Captive portal error page buttons do not work in ESR 68 + advanced panel looks broken
Categories
(Firefox :: Security, defect, P1)
Tracking
()
People
(Reporter: jwcard, Assigned: prathiksha)
References
Details
Attachments
(4 files)
Output of console window
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Steps to reproduce:
I work in an environment where we have appliances that have certificates that were generated with my own CA. The cert roots were added to the Firefox and I tried setting the about:config security.enterprise_roots.enabled to true with the certificates added to the Windows trust store. I expected to be able to go to the IP address of the site (SAN does not have a IP:IPAddress setting, only a DNS:host entry after accepting the certificate exception.
Actual results:
Firefox 69.0.2 doesn't let me proceed after trying to accept the exception. I am attaching a zip file with the log and a mp4 video of what happens.
Expected results:
This did work previously to 69.0.0. I should be able to open the WEB page for the appliance given the IP address and accepting the exception.
I'm experiencing this issue with 69.0.1. I get a captive portal notification bar at the top of each of my tabs. Clicking on it just takes me to a page that says "success" but does nothing else. A moment later the tab will have the bar again. This did not happen prior to 69.0.1
|
||
Comment 2•5 years ago
|
||
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
|
||
Comment 3•5 years ago
|
||
Thanks for the report.
Could you also check in the Browser Console after clicking the button if any errors appear?
Tools > Web Developer > Browser Console
|
||
Updated•5 years ago
|
(In reply to Valentin Gosu [:valentin] (he/him) from comment #3)
Thanks for the report.
Could you also check in the Browser Console after clicking the button if any errors appear?
Tools > Web Developer > Browser Console
Hello,
I do not see any errors in the browser console after clicking the "Login" button, and getting redirected to the "Success" page.
Thank you
However, just prior to the bar showing up I did see this show up in the browser console:
NS_ERROR_FAILURE: Component returned failure code 0x80004005 (NS_ERROR_FAILURE) [nsIInterfaceRequestor.getInterface] > network-response-listener.js:86
I do not know if this is related or not though.
In my case, when I click on the "Accept the Risk and Continue" button I also don't see any errors in the console window.
|
|
||
Comment 8•5 years ago
|
||
OK, I think this actually belongs to PSM after seeing the attached video. We are getting stuck on proceeding to the next after pressing "Accept the Risk and Continue" button on the exception error page.
|
|
||
Comment 9•5 years ago
|
||
Can you attach a packet trace? (use e.g. wireshark) Thanks!
|
||
Comment 11•5 years ago
|
||
Thanks all for your work on this. I'm also on 69.0.1 and experiencing this issue. I'm also in a large corporate environment that uses zscalar on our traffic. I suppose its possible I'm in the same corp as jwcard.
|
|
||
Comment 12•5 years ago
|
||
Thanks! This actually just looks like a problem with the error page (normally those buttons aren't even supposed to work in sub-frames due to click-jacking concerns, so I'm not sure how we're expecting the captive portal page to work, honestly...)
|
||
Comment 13•5 years ago
|
||
Nihanth, do you have time to briefly help triage this? :)
Thanks!
|
||
Comment 14•5 years ago
|
||
I'm having the same issue since 69.0.1 and I'm also in a large corp that uses ZScaler. 69.0.0 worked fine for me. Anything I can provide?
|
||
Comment 15•5 years ago
|
||
I think this is a high impact bug for a very small number of users, so marking it P3. I doubt we can get this into 71 this week but we should look at this for 72 and uplift if the fix is not very risky.
|
||
Comment 17•5 years ago
|
||
I'm a user in a large company as well and we have the same issues in our environment. We also use Zscaler but usually don't see anything from it due to SSO (which works in 99% of cases) and local Zscaler Security system tray tool which enforces PAC file and detects if we're in company network or outside it. When this system tray tool is running the proxy settings in FF are greyed out.
|
|
||
Comment 18•5 years ago
|
||
What I forgot so say, http://detectportal.firefox.com/success.txt gives back "success".
|
||
Comment 19•5 years ago
|
||
The issue was fixed for me in either 69.0.1 or 70, but came back once I upgraded to 71. I'm using a Mac with macOs Mojave 10.14.6 and my organization uses Zscaler.
|
||
Comment 21•5 years ago
|
||
I'm also in a large corporation running ZScalar and multiple Mac-based colleagues and I are experiencing this issue. I'm running MacOS 10.14.6 and Firefox 71.0. This issue started many months ago after I updated my browser. In most cases this is just a nuisance message.. However, when I access some IP-based URLs this problem appears to completely restrict me from accessing the webpage, forcing me to open and utilize an alternate browser (which works). When I attempt to access these IP-based URLs, I'm merely seeing a page that says in the body:
Log in to network
You must log in to this network before you can access the Internet.
