Closed Bug 1441084 Opened 6 years ago Closed 6 years ago

HBO Now/ MLB videos broken due to mixed-content blocker

Categories

(Core :: DOM: Security, defect, P1)

60 Branch
defect

Tracking

()

RESOLVED INVALID

People

(Reporter: purajit, Assigned: jkt)

References

Details

(Whiteboard: [domsecurity-active])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180225220119

Steps to reproduce:

1. Try to play video on HBO Now on Nightly 60. Make sure to explicitly allow Flash.
2. Change Flash from "Ask to activate" to "Always activate" and temporarily disable protection.


Actual results:

1. HBO Now gave an error 
"Can't Play Video. 
We're having trouble playing this video. Please check your internet connection or try again later."

2. Nightly gives the message "Nightly has blocked parts of this page that are not secure." Temporarily disabling protection allows the video to play, but the video awkwardly skips forward/backward a little every 30 or so seconds.


Expected results:

1. Video should've played, and smoothly without any skips

From the console, looks like mixed active content was blocked. Firefox has been doing this since v23, and so does Chrome. However, only Nightly has an issue with HBO Now - Firefox 58 doesn't:

Loading failed for the <script> with source “https://assets.adobedtm.com/4615156ad6187de5077eba9aa1f362407b42a1c8/satelliteLib-0f2cb626142b735f0ae88b0eb3b09effb4b0dc61.js”.
urn:hbo:episode:GWmCv4w87q8LDfQEAAAKD:122
ReferenceError: _satellite is not defined[Learn More]
urn:hbo:episode:GWmCv4w87q8LDfQEAAAKD:149:1
Blocked loading mixed active content “http://pdl.misc.lv3.hbogo.com/preroll/v2/hbonow/PRO11/hbonow_10867519_PRO11/base_index_c8.m3u8”[Learn More]
urn:hbo:episode:GWmCv4w87q8LDfQEAAAKD
Blocked loading mixed active content “http://hls3.pro11.lv3.cdn.hbogo.com/videos/PRO11/gov2/e5/hbo/feature/810857/473349_c6290ab9f335ddbe04b99dbbb46c8241/02/hbo_473349_c6290ab9f335ddbe04b99dbbb46c8241_PRO11/base_index_c9_14_access.m3u8”[Learn More]
urn:hbo:episode:GWmCv4w87q8LDfQEAAAKD
Hi Asymptotically,

Could you please go to about:config and set "security.mixed_content.upgrade_display_content" to false and see if the issue is still reproducible?
Flags: needinfo?(purajit)
Yes, it's still reproducible
Flags: needinfo?(purajit)
:( 

Since I don't have a subscription for HBO Now, could you please try to find a regression range using Mozregression tool?
Information on the tool is available at http://mozilla.github.io/mozregression/.
Flags: needinfo?(purajit)
Looks like HBO Now didn't like me signing in so many times and I'm currently unable use my account. I know that 2017-06-01 was a good build for sure and 2018-01-01 was a bad one. Sorry :/
Flags: needinfo?(purajit)
Last good revision: bdb2387396b4a74dfefb7c983733eed3625e906a (2017-06-01)
First bad revision: 3d0acce0b1de3581e0c584dd37be696f4bf1bb52 (2018-01-01)
This issue is beyond just HBO, I get it on MLB as well. It seems that Firefox is incorrectly categorizing passive content as active content. This includes font files, crossdomain xml files, and of course video files.
@Matt, could you please post a link to the affected page/video? I'm having a hard time reproducing this issue.
Flags: needinfo?(mattcoz)
It was a live stream that is no longer active, I'll link tomorrow's stream when it starts. I think it may only affect HLS streams as regular videos seem to work.
Flags: needinfo?(mattcoz)
There was no stream today, I'll post it when they do another one.
More information until I got blocked again:

Last good revision: 07484bfdb96bc7297c404e377eea93f1d8ca4442 (2017-07-25)

In this revision, the video plays, but has the skipping issue:
First bad revision: 45b63125a4301eb89e7a4d70d0da1c650f11c7e4 (2017-09-16)

In this revision, I get the issue mentioned in the main bug description:
First bad revision: 3d0acce0b1de3581e0c584dd37be696f4bf1bb52 (2018-01-01)

I don't think I can keep doing this, I might get completely blocked from the service. Is this helpful enough? I'm afraid that this might go public without being looked at.
Btw, the skipping backwards occurs on the public current version of Firefox. I think it's a pretty serious issue - it could turn people off from using Firefox.
Component: Untriaged → Audio/Video: Playback
Product: Firefox → Core
It looks like we're blocking the m3u8 HLS manifests the player is loading as mixed-active content. This should be fixed as a site evangelism issue by just serving them from a secure origin, but I don't know the spec well enough to say if our behaviour there is correct and it would be nice to not break major sites.

Redirecting to DOM for further characterization. The resource itself is declarative, but it's presumedly being loaded and parsed by script.
Component: Audio/Video: Playback → DOM: Security
This should only be happening in Nightly and early betas based on our pref in Bug 1190623
Blocks: 1190623
(In reply to Purajit from comment #14)
> Btw, the skipping backwards occurs on the public current version of Firefox.
> I think it's a pretty serious issue - it could turn people off from using
> Firefox.

We might be mixing two different issues here, and it's hard to tell because both given examples are pay services we don't have accounts on.

The original "mixed content" issue is an experiment (bug 1190623) using the pref in comment 1 that should only affect Nightly and first few beta builds.

If you're seeing skipping in the "Current Version" of Firefox that would be a completely different video stream issue.


(In reply to Ralph Giles (:rillian) | needinfo me from comment #15)
> It looks like we're blocking the m3u8 HLS manifests the player is loading as
> mixed-active content.

How are those being loaded, using XMLHttpRequest() or fetch()? if so those are correctly blocked by the mixed content blocker and should behave the same in other modern browsers.
bug 1416679 covers the "video playing badly" issue so I unduped it.

THIS bug is about the mixed-content blocker breaking the video completely.

Jonathan: We can't break HBO and MLB videos. Unless we can evangelize them to switch their sites we'll have to stick with the badge of SSL-shame approach.
Assignee: nobody → jkt
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Summary: HBO Now mixed active content, video skips → HBO Now/ MLB videos broken due to mixed-content blocker
Whiteboard: [domsecurity-active]
This should be resolved by flipping the pref back in Bug 1445951.
Yes, I can confirm that flipping that option allows the videos to play
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.