Open Bug 1418815 Opened 7 years ago Updated 2 years ago

Https to Http redirect does not work on sandbox level 3 (default)

Categories

(Core :: Security: Process Sandboxing, defect, P3)

57 Branch
defect

Tracking

Tracking Status
firefox57 --- affected
firefox58 --- affected
firefox59 --- affected

People

(Reporter: booboota2, Unassigned)

Details

(Keywords: regressionwindow-wanted, Whiteboard: sb+)

Attachments

(4 files)

Attached image FF bug empty page.jpg
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171112125346

Steps to reproduce:

I am on Pinterest, I left click on a link, it opens up a new tab and connects me to the link I clicked on.  I am unaware of other sites it happens on.


Actual results:

When the new tab opens, Firefox acts like it opened the page, the link address does appear in the web address, however the page is blank.  
I read through some bugs, I did try the R click and tell it to open in a new tab and that does seem to work, however, that is not how it used to work.


Expected results:

The page should have fully opened in a new tab when I L click on the link.

FYI, this issue is on all 3 of my laptops with the new FF 57.0 update. I am running Windows 7 on 2 laptops and Windows 10 on 1 laptop.

Tested on Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Build ID:20171112125346 and it seems there is a sandbox issue here. It was observed that when redirecting from a "https://" page to a "http" url page (with security.sandbox.content.level = 3 as default in FF) the browser returns a Content Security Policy error, "Couldn't parse invalid host", and ignores the specified page link.

By changing the value of the security.sandbox.content.level to 2, the redirect is done successfully.

Barb Stewart - Thank you for reporting it.
Status: UNCONFIRMED → NEW
Component: Untriaged → Security: Process Sandboxing
Ever confirmed: true
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
Summary: I open a new tab from a link and the page does not open, I come up with a blank page. → Https to Http redirect does not work on sandbox level 3 (default)
Additional STR:
1. Go to https://ro.pinterest.com/pin/647251777668683572/
2. Click on the image

Actual:
As the reporter mentioned - the redirect page is not loaded (blank)
Error in Console:
Content Security Policy: Couldn’t parse invalid host 'report-sample'  (unknown)
Content Security Policy: Ignoring “https://ro.pinterest.com” within script-src: ‘strict-dynamic’ specified
Which image needs to be clicked on that page? There are several images.
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #3)
> Which image needs to be clicked on that page? There are several images.

The link from Step 1 will redirect you to a single image, once you are logged in.
Tracy, can you please try to reproduce.
Flags: needinfo?(twalker)
(In reply to Jim Mathies [:jimm] from comment #5)
> Tracy, can you please try to reproduce.

regression range too if possible!
I am unable to reproduce this on 57 or on 59 Nightly on Windows 10 (both 64-bit builds).

Alin, are you reproducing in a clean profile? If so, can you find the regression range?
Flags: needinfo?(twalker) → needinfo?(alin.deac)
Managed to reproduce the issue on Windows 7 & 10 on 57 Release, on clean profiles (even without logging in, as I mentioned above, in comment 4) by clicking on any images (used the first 3 images after accessing https://ro.pinterest.com/pin/647251777668683572/). Attached screen-record. Hope this helps. Thank you.
Flags: needinfo?(alin.deac)
Hey Dean, would you please try to generate some http logging for this?

https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging?redirectlocale=en-US&redirectslug=HTTP_Logging

Also, about:support text please.
Flags: needinfo?(alin.deac)
Hi Jim, here is the link with the information you requested (About:support text and Http activity log)
https://drive.google.com/drive/folders/1KVsuiSvw7qSum0zyKMGKTcl1ZGZQ9GLa?usp=sharing
Flags: needinfo?(alin.deac)
Can't reproduce on Win7 using Nightly 59.
Can't reproduce in 57.0.2 on Win7 as well.
Deac, are you running any type of anti-virus software on your device?
Flags: needinfo?(alin.deac)
We are using Kaspersky Endpoint Security 10 Version 10.3.0.6294 as default anti-virus software.
Flags: needinfo?(alin.deac)
(In reply to Deac Alin-Desktop Engineering QA from comment #14)
> We are using Kaspersky Endpoint Security 10 Version 10.3.0.6294 as default
> anti-virus software.

Can you reproduce if you disable the antivirus?
Flags: needinfo?(alin.deac)
(In reply to Marco Castelluccio [:marco] from comment #15)
> Can you reproduce if you disable the antivirus?

Hi guys, we cannot disable the antivirus on our work stations, but I managed to find one station, without any antivirus installed yet. Retested the issue on latest Nightly (with no antivirus) Version 57.0.3 Build ID 20171226083017 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 and managed to reproduce the issue as described above (Comment 2 and 10), with same error returned in console. Hope this helps.
Flags: needinfo?(alin.deac)
Sorry, I meant latest Release 57 (not Nightly).
Flags: needinfo?(jmathies)
Deac, can you please post about:support text for an affected system? Thanks.

I still can't repro, specifically on this page - 

https://ro.pinterest.com/pin/372461831663181316/

This first page is https. Clicking on the field image will open an http site in a background tab. This tab loads properly for me.
Flags: needinfo?(jmathies) → needinfo?(alin.deac)
Priority: -- → P3
Hi Jim,

I already shared about:support text in comment 10, but I will post it again as an attachment and also a new screen record made today (reproducing the issue) on latest Release. Hoping that it will help reproducing the problem on your end. Thank you.
Flags: needinfo?(alin.deac)
Whiteboard: sb+
Severity: normal → S3