduce.
Flags: needinfo?(nic3-art)
Summary: Firefox 51.0.1 does not load content (endless loop) due to mixed content blocked → HSTS Priming can cause content load failures (endless loop) due to mixed content blocked
Sounds reasonable to resolved this as WORKSFOR ME since we haven't been able to reproduce the issue in 52 or higher. 

If anyone does manage to reproduce it, please n-i to jcj or kate and reopen the bug with all the details.
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
Restrict Comments: true
You need to log in before you can comment on or make changes to this bug.