Closed Bug 1574605 Opened 6 years ago Closed 6 years ago

Wrong referer header is added to request

Categories

(Firefox :: Untriaged, defect)

68 Branch
defect
Not set
normal

Tracking

RESOLVED INVALID

People

(Reporter: meidi.peng, Unassigned)

Details

Attachments

(1 file)

371.76 KB, application/x-zip-compressed

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36

Steps to reproduce:

This issue only happens in Firefox 68 and Firefox 68.0.2ESR.

Login to our product fails with 404 file not found, because a particular request that fails was sent out with a wrong referer. I have attached screenshots of the particular request and its preceding requests, both in 68ESR and 60.8ESR, and you can notice the difference.

The authentication server we are using has not been changed or updated, and the issue is not seen in older Firefox versions or other browsers.

My apologies that I cannot put too many details in this report. It's a severe customer issue. We have lots of customers using our product with Firefox and they are upgrading to use the newest 68 and 68ESR currently.
We understand there has been a lot of changes from 60ESR to 68ESR. But we are not sure what changes might have caused this issue, so if there is a preference flag we can try to switch on/off, can you please let us know as soon as possible?
If you need more information, please let us know as well, and we can work it out.

Actual results:

The request is sent with referer header "HOST/bi/?legacyLogin=%2fbi%2fv1%2fdisp%3fb_action%3dxts.run%26c_cmd%3d..%252ftm1%252fweb%252ftm1web.html%26server......" and the server replies with a 404 error.

Expected results:

In 60.8 ESR and older versions prior to Firefox 68, this particular request is sent without a referer header. Or in Chrome, the referer header is set to the preceding request, which is an accepted referer (a screenshot of the request in Chrome is also attached).

The picture you show of Chrome also has a referrer that looks at least similar -- it's really hard to tell from a picture of truncated headers vs an actual log. Why are you sure the Referer header is the problem? It could be any number of things.

Does the "Tracking Protection" shield show up in the address bar? If it does try turning that off for the site.

60 to 68 is a huge gap. Narrowing down the regression range would help. Try installing Firefox 64 and see if it has the problem. If it's broken work your way backward towards 60 and see which version actually changed things. If Firefox 64 works then move to later versions and see if it broke earlier than Firefox 68. You can find old versions on our archive server: https://archive.mozilla.org/pub/firefox/releases/64.0/

Since you talk about this happening on a customer's server I'm assuming we can't have access to a test account to debug the problem, nor that you'd capture a networking log so we can see what's actually going on. But either of those things would be helpful in narrowing this down.

This was filed as a security bug but does not appear to be a security problem: it's just broken. If we can make this public a broader group of people could help you out (for example, the folks who investigate site compatibility problems).

Flags: needinfo?(meidi.peng)
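The discussion above turns on what Referer value a browser sends for a given request, which is governed by the page's Referrer-Policy and the browser's default policy. The following is an added example, not part of the bug report or of Firefox's code: it implements the "determine request's referrer" algorithm of the Fetch standard in JavaScript so the header value for any referrer/request/policy combination can be checked offline. Simplifications, stated as assumptions: "potentially trustworthy" is reduced to "scheme is https", and only http(s) referrers are considered (about:, blob: and data: yield no header). The hostnames and URLs in the code are constructed for illustration; the example says nothing about the cause of the regression reported here, which was never identified.

```javascript
// Added example: compute the Referer header a browser would send, following
// the Fetch standard's "determine request's referrer" algorithm (simplified:
// "potentially trustworthy" is reduced to "scheme is https"). Not code from
// the bug report or from Firefox.

// "Strip url for use as a referrer": drop credentials and fragment; non-http(s)
// referrers (about:, blob:, data:, file:) produce no Referer at all.
function stripForReferrer(href) {
  const u = new URL(href);
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Returns the Referer header value, or null when the header must be omitted.
// `policy` is the effective Referrer-Policy of the referring document ("" when
// it sets none); `defaultPolicy` is the browser default applied in that case:
// no-referrer-when-downgrade in Firefox 68-era browsers,
// strict-origin-when-cross-origin in current ones.
function computeReferer(referrerHref, requestHref, policy = "",
                        defaultPolicy = "no-referrer-when-downgrade") {
  const full = stripForReferrer(referrerHref);
  if (full === null) return null;
  const ref = new URL(full);
  const req = new URL(requestHref);
  const originOnly = ref.origin + "/";           // origin serialised with trailing "/"
  const sameOrigin = ref.origin === req.origin;
  const downgrade = ref.protocol === "https:" && req.protocol !== "https:";
  const effective = policy === "" ? defaultPolicy : policy;

  let result;
  switch (effective) {
    case "no-referrer":                result = null; break;
    case "origin":                     result = originOnly; break;
    case "unsafe-url":                 result = full; break;
    case "strict-origin":              result = downgrade ? null : originOnly; break;
    case "no-referrer-when-downgrade": result = downgrade ? null : full; break;
    case "same-origin":                result = sameOrigin ? full : null; break;
    case "origin-when-cross-origin":   result = sameOrigin ? full : originOnly; break;
    case "strict-origin-when-cross-origin":
      result = sameOrigin ? full : (downgrade ? null : originOnly); break;
    default:
      throw new Error("unknown referrer policy: " + effective);
  }
  // Fetch caps the serialised referrer at 4096 bytes and falls back to the
  // origin; a serialised URL is ASCII, so string length equals byte length.
  if (result !== null && result.length > 4096) result = originOnly;
  return result;
}

// Constructed scenario (hypothetical hostnames): a login page with a long
// legacyLogin query string requesting a same-origin resource, under each policy.
function demo() {
  const referrer = "https://app.example/bi/?legacyLogin=%2Fbi%2Fv1%2Fdisp";
  const request = "https://app.example/tm1/web/tm1web.html";
  const policies = ["", "no-referrer", "same-origin", "origin",
                    "strict-origin-when-cross-origin", "unsafe-url"];
  const table = {};
  for (const p of policies) table[p || "(default)"] = computeReferer(referrer, request, p);
  return table;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Reading the table from `demo()` side by side with a real capture is the quick way to tell whether a "wrong" or missing Referer is explained by policy alone (a `Referrer-Policy` header, a `<meta name="referrer">` tag, or a changed browser default) before suspecting anything else in the browser.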

Hi there,

thank you for your quick response. This issue appears in version 67 as well, but is not reproducible in 66. Since there isn't any additional info we can provide, and since, after further discussion, there are probably other ways to work this out, I think it can be closed for now.

Regards

Flags: needinfo?(meidi.peng)
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
Group: firefox-core-security