Open
Bug 1418815
Opened 7 years ago
Updated 2 years ago
Https to Http redirect does not work on sandbox level 3 (default)
Categories
(Core :: Security: Process Sandboxing, defect, P3)
NEW
People
(Reporter: booboota2, Unassigned)
Details
(Keywords: regressionwindow-wanted, Whiteboard: sb+)
Attachments
(4 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171112125346

Steps to reproduce:
I am on Pinterest, I left click on a link, it opens up a new tab and connects me to the link I clicked on. I am unaware of other sites it happens on.

Actual results:
When the new tab opens, Firefox acts like it opened the page, the link address does appear in the web address, however the page is blank. I read through some bugs, I did try the R click and tell it to open in a new tab and that does seem to work, however, that is not how it used to work.

Expected results:
The page should have fully opened in a new tab when I L click on the link. FYI, this issue is on all 3 of my laptops with the new FF 57.0 update. I am running Windows 7 on 2 laptops and Windows 10 on 1 laptop.
Tested on Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Build ID: 20171112125346 and it seems there is a sandbox issue here.

It was observed that when redirecting from a "https://" page to a "http" url page (with security.sandbox.content.level = 3 as default in FF) the browser returns a Content Security Policy - "Couldn't parse invalid host" and ignoring the specified page link. By changing the value of the security.sandbox.content.level to 2, the redirect is done successfully.

Barb Stewart - Thank you for reporting it.
Status: UNCONFIRMED → NEW
Component: Untriaged → Security: Process Sandboxing
Ever confirmed: true
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
Summary: I open a new tab from a link and the page does not open, I come up with a blank page. → Https to Http redirect does not work on sandbox level 3 (default)
Additional STR:
1. Go to https://ro.pinterest.com/pin/647251777668683572/
2. Click on the image

Actual: As the reporter mentioned - the redirect page is not loaded (blank)

Error in Console:
Content Security Policy: Couldn’t parse invalid host 'report-sample' (unknown)
Content Security Policy: Ignoring “https://ro.pinterest.com” within script-src: ‘strict-dynamic’ specified
Comment 3•7 years ago
Which image needs to be clicked on that page? There are several images.
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #3)
> Which image needs to be clicked on that page? There are several images.

The link from Step 1 will redirect you to a single image, once you are logged in.
Comment 6•7 years ago
(In reply to Jim Mathies [:jimm] from comment #5)
> Tracy, can you please try to reproduce.

regression range too if possible!
Comment 7•7 years ago
I am unable to reproduce this on 57 nor on 59 Nightly on Windows 10 (both 64 bit builds).

Alin, are you reproducing in a clean profile? If so, can you find the regression range?
Flags: needinfo?(twalker) → needinfo?(alin.deac)
Keywords: regressionwindow-wanted
Managed to reproduce the issue on Windows 7 & 10 on 57 Release, on clean profiles (even without logging in, as I mentioned above, in comment 4) by clicking on any images (used the first 3 images after accessing https://ro.pinterest.com/pin/647251777668683572/). Attached screen-record. Hope this helps. Thank you.
Flags: needinfo?(alin.deac)
Comment 9•7 years ago
Hey Dean, would you please try to generate some http logging for this?
https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging?redirectlocale=en-US&redirectslug=HTTP_Logging

Also, about:support text please.
Flags: needinfo?(alin.deac)
Comment 10•7 years ago
Hi Jim, here is the link with the information you requested (About:support text and Http activity log) https://drive.google.com/drive/folders/1KVsuiSvw7qSum0zyKMGKTcl1ZGZQ9GLa?usp=sharing
Flags: needinfo?(alin.deac)
Comment 11•7 years ago
Can't reproduce on Win7 using Nightly 59.
Comment 12•7 years ago
Can't reproduce in 57.0.2 on Win7 as well.
Comment 13•7 years ago
Deac, are you running any type of anti-virus software on your device?
Flags: needinfo?(alin.deac)
Comment 14•7 years ago
We are using Kaspersky Endpoint Security 10 Version 10.3.0.6294 as default anti-virus software.
Flags: needinfo?(alin.deac)
Comment 15•7 years ago
(In reply to Deac Alin-Desktop Engineering QA from comment #14)
> We are using Kaspersky Endpoint Security 10 Version 10.3.0.6294 as default
> anti-virus software.

Can you reproduce if you disable the antivirus?
Updated•6 years ago
Flags: needinfo?(alin.deac)
Comment 16•6 years ago
(In reply to Marco Castelluccio [:marco] from comment #15)
> Can you reproduce if you disable the antivirus?

Hi guys, we cannot disable the antivirus on our work stations, but I managed to find one station, without any antivirus installed yet.

Retested the issue on latest Nightly (with no antivirus) Version 57.0.3 Build ID 20171226083017 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 and managed to reproduce the issue as described above (Comment 2 and 10), with same error returned in console.

Hope this helps.
Flags: needinfo?(alin.deac)
Comment 17•6 years ago
Sorry, I meant latest Release 57 (not Nightly).
Updated•6 years ago
Flags: needinfo?(jmathies)
Comment 18•6 years ago
Deac, can you please post about:support text for an affected system? Thanks.

I still can't repro, specifically on this page -
https://ro.pinterest.com/pin/372461831663181316/

This first page is https. Clicking on the field image will open an http site in a background tab. This tab loads properly for me.
Flags: needinfo?(jmathies) → needinfo?(alin.deac)
Priority: -- → P3
Comment 19•6 years ago
Hi Jim, I already shared about:support text in comment 10, but I will post it again as an attachment and also a new screen record made today (reproducing the issue) on latest Release. Hoping that it will help reproducing the problem on your end. Thank you
Flags: needinfo?(alin.deac)
Comment 20•6 years ago
Updated•6 years ago
Whiteboard: sb+
Updated•2 years ago
Severity: normal → S3