Https to Http redirect does not work on sandbox level 3 (default)

Status: NEW
Assignee: Unassigned
Reporter: Barb Stewart

Product: Core
Component: Security: Process Sandboxing
Priority: P3
Severity: normal
Opened: 2 months ago
Updated: 3 days ago

Version: 57 Branch
Keywords: regressionwindow-wanted
Firefox Tracking Flags: firefox57 affected, firefox58 affected, firefox59 affected
Whiteboard: sb+
Attachments: 4
Description

2 months ago
Created attachment 8929879 [details]
FF bug empty page.jpg

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171112125346

Steps to reproduce:

I am on Pinterest, I left click on a link, it opens up a new tab and connects me to the link I clicked on.  I am unaware of other sites it happens on.


Actual results:

When the new tab opens, Firefox acts like it opened the page, the link address does appear in the web address, however the page is blank.  
I read through some bugs, I did try the R click and tell it to open in a new tab and that does seem to work, however, that is not how it used to work.


Expected results:

The page should have fully opened in a new tab when I L click on the link.

FYI, this issue is on all 3 of my laptops with the new FF 57.0 update.  I am running Windows 7 on 2 laptops and Windows 10 on 1 laptop.

Comment 1

Tested on Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Build ID:20171112125346 and it seems there is a sandbox issue here. It was observed that when redirecting from a "https://" page to a "http" url page (with security.sandbox.content.level = 3 as default in FF) the browser returns a Content Security Policy - "Couldn't parse invalid host" and ignoring the specified page link.

By changing the value of the security.sandbox.content.level to 2, the redirect is done successfully.

Barb Stewart - Thank you for reporting it.
Status: UNCONFIRMED → NEW
Component: Untriaged → Security: Process Sandboxing
Ever confirmed: true
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
Summary: I open a new tab from a link and the page does not open, I come up with a blank page. → Https to Http redirect does not work on sandbox level 3 (default)

Comment 2

Additional STR:
1. Go to https://ro.pinterest.com/pin/647251777668683572/
2. Click on the image

Actual:
As the reporter mentioned - the redirect page is not loaded (blank)
Error in Console:
Content Security Policy: Couldn’t parse invalid host 'report-sample'  (unknown)
Content Security Policy: Ignoring “https://ro.pinterest.com” within script-src: ‘strict-dynamic’ specified
status-firefox57: --- → affected
status-firefox58: --- → affected
status-firefox59: --- → affected
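
The wording of the two console messages quoted above matches how a CSP source-list parser treats `script-src` tokens: an unrecognised quoted keyword falls through to host parsing and fails, and under CSP Level 3 a list containing 'strict-dynamic' ignores host and scheme sources, 'self' and 'unsafe-inline'. The sketch below is an added example, not part of the bug report and not Firefox's code; the sample policy, `classifyScriptSrc` and the "older keyword list" are assumptions made for illustration.

```javascript
// Added example. SAMPLE_POLICY is constructed; it is not the header Pinterest served.
const SAMPLE_POLICY =
  "script-src 'self' 'nonce-abc123' 'strict-dynamic' 'report-sample' " +
  "https://ro.pinterest.com; object-src 'none'";

const CSP3_KEYWORDS = new Set([
  "'self'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'", "'report-sample'",
]);
// Hypothetical older parser: same keyword list minus 'report-sample'.
const OLDER_KEYWORDS = new Set([...CSP3_KEYWORDS].filter(k => k !== "'report-sample'"));

const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+\/_-]+={0,2}'$/;
const SCHEME = /^[A-Za-z][A-Za-z0-9+.-]*:$/;
const HOST = /^([A-Za-z][A-Za-z0-9+.-]*:\/\/)?(\*|(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*)(:(\d+|\*))?(\/\S*)?$/;

// Returns one record per source expression in script-src:
// its syntactic kind and whether 'strict-dynamic' causes it to be ignored.
function classifyScriptSrc(policy, keywords = CSP3_KEYWORDS) {
  const directive = policy.split(";")
    .map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === "script-src");
  if (!directive) return [];
  const sources = directive.slice(1);
  const strictDynamic = sources.some(s => s.toLowerCase() === "'strict-dynamic'");
  return sources.map(token => {
    const lower = token.toLowerCase();
    let kind = "invalid"; // matched nothing: a parser reports it and drops it
    if (keywords.has(lower)) kind = "keyword";
    else if (NONCE_OR_HASH.test(token)) kind = "nonce-or-hash";
    else if (SCHEME.test(token)) kind = "scheme";
    else if (HOST.test(token)) kind = "host";
    const ignored = strictDynamic &&
      (kind === "host" || kind === "scheme" || lower === "'self'" || lower === "'unsafe-inline'");
    return { token, kind, ignored };
  });
}

for (const [label, kw] of [["CSP3 keywords", CSP3_KEYWORDS], ["older keywords", OLDER_KEYWORDS]]) {
  console.log(label);
  for (const r of classifyScriptSrc(SAMPLE_POLICY, kw)) {
    const state = r.kind === "invalid" ? "dropped" : r.ignored ? "ignored" : "in effect";
    console.log(`  ${r.token.padEnd(26)} ${r.kind.padEnd(14)} ${state}`);
  }
}
```
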

Comment 3

Which image needs to be clicked on that page? There are several images.

Comment 4

(In reply to Alex Gaynor [:Alex_Gaynor] from comment #3)
> Which image needs to be clicked on that page? There are several images.

The link from Step 1 will redirect you to a single image, once you are logged in.

Comment 5

2 months ago
Tracy, can you please try to reproduce.
Flags: needinfo?(twalker)

Comment 6

2 months ago
(In reply to Jim Mathies [:jimm] from comment #5)
> Tracy, can you please try to reproduce.

regression range too if possible!

Comment 7

2 months ago
I am unable to reproduce this on 57 nor on 59 Nightly on Windows 10 (both 64 bit builds).

Alin, are you reproducing in a clean profile?  If so, can you find the regression range?
Flags: needinfo?(twalker) → needinfo?(alin.deac)
Keywords: regressionwindow-wanted

Comment 8

Created attachment 8935024 [details]
pinterest loading image issue.webm

Managed to reproduce the issue on Windows 7 & 10 on 57 Release, on clean profiles (even without logging in, as I mentioned above, in comment 4) by clicking on any images (used the first 3 images after accessing https://ro.pinterest.com/pin/647251777668683572/). Attached screen-record. Hope this helps. Thank you.
Flags: needinfo?(alin.deac)

Comment 9

2 months ago
Hey Dean, would you please try to generate some http logging for this?

https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging?redirectlocale=en-US&redirectslug=HTTP_Logging

Also, about:support text please.
Flags: needinfo?(alin.deac)

Comment 10

Hi Jim, here is the link with the information you requested (About:support text and Http activity log)
https://drive.google.com/drive/folders/1KVsuiSvw7qSum0zyKMGKTcl1ZGZQ9GLa?usp=sharing
Flags: needinfo?(alin.deac)

Comment 11

2 months ago
Can't reproduce on Win7 using Nightly 59.

Comment 12

2 months ago
Can't reproduce in 57.0.2 on Win7 as well.

Comment 13

2 months ago
Deac, are you running any type of anti-virus software on your device?
Flags: needinfo?(alin.deac)

Comment 14

We are using Kaspersky Endpoint Security 10 Version 10.3.0.6294 as default anti-virus software.
Flags: needinfo?(alin.deac)

Comment 15

(In reply to Deac Alin-Desktop Engineering QA from comment #14)
> We are using Kaspersky Endpoint Security 10 Version 10.3.0.6294 as default
> anti-virus software.

Can you reproduce if you disable the antivirus?
Flags: needinfo?(alin.deac)

Comment 16

(In reply to Marco Castelluccio [:marco] from comment #15)
> Can you reproduce if you disable the antivirus?

Hi guys, we cannot disable the antivirus on our work stations, but I managed to find one station, without any antivirus installed yet. Retested the issue on latest Nightly (with no antivirus) Version 57.0.3 Build ID 20171226083017 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 and managed to reproduce the issue as described above (Comment 2 and 10), with same error returned in console. Hope this helps.
Flags: needinfo?(alin.deac)

Comment 17

Sorry, I meant latest Release 57 (not Nightly).

Updated

11 days ago
Flags: needinfo?(jmathies)
Deac, can you please post about:support text for an affected system? Thanks.

I still can't repro, specifically on this page - 

https://ro.pinterest.com/pin/372461831663181316/

This first page is https. Clicking on the field image will open an http site in a background tab. This tab loads properly for me.
Flags: needinfo?(jmathies) → needinfo?(alin.deac)
Priority: -- → P3
Created attachment 8943576 [details]
video of the issue 01.18.2018

Hi Jim,

I already shared about:support text in comment 10, but I will post it again as an attachment and also a new screen record made today (reproducing the issue) on latest Release. Hoping that it will help reproducing the problem on your end. Thank you
Flags: needinfo?(alin.deac)
Created attachment 8943577 [details]
aboutsupportbug1418815.txt

Updated

4 days ago
Whiteboard: sb+