Closed Bug 154084 Opened 22 years ago Closed 22 years ago

entering/leaving secure site alert pops up incessantly

Categories

(Core Graveyard :: Security: UI, defect, P2)

Product:
Core Graveyard
Component:
Security: UI
Version:
1.0 Branch
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: bzbarsky, Assigned: KaiE)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: regression, Whiteboard: [adt1 RTM] [ETA 06/27])

Attachments

(2 files)

HTTP log of steps from comment 0
83.33 KB, text/plain
Details
Patch
908 bytes, patch
javi
: review+
alecf
: superreview+
jud
: approval+
Details | Diff | Splinter Review 
BUILD: anything with the patch for bug 148610 in it

STEPS TO REPRODUCE:
This part is a little tricky:

1)  Turn on notifications for entering/leaving secure sites
2)  Load https://www.rsiaa.org/rsiauth/cgi-bin/home.pl
3)  Log in
4)  Click on the image in the top left corner (link to the same page)

EXPECTED RESULTS:  Page just reloads (possibly from browser cache)

ACTUAL RESULTS:  Popup appears saying you are leaving secure site.  Then popup
                 appears saying you are entering secure site.  Then page
                 reloads.

The same happens when going between any two password-protected pages on this site.

This is a regression caused by the patch for bug 148610 (tested by finding the
regression date, finding the checkins on that day, reverting
nsSecureBrowserUIImpl.{h,cpp} to the state they were in on the evening of the
16th, seeing the bug disappear, applying that patch, seeing the bug reappear).

I suspect that the bug has something to do with the need to send the
Authorization: header, since loading pages on this site that are secure but not
password-protected does not show this problem.

Unfortunately, I cannot allow access to this site, but I am willing to procure
whatever logs and so forth are necessary to investigate this problem....
Oh, this is a problem on both branch and trunk.
Keywords: regression
This log shows that in between the two GET requests for the document there were
in fact no other requests or responses (except for the images and stylesheet of
the doc).  This is just to demonstrate that this is not a misconfigured
redirect or anything like that.
Needless to say, this creates the false impression that the site is sending data
somewhere insecurely when that is in fact not the case....
Keywords: nsbeta1
Keywords: nsbeta1mozilla1.0.1, nsbeta1+
Whiteboard: [adt2 RTM] [ETA Needed]
Boris, I need your assistance to produce more logs.
Can you please run the test again, and run once with
  NSPR_LOG_MODULES="nsSecureBrowserUI:5"

I have been trying to reproduce this problem, but I can't.
I have provided a test case at:
  https://www.kuix.de/misc/test25/a/

Those links involve navigating between pages protected by the same password, and
pages protected by different passwords. I don't ever see an additional security
warning but the first.

I will now have a closer look at the attached http log.
Status: NEW → ASSIGNED
I need more input.

Whatever test page I create, I can not reproduce it. I even updated my test page
to include all the images and the stylesheet that are loaded on the reported page.

I was testing on Linux, as the reporter was. Besides testing my own build, with
and without the checkins from the previous days, I also tested the branch build
from 6/20 from the ftp server. None showed the reported problem.

I only can speculate at the moment. Are the links on that site using JavaScript?
Could it be the same problem that was meanwhile fixed with 145730? Or could it
be the same problem that was meanwhile fixed with 148981/140836?

I'm now able to reproduce the bug with the www.thawte.com website.
Attached patch PatchSplinter Review 
This fixes the problem for me.
The cause of the problem is a behaviour of the document loader that I did not
expect, and that was not seen previously during testing.

The lock icon tracking code extracts the security state at the time it is seeing
"request stop notifications" from the document loader.

The implementation of the lock icon tracking code assumes, the stop for the top
level document request will be received, before the first stop of a sub-document
will be received.

Tests with www.thawte.com show, that this is assumption is not correct. When
clicking on a particular link on that site, that is a link to self, the
following happens:
- the request for loading the toplevel document starts
- the request for loading the stylesheet starts
- the request for loading the stylesheet stops
Rick, is this allowed/expected behaviour?

At the time the loading of the stylesheet stops, the code wants to update to the
new state.

However, the implementation assumes, the new top level state has already been
obtained. This is not true in the above scenario. Instead, the variable, which
indicates the top level state, will have been reset to the "insecure" state.
This reset is done each time loading of a new top level document starts. At the
time the stop for the stylesheet is seen, the insecure state will be used.

The solution is simple. Since the newest work on the lock icon code, it is no
longer necessary to reset the variable each time a new top level document loads.
It is sufficient, to only set this variable, when a new top level state is seen.
The variable can stay at the previously known top level state. Whenever we see a
stop for either the top level or a sub level document, the states will be
combined to make the lock icon decision, and it will get compared to the current
lock icon state.

The attached fix does no longer reset the top level state to insecure each time
a toplevel document starts. This is ok, because there is code in effect, that
will set the top level lock icon state each time loading a top level document stops.

Updated test case.

Make sure you have a personal log in to www.thawte.com

Go to:
  https://www.thawte.com/cgi/personal/contents.exe

Enter your log in data and wait for the page to load.

In the second row from the top, click on "Personal Certs" which is the link to
the same page as being displayed.
URL: https://www.rsiaa.org/rsiauth/cgi-bin...https://www.thawte.com/cgi/personal/c...
Blocks: lockicon
Comment on attachment 89105 [details] [diff] [review]
Patch

r=javi
Attachment #89105 - Flags: review+
Yep.  That fixes the problem on the original site I saw it on to.  Thanks!
Alec or Rick, could you please sr?

Upgrading to [adt1 rtm]
Whiteboard: [adt2 RTM] [ETA Needed] → [adt1 RTM] [ETA Needed]
Comment on attachment 89105 [details] [diff] [review]
Patch

sr=alecf
Attachment #89105 - Flags: superreview+
Checked in to trunk.
Keywords: adt1.0.1
This has been checked into the trunk. Resolving as fixed.

junruh - can you verify this fix on the trunk tomorrow? thanks!
Blocks: 143047
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Whiteboard: [adt1 RTM] [ETA Needed] → [adt1 RTM] [ETA 06/27]
Verified on 6/26 Win2000 trunk. Tested after logging into E-Trade, and also at 
Thawte - https://www.thawte.com/cgi/personal/contents.exe
Status: RESOLVED → VERIFIED
OS: Linux → All
Priority: -- → P2
Hardware: PC → All
Version: unspecified → 2.3
Adding adt1.0.1+ on behalf of the adt for checkin to the 1.0 branch.  Please get
drivers approval before checking in. When you check this into the branch, please
change the mozilla1.0.1+ keyword to fixed1.0.1
Keywords: adt1.0.1adt1.0.1+
Attachment #89105 - Flags: approval+
please checkin to the 1.0.1 branch. once there, remove the "mozilla1.0.1+"
keyword and add the "fixed1.0.1" keyword.
Keywords: mozilla1.0.1mozilla1.0.1+
Checked in to 1_0 branch.
Keywords: adt1.0.1+, mozilla1.0.1+fixed1.0.1
Verified on 6/27 branch.
Keywords: fixed1.0.1verified1.0.1
This recently regressed on the 1.7 and aviary1.0.1 branches. Filed a new bug
283201 just to keep things cleaner.
Product: PSM → Core
Version: psm2.3 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: