1556827 - Unexpected error when attempting to follow login link on ppocu.org

Status: VERIFIED FIXED

(Core :: DOM: Security, defect, P3)

Description

[cclouse]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 OPR/60.0.3255.109

Steps to reproduce:

Go to PPOCU.ORG
Click the first Home banking button

Actual results:

The Application has encountered an unexpected error.

If this error persists please contact Customer Support.
Error Information:
ErrorCode: 404
URI: /Centryx/servlet/com.sos.webteller.WebTellLogin
Cause: null

Tue Jun 04 14:39:45 EDT 2019

Expected results:

A login page should have shown up

Comment 1

[Alin Ilea, Desktop Test Engineering]

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0

Hi,

I have managed to reproduce this issue on latest FF release (67.0.2) and latest Nightly build 69.0a1 (2019-06-11) using Windows 10, Ubuntu 18 and Mac OS 10.12
I will move this over to a component so developers can take a look over it. If is not the correct component please feel free to change it to an appropriate one.

Note that if the user opens "Home banking login" in a new tab (right click on "Home banking login" hyperlink, copy link location and paste it in a new tab) the user is redirected to the Login page as expected. With "Open link in new tab" by right click on Home banking login also does not work, just with copy-paste link it works.

Thank you for the report.

Comment 2

[Alice Wyman]

This is not a support.mozilla.org bug. It appears to be a Product: Web Compatibility bug since it involves an issue with a specific site or sites. The bug summary indicates "websites" but you only mentioned the PPOCU.ORG website.

For the record, I do see the issue in Firefox 67.0.2 (Windows 7 64-bit) when I visit http://ppocu.org/ and click on the Home Banking login link, which is https://www.secure-ppocu.org/ ; however, the problem does not occur in Firefox 66.0.5 or in Firefox 60.7.0esr (32-bit versions on 64-bit Windows 7). The site also works correctly in the current versions of Google Chrome and SeaMonkey. In those cases, https://www.secure-ppocu.org/ redirects to the login page, https://www.secure-ppocu.org/Centryx/servlet/com.sos.webteller.accountaccess.LoginFrame?SOSSessionID= <snip>

Comment 3

[cclouse]

The fact that you are saying that this is basically not your problem is unacceptable. I have contacted the IT department of the company who handles the online banking for us and there is nothing wrong with their website which I believe because this problem does not occur on any other browsers such as Microsoft edge, Internet explorer, and Opera as well as the other two you mentioned. If this was not an issue on earlier versions of Firefox, that tells me there is an issue with your software update which most of our members who use this browser have gone through at this point. I have given our members the instructions on how to get to our online banking without clicking on the button that redirects them. These instructions were originally given to me by the IT department of the company who handles the online banking. I am not sure what other websites our members were having issues with because it has been over a week since I originally reported this problem and this specific redirection of the website is what was most important, but I highly doubt that this is the only website on which this is happening. This is not a product issue. I believe this is a software capability issue and I am just trying to report it so it can be fixed in the future.

Comment 4

[Alice Wyman]

(In reply to cclouse from comment #3)

The fact that you are saying that this is basically not your problem is unacceptable.

No one said that this was not a Firefox problem. This bug as been confirmed in Firefox 67 and above. I'm not involved in Web Compatibility issues so I'll stop following this bug but it remains open.

Comment 5

[cclouse]

I apologize. That is the way it seemed when you said, "This is not a support.mozilla.org bug." Please direct me to the appropriate person if you could.

Thank you.

Comment 6

[Mike Taylor [:miketaylr]]

Hi cclouse. Did this issue appear in a specific version of Firefox (67?), or is the timing unrelated? Thanks.

Comment 7

[cclouse]

I'm not sure if you're able to see any of the previous comments, but Alyce Wyman said the following:

"For the record, I do see the issue in Firefox 67.0.2 (Windows 7 64-bit) when I visit http://ppocu.org/ and click on the Home Banking login link, which is https://www.secure-ppocu.org/ ; however, the problem does not occur in Firefox 66.0.5 or in Firefox 60.7.0esr (32-bit versions on 64-bit Windows 7). The site also works correctly in the current versions of Google Chrome and SeaMonkey. In those cases, https://www.secure-ppocu.org/ redirects to the login page, https://www.secure-ppocu.org/Centryx/servlet/com.sos.webteller.accountaccess.LoginFrame?SOSSessionID= <snip>"

This is the first time my members have made a complaint about this issue so I am assuming it is just with the newest version, but I can't be 100% sure without testing out other versions.

Comment 8

[Mike Taylor [:miketaylr]]

Thanks, I had missed that comment.

Comment 9

[Mike Taylor [:miketaylr]]

STR:

1. visit http://ppocu.org
2. click on Home Banking Login (top left)

Expected: it works
Actual: unexpected error page.

Note: the button links to https://www.secure-ppocu.org/, and if you visit that directly it works as expected.

Comment 10

[Mike Taylor [:miketaylr]]

Thomas, it looks like 1517703 broke being able to follow the link to log in. Can you take a look?

17:22.81 INFO: Last good revision: 2d0505c5268166d02124627e1d60b06fd9877965
17:22.81 INFO: First bad revision: 64c8b805491a53f1f5e59f600a423492e1a14fbb
17:22.81 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2d0505c5268166d02124627e1d60b06fd9877965&tochange=64c8b805491a53f1f5e59f600a423492e1a14fbb

Comment 11

[Liz Henry (:lizzard) (relman/hg->git project)]

Time is pretty tight to get a fix into 68, but we could still take a patch for 69.

Comment 12

[Thomas Nguyen (:tnguyen)]

Attachment: Bug 1556827 - Dont send referrer in case of meta refresh redirect

Comment 13

[Olli Pettay [:smaug][bugs@pettay.fi]]

NI for a ph comment.

Comment 14

[Thomas Nguyen (:tnguyen)]

Thanks smaug for looking at this bug. I updated a ph request.

Comment 15

[Pulsebot]

Pushed by tnguyen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ca50879f67b3
Dont send referrer in case of meta refresh redirect r=smaug

Comment 16

[Oana Pop-Rus]

https://hg.mozilla.org/mozilla-central/rev/ca50879f67b3

Comment 17

[Ryan VanderMeulen [:RyanVM]]

Seems a bit much to take in a 68 dot release, but is this something we should consider fixing in ESR68 before we start seeing a lot of migration over to it from ESR60?

Comment 18

[Thomas Nguyen (:tnguyen)]

Attachment: 0001-Bug-1556827-Dont-send-referrer-in-case-of-meta-refre.patch

Wrong file

Comment 19

[Thomas Nguyen (:tnguyen)]

Attachment: 0001-Bug-1556827-Dont-send-referrer-in-case-of-meta-refre.patch

ESR Uplift Approval Request

• If this is not a sec:{high,crit} bug, please state case for ESR consideration: The patch changes the behavior of sending referrer in meta refresh case
• User impact if declined: Some picky servers will reject http request that includes the wrong referrer in meta refresh (for example ppocu.org)
• Fix Landed on Version: 69
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): This is the regression of commit https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2d0505c5268166d02124627e1d60b06fd9877965&tochange=64c8b805491a53f1f5e59f600a423492e1a14fbb
  Our old behavior is not sending referrer in meta refresh. The patch reverts to old behavior
• String or UUID changes made by this patch: No

Comment 20

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9078606 [details] [diff] [review]
0001-Bug-1556827-Dont-send-referrer-in-case-of-meta-refre.patch

Fixes a regression causing the inability to log in to some sites. Approved for 68.1esr. We should probably try to get some verification of this fix also.

Comment 21

[Mike Taylor [:miketaylr]]

We should probably try to get some verification of this fix also.

The STR from Comment #9 no longer reproduce in Nightly, i.e., this patch fixed the bug as reported.

Comment 22

[Alin Ilea, Desktop Test Engineering]

Verified - fixed on latest Beta 69.0b5, tested on Windows 10, Mac OS 10.13 and Ubuntu 18.04.

Comment 23

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/releases/mozilla-esr68/rev/962a469c7f36

Comment 24

[Alin Ilea, Desktop Test Engineering]

Verified - fixed on latest 68.1.0esr, tested on Windows 10, Mac OS 10.13 and Ubuntu 18.04.