Closed Bug 1433687 Opened 6 years ago Closed 6 years ago

"Content-Security-Policy: upgrade-insecure-requests" header on initial page causes redirects error on link open that redirects to HTTP

Categories

(Core :: DOM: Security, defect)

58 Branch
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 1422284
Tracking Status
firefox59 --- wontfix
firefox60 --- fix-optional

People

(Reporter: sir.precious, Unassigned)

References


Details

(Keywords: regression)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3274.0 Safari/537.36

Steps to reproduce:

1. I opened secure page_a on my site that has "Content-Security-Policy: upgrade-insecure-requests" header
2. Clicked https link to page_b -- the request was redirected with status 302 to http version of page_b (since https has not been fully implemented yet for that page)


Actual results:

I got the "The page isn’t redirecting properly" error in Firefox. In the dev toolbar I see that the request is upgraded to secure again and again, so the redirect happens many times and eventually the browser shows the mentioned error.
So what happens here:
1. Link "https://my-site/page_b" is clicked on page with url "https://my-site/page_a" and header "Content-Security-Policy: upgrade-insecure-requests" set
2. Web-server returns 302 redirect to page "http://my-site/page_b"
3. URL "http://my-site/page_b" is upgraded by browser to secure version "https://my-site/page_b"
4. Request to "https://my-site/page_b" is made
5. Steps 2-4 are repeated many times until redirects limit is reached; error is shown.
Expected results:

Insecure version of page_b should be opened.

Some sites cannot switch to https all at once and do a gradual migration, switching pages from http to https one by one. In our case all links on a page have the same scheme as the page itself (so all links on an https page have the https scheme, even if they redirect to an http page when clicked). So the https->http redirect for them should not be upgraded, since it breaks the site and renders the "Content-Security-Policy: upgrade-insecure-requests" header meaningless, although it is intended to ease the process of migration from http to https.
Here is a demo page that I've created to demonstrate the bug: https://precious.alwaysdata.net/cgi-bin/page_a.py

I've also checked this case in browsers Chrome and Safari and it works without issues there.
Has Regression Range: --- → irrelevant
Has STR: --- → yes
Component: Untriaged → DOM: Security
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
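The loop in the steps above can be reproduced offline with a small model of the browser and the site. The following is an added example written for this page; it is not Firefox code and not the reporter's demo page. It assumes a constructed site where each path is served on exactly one scheme and the other scheme answers with a 302 to it, and a browser that passes every request URL, redirect targets included, through the upgrade-insecure-requests (UIR) rewrite. The redirect limit of 20 is an assumed value. The `pages_that_loop` helper is the check a site owner doing a gradual migration would want before turning the header on: it reports which paths still downgrade and would therefore loop.

```python
# Added example: simulated navigation under
# "Content-Security-Policy: upgrade-insecure-requests" (UIR).
# Constructed model of the behaviour described in this bug report;
# not Firefox code and not the reporter's demo page.
from urllib.parse import urlsplit, urlunsplit

MAX_REDIRECTS = 20  # assumed redirect limit; real browsers use their own value


class RedirectLoop(Exception):
    """Raised when the simulated browser exceeds its redirect limit."""


def upgrade(url):
    """UIR step: rewrite http:// to https://, leave everything else alone."""
    p = urlsplit(url)
    if p.scheme == "http":
        return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
    return url


def make_server(site):
    """Model of the reporter's site: `site` maps a path to the only scheme it
    is served on; a request on the other scheme gets a 302 to that scheme.
    (Constructed model of the behaviour described in the report.)"""
    def server(url):
        p = urlsplit(url)
        want = site[p.path]
        if p.scheme != want:
            return 302, urlunsplit((want, p.netloc, p.path, p.query, ""))
        return 200, "%s served over %s" % (p.path, want)
    return server


def navigate(server, url, upgrade_insecure, max_redirects=MAX_REDIRECTS):
    """Follow a navigation the way the report describes Firefox doing it:
    every request URL, including each redirect target, goes through the UIR
    upgrade when the originating page set the header.
    Returns (final_url, hops) where hops lists (requested_url, status)."""
    hops = []
    while True:
        if upgrade_insecure:
            url = upgrade(url)
        status, payload = server(url)
        hops.append((url, status))
        if status != 302:
            return url, hops
        if len(hops) > max_redirects:
            raise RedirectLoop("gave up after %d redirects at %s" % (len(hops), url))
        url = payload  # follow the Location target


def pages_that_loop(site, upgrade_insecure=True):
    """Pre-migration check: which paths would loop when linked from a page
    that sends the UIR header? Returns the sorted list of offending paths."""
    server = make_server(site)
    bad = []
    for path in site:
        try:
            navigate(server, "https://my-site" + path, upgrade_insecure)
        except RedirectLoop:
            bad.append(path)
    return sorted(bad)


if __name__ == "__main__":
    # Constructed site: page_a migrated to https, page_b still http-only.
    site = {"/page_a": "https", "/page_b": "http"}
    server = make_server(site)
    print("without UIR:", navigate(server, "https://my-site/page_b", upgrade_insecure=False))
    try:
        navigate(server, "https://my-site/page_b", upgrade_insecure=True)
    except RedirectLoop as e:
        print("with UIR:", e)
    print("pages that would loop:", pages_that_loop(site))
    # Once page_b is actually served over https, the loop disappears.
    site["/page_b"] = "https"
    print("after migrating page_b:", pages_that_loop(site))
```

Without the header the simulated browser lands on `http://my-site/page_b` after one redirect; with it, the 302 target is upgraded back to https on every hop until the limit trips, which is the "isn't redirecting properly" failure from the report. Serving page_b over https (or not sending the header from pages whose links still downgrade) makes `pages_that_loop` return an empty list.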
The bug is also reproducible in the beta version, Firefox 59.0b4, and the nightly build, Firefox 60.0a1.
Looks like the bug appeared first in Firefox version 57.
https://hg.mozilla.org/integration/mozilla-inbound/json-pushes?changeset=b91870ea1243520ffa057fad90a655f24a398d5d&full=1
Blocks: 1391011
Has Regression Range: irrelevant → yes
Flags: needinfo?(ckerschb)
Keywords: regression
Hey Vsevolod, thanks for reporting. That sounds very much similar to the problem reported within Bug 1422284. In fact, the STRs within comment 4 [1] are identical as far as I can tell. If not please let me know. Otherwise please follow Bug 1422284 for progress. I will have someone look into the problem ASAP.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1422284#c4
Flags: needinfo?(ckerschb)
Hello Christoph. Yes, looks like the summary in comment 4 in Bug 1422284 is applicable to the current issue.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE