Open
Bug 1424397
Opened 8 years ago
Updated 3 years ago
Signing into FxA in a webextension results in "your connection is not secure"
Categories
(WebExtensions :: General, defect, P3)
Tracking
(firefox59 affected)
REOPENED
| Tracking | Status | |
|---|---|---|
| firefox59 | --- | affected |
People
(Reporter: ssage, Unassigned)
Details
(Whiteboard: [identity])
Attachments
(2 files, 1 obsolete file)
In running a local instance of Lockbox, an embedded webextension, I cannot complete the Firefox Account sign-in flow. I am typing in a valid username and password. But I get back the "your connection is not secure" instead of the window closing and completing the authentication, as expected.
It's important to note that the extension is using browser.identity.launchWebAuthFlow().
Please let me know what additional details are needed to help locate this finding and resolve it.
Comment 1•8 years ago
Can you point us to the source of Lockbox please? I was going to suggest it was bug 1416872, but that landed a few weeks ago.
Whiteboard: [identity]
Comment 2•8 years ago
The source file interacting with browser.identity is: https://github.com/mozilla-lockbox/lockbox-extension/blob/e13509bf3b8b2d29c82e85cae272e321a5ce45ff/src/webextension/background/accounts/index.js
The line where we call launchWAF is: https://github.com/mozilla-lockbox/lockbox-extension/blob/e13509bf3b8b2d29c82e85cae272e321a5ce45ff/src/webextension/background/accounts/index.js#L128
Comment 3•8 years ago
As far as I can tell, observing Sandy, the promise from launchWebAuthFlow() is never fulfilled.
The redirect URL we send matches browser.identity.getRedirectURL(), and matches what is registered with FxA production.
Comment 4•8 years ago
Using lockbox from the trunk of github I can't reproduce this on OS X yet on nightly or dev edition. Am I missing a step?
Comment 5•8 years ago
(In reply to Andy McKay [:andym] from comment #4)
> Using lockbox from the trunk of github I can't reproduce this on OS X yet on
> nightly or dev edition. Am I missing a step?
Most of us can't reproduce it either )-: Those that can reproduce it, it happens every single time.
We are starting to see it more regularly from tox-based integration tests on a specific branch (https://github.com/mozilla-lockbox/lockbox-extension/tree/331-photon-updates-2nd-pass), but I'm not yet sure how consistent that is.
Updated•8 years ago
Priority: -- → P3
Comment 6•8 years ago
Has there been any further or more consistent reproduction of this problem?
Flags: needinfo?(ssage)
Comment 7•8 years ago
After updating Nightly, I'm no longer able to replicate this issue.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(ssage)
Resolution: --- → INVALID
Comment 8•8 years ago
I just reproduced this on latest nightly, attaching a screenshot with the "advanced" section expanded. The error text is:
2aa95473a5115d5f3deb36bb6875cf76f05e4c4d.extensions.allizom.org uses an invalid security certificate.
The certificate is only valid for the following names:
*.allizom.org, allizom.org
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Updated•8 years ago
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Comment 9•8 years ago
And I mean, the error isn't wrong - *.allizom.org is indeed not a valid certificate for blah.extensions.allizom.org because the wildcard can only match a single dotted component. So I assume that what happened here is that we somehow failed to intercept the redirect to 2aa95473a5115d5f3deb36bb6875cf76f05e4c4d.extensions.allizom.org, loaded it as web content, and that legitimately errored out.
Interestingly, this profile now seems to be stuck in a bad state. If I restart and try to sign in to lockbox again, it will:
* Open the OAuth popup as expected
* Allow me to enter my password as expected and submit it
* The popup disappears as expected
* But lockbox remains "locked", indicating the login didn't complete
If I click on the lockbox toolbar button again, it shows me the "signin" button. But clicking the button does nothing, possibly because it thinks there's an OAuth login flow already in-flight.
One final note: I was doing some testing which involved me signing in to Lockbox (successfully IIRC) on Nightly, then I opened the profile on Release and tried to login again, then I tried again on Nightly and got this error.
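The wildcard rule from comment 9 is the whole reason the error page is legitimate, so here is a small added example (not code from the bug or from the Lockbox project) that applies the RFC 6125 single-label wildcard rule to the certificate names quoted in comment 8 and shows why the extension's host falls outside them:

```javascript
// Added example, not from the bug or Lockbox: hostname-vs-certificate name
// matching where a leading "*." covers exactly one DNS label (RFC 6125 6.4.3).
// A cert for "*.allizom.org" therefore covers "extensions.allizom.org" but not
// a host one label deeper, which is what SSL_ERROR_BAD_CERT_DOMAIN reports.

// DNS names as quoted from the error page in comment 8.
const CERT_DNS_NAMES = ["*.allizom.org", "allizom.org"];

// Host the OAuth redirect was loaded as (from comment 8).
const BUG_HOST =
  "2aa95473a5115d5f3deb36bb6875cf76f05e4c4d.extensions.allizom.org";

// True if `hostname` is covered by the certificate name `pattern`.
function dnsNameMatches(pattern, hostname) {
  const p = pattern.toLowerCase().replace(/\.$/, "");
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (!p.startsWith("*.")) {
    return p === h; // no wildcard: exact, case-insensitive match
  }
  const suffix = p.slice(2);
  // Policy choice (Firefox does the same): refuse wildcards like "*.org"
  // that would cover an entire public suffix.
  if (!suffix.includes(".")) return false;
  const firstDot = h.indexOf(".");
  if (firstDot <= 0) return false; // need a non-empty label before the suffix
  // The wildcard stands in for exactly the first label; everything after the
  // first dot must equal the suffix, so extra labels never match.
  return h.slice(firstDot + 1) === suffix;
}

// Names in the certificate that cover `hostname` (empty => bad cert domain).
function matchingNames(hostname, names = CERT_DNS_NAMES) {
  return names.filter((n) => dnsNameMatches(n, hostname));
}

function certCoversHost(hostname, names = CERT_DNS_NAMES) {
  return matchingNames(hostname, names).length > 0;
}

console.log("allizom.org:", certCoversHost("allizom.org"));                     // true
console.log("extensions.allizom.org:", certCoversHost("extensions.allizom.org")); // true
console.log(BUG_HOST + ":", certCoversHost(BUG_HOST));                           // false
```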
Comment 10•8 years ago
The behaviour seems to persist after taking a clean copy of the profile, so I'm attaching a tarball here in case it helps debugging.
Comment 11•8 years ago
And here's the exciting Browser Console output from startup through to attempting to signin to Lockbox:
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”). Source: call to eval() or related function blocked by CSP. background.js:258
Intl.PluralRules already exists, and has NOT been replaced by this polyfill index.js:25
To force, set a global ClobberIntlPluralRules = true
Invalid extra key for event ["lockboxv1", "click", "unlockSignin"]. (unknown)
[Exception... "Component returned failure code: 0xc1f30001 (NS_ERROR_NOT_INITIALIZED) [nsIMessageSender.sendAsyncMessage]"
nsresult: "0xc1f30001 (NS_ERROR_NOT_INITIALIZED)" location: "JS frame :: resource://gre/modules/ExtensionUtils.jsm ::
sendAsyncMessage :: line 542" data: no] (unknown)
sendAsyncMessage resource://gre/modules/ExtensionUtils.jsm:542:51
_handleMessage/deferred.promise< resource://gre/modules/MessageChannel.jsm:983:9
<FxA ASCII-art easteregg here>
Key event not available on some keyboard layouts: key=“i” modifiers=“accel,alt,shift” id=“key_browserToolbox” browser.xul
Invalid extra key for event ["lockboxv1", "fxaFailed", "accounts"].
TelemetryStopwatch: key "TELEMETRY_PENDING_LOAD_MS" was already initialized TelemetryStopwatch.jsm:352
TelemetryStopwatch: requesting elapsed time for nonexisting stopwatch. Histogram: "TELEMETRY_PENDING_LOAD_MS", key: "null" TelemetryStopwatch.jsm:373
Clamped larged numeric value. (unknown)
Clamped larged numeric value. (unknown)
Clamped larged numeric value. (unknown)
Then trying to log in again, which doesn't even launch the FxA popup window:
Clamped larged numeric value. (unknown)
Invalid extra key for event ["lockboxv1", "click", "unlockSignin"]. (unknown)
Invalid extra key for event ["lockboxv1", "fxaFailed", "accounts"]. (unknown)
Error: The operation failed for an operation-specific reason undefined
An error occurred executing the cmd_copy command: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIController.doCommand]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: chrome://global/content/globalOverlay.js :: goDoCommand :: line 84" data: no] globalOverlay.js:86
Clamped larged numeric value. (unknown)
Comment 12•8 years ago
Removing and re-installing the lockbox webextension appears to have unstuck it; not sure if I got a new version but this profile was created pretty recently.
Comment 13•8 years ago
Hrm, it appears that my secondary issue here (with Lockbox silently getting stuck after the login) may be a separate issue, rather than a symptom of the certificate error I was seeing:
https://github.com/mozilla-lockbox/lockbox-extension/issues/577
Sorry for the noise; I'm going to hide the attached profile because I think it only demonstrates the above unrelated issue, not the issue in this bug.
Updated•8 years ago
Attachment #8954248 -
Attachment is obsolete: true
Updated•7 years ago
Product: Toolkit → WebExtensions
Updated•3 years ago
Severity: normal → S3