Closed Bug 1414676 Opened 7 years ago Closed 7 years ago

Firefox 57 regression: HTTP redirect automatically rewritten to HTTPS

Categories

(Core :: DOM: Security, defect)

Version: 57 Branch
Type: defect
Priority: Not set
Severity: normal

Tracking

RESOLVED DUPLICATE of bug 1417901

People

(Reporter: steffen.weber, Unassigned)

Details

(Keywords: regression)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171102181127

Steps to reproduce:

1. Open https://www.computerbase.de/downloads/systemtools/core-temp/
2. Click the orange button "Download (1 MB)" in the upper right corner
3. On the next page, click the big orange button "Download starten (1 MB)"

Actual results:

The website https://www.computerbase.de/ sends a 303 redirect to http://www.alcpu.com/CoreTemp/Core-Temp-setup.exe but for some reason Firefox rewrites this to https://www.alcpu.com/CoreTemp/Core-Temp-setup.exe (i.e. it turns the HTTP URL into an HTTPS URL). You can check this using the "Network" tab of the Firefox Developer Tools. The user-visible result is that Firefox shows an HTTPS error page but the actual bug is that Firefox has (for no reason) turned the HTTP URL into an HTTPS URL.

ComputerBase is HSTS-preloaded and its Content-Security-Policy contains the "upgrade-insecure-requests" directive. But neither should affect third-party URLs.

Expected results:

Firefox should not silently rewrite the redirect URL. Only Firefox 57 has this issue. Everything is working fine in Firefox 56 and in other browsers.
The problem seems to be caused by the "upgrade-insecure-requests" CSP directive. This issue disappears when I remove this directive from our CSP. (This is strange because the 303 redirect response does not have a CSP at all. Only the previous responses that delivered HTML actually use a CSP. Removing the "upgrade-insecure-requests" directive from those HTML responses has an effect later on for the 303 redirect response.)
Component: Untriaged → DOM: Security
Keywords: regression
Product: Firefox → Core
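The two mechanisms the reporter rules out, HSTS preloading and the CSP directive upgrade-insecure-requests, each have a defined scope, and a small model of that scope makes it clear why neither should touch the third-party download URL. The script below is an added illustration written for this page; it is neither Firefox code nor the reporter's. It encodes the rules from RFC 6797 (HSTS applies to the known host, plus subdomains when includeSubDomains is set) and the W3C Upgrade Insecure Requests specification (the directive upgrades subresource requests and same-host navigations issued by the document carrying it, but not navigations to third-party hosts). The CSP value and the preload entry are constructed for the example; the site's real policy is not on this page beyond the fact that it contains the directive.

```python
"""Model of when a browser is expected to rewrite an http:// URL to https://.

Modelled mechanisms (added example, not Firefox's implementation):
  * HSTS (RFC 6797): applies to a host the browser knows as HSTS (preload
    list or an earlier Strict-Transport-Security header) and, when
    includeSubDomains is set, to its subdomains.
  * CSP upgrade-insecure-requests: upgrades subresource requests and
    same-host navigations made by the document that carries the directive;
    navigations to third-party hosts are not upgraded.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class HstsEntry:
    host: str
    include_subdomains: bool = False


def csp_has_upgrade_insecure_requests(csp: Optional[str]) -> bool:
    """True if a Content-Security-Policy value lists upgrade-insecure-requests."""
    if not csp:
        return False
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "upgrade-insecure-requests":
            return True
    return False


def hsts_applies(host: str, known: List[HstsEntry]) -> bool:
    """Exact host match, or a subdomain of an entry with includeSubDomains."""
    host = host.lower()
    for entry in known:
        entry_host = entry.host.lower()
        if host == entry_host:
            return True
        if entry.include_subdomains and host.endswith("." + entry_host):
            return True
    return False


def to_https(url: str) -> str:
    """Rewrite scheme http -> https; an explicit :80 becomes :443."""
    parts = urlsplit(url)
    netloc = parts.netloc
    if netloc.endswith(":80"):
        netloc = netloc[:-3] + ":443"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def expected_request_url(url: str, *, document_host: str, document_csp: Optional[str],
                         is_navigation: bool, hsts: List[HstsEntry]) -> Tuple[str, str]:
    """Return (url the browser should request, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url, "not an http:// URL"
    host = (parts.hostname or "").lower()
    if hsts_applies(host, hsts):
        return to_https(url), "HSTS"
    if csp_has_upgrade_insecure_requests(document_csp):
        if not is_navigation or host == document_host.lower():
            return to_https(url), "upgrade-insecure-requests"
        return url, "third-party navigation: upgrade-insecure-requests does not apply"
    return url, "no upgrade rule matches"


# Constructed scenario mirroring the report: a document on www.computerbase.de
# (HSTS-preloaded, CSP with upgrade-insecure-requests) is redirected with a 303
# to a download on a third-party host.
COMPUTERBASE_CSP = "default-src 'self'; upgrade-insecure-requests"  # constructed value
PRELOAD = [HstsEntry("computerbase.de", include_subdomains=True)]    # constructed entry


def bug_scenario() -> Tuple[str, str]:
    return expected_request_url(
        "http://www.alcpu.com/CoreTemp/Core-Temp-setup.exe",
        document_host="www.computerbase.de",
        document_csp=COMPUTERBASE_CSP,
        is_navigation=True,
        hsts=PRELOAD,
    )


if __name__ == "__main__":
    cases = [
        ("http://www.alcpu.com/CoreTemp/Core-Temp-setup.exe", True),   # the report
        ("http://www.computerbase.de/downloads/", True),              # same host, HSTS
        ("http://cdn.example/logo.png", False),                       # third-party subresource
    ]
    for url, nav in cases:
        final, why = expected_request_url(url, document_host="www.computerbase.de",
                                          document_csp=COMPUTERBASE_CSP,
                                          is_navigation=nav, hsts=PRELOAD)
        print(f"{url} -> {final}  ({why})")
```

Run stand-alone, the first case is left as plain http (the behaviour the reporter expects), the same-host case is upgraded by HSTS, and the third-party image request is upgraded by the directive. A site operator can plug their own policy and preload status into `expected_request_url` to see which redirects a spec-following browser should leave alone.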
It looks like Firefox 57 will ship with this regression unfixed. I'll therefore apply a workaround to our website (we'll no longer send the "upgrade-insecure-requests" directive to Firefox users on certain pages). This means that the "Steps to reproduce" mentioned above won't work anymore. I've therefore created a reduced test-case: https://www.computerbase.de/firefox-bug-1414676.php
I'm duping this as the other bug has more information. Thanks!
No longer blocks: 1391011
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