[ Open Network Login Page] [ Advanced ]
Clicking 'Open Network Login Page' button results in the 'success' URL mentioned above.
I'm hearing from some people in my company that they are giving up on using Firefox until this is fixed. P2 seems appropriate to me, as it seems to be causing complete breakage in some cases resulting in users no longer using Firefox as a browser. This is a serious problem and has been lingering for many months now.
|
|
||
Comment 22•5 years ago
|
||
Nihanth, do you think you can look into this for 74 (maybe with 73 uplift chance)?
|
|
||
Comment 23•5 years ago
|
||
I'm including this as part of a larger roadmap to improve the captive portal experience. I can't work on this before March.
|
Assignee | |
Updated•5 years ago
|
|
||
Comment 24•5 years ago
|
||
(In reply to jwcard from comment #6)
In my case, when I click on the "Accept the Risk and Continue" button I also don't see any errors in the console window.
Some issues addressed in this bug will be fixed by bug 1613477, such as this one.
|
|
Assignee | |
Comment 25•5 years ago
|
||
I think there are two different issues here. The first issue is the same as Bug 1613477 but we cannot directly uplift the patch from that bug to ESR 68 because changes were introduced to error page code after Fx 68 (see Bug 1544564). I'm currently working on a patch to fix the buttons in Cap Portal UI in ESR 68.
The second issue (see Comment 1 and Comment 21) seems to be a problem with the captive portal detection. Still unsure if it is a UI issue or a network issue. We may need steps to reproduce it to better understand it.
|
|
||
Comment 26•5 years ago
|
||
(In reply to :prathiksha from comment #25)
I think there are two different issues here. The first issue is the same as Bug 1613477 but we cannot directly uplift the patch from that bug to ESR 68 because changes were introduced to error page code after Fx 68 (see Bug 1544564). I'm currently working on a patch to fix the buttons in Cap Portal UI in ESR 68.
The second issue (see Comment 1 and Comment 21) seems to be a problem with the captive portal detection. Still unsure if it is a UI issue or a network issue. We may need steps to reproduce it to better understand it.
Prathiksha, thanks for your investigation.
We should either file a new bug for the captive portal detection issue (and make this one as a duplicate to bug 1613477) or rename the title of this bug to clarify the issue we're dealing with.
|
|
Assignee | |
Comment 27•5 years ago
|
||
[Tracking Requested - why for this release]: A couple of buttons on the captive portal page (e.g. the "Accept risk and continue" button) and advanced panel strings are currently broken in ESR 68. Users could be prevented from using the browser because of this (see bug description).
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 28•5 years ago
|
||
|
|
Assignee | |
Comment 29•5 years ago
|
||
[Tracking Requested - why for this release]: This patch fixes the working of buttons like the "Accept risk and continue" button and the "Go Back" button that are in the advanced panel of the captive portal error page. This now makes it possible for users to continue browsing on Firefox by adding cert exceptions, for example, with self-signed certs (see bug description for an example). Also, we add missing strings to the advanced panel to provide more technical info about the cert errors encountered by our users.
Release Note Request (optional, but appreciated)
[Why is this notable]: Users are no longer blocked from using Firefox to connect to their network and start browsing.
[Affects Firefox for Android]: No
[Suggested wording]:
[Links (documentation, blog post, etc)]:
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 30•5 years ago
|
||
Comment on attachment 9127132 [details]
Bug 1586126 - Add relevant info to the advanced section of the captive portal page and make buttons work in esr 68. r?johannh
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: This patch fixes the working of buttons like the "Accept risk and continue" button and the "Go Back" button that are in the advanced panel of the captive portal error page. This now makes it possible for users to login to a captive network and continue browsing on Firefox by adding cert exceptions, for example, with self-signed certs (see bug description for an example). Also, we display missing strings in the advanced panel to provide more technical info about the cert errors encountered by our users.
- User impact if declined: If declined, a user may not be able to login to a captive network and use Firefox esr68 at all in some cases.
- Fix Landed on Version: 75
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): Relatively low risk because the patch is covered by tests
- String or UUID changes made by this patch: None
|
|
Assignee | |
Comment 31•5 years ago
|
||
|
||
Comment 32•5 years ago
|
||
Putting this on the radar for 68.7 which ships at the same time as 75.
|
|
||
Updated•5 years ago
|
|
|
||
Comment 33•5 years ago
|
||
Comment on attachment 9127132 [details]
Bug 1586126 - Add relevant info to the advanced section of the captive portal page and make buttons work in esr 68. r?johannh
fix captive portal error pages, approved for 68.7esr
|
||
Comment 34•5 years ago
|
||
| bugherder uplift | ||
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
||
Comment 35•5 years ago
|
||
Given the current state of the world, I don't think QA has access to any Captive Portal at the moment to verify this issue as fixed.
jwcard, if you still have aceess to a Captive Portal, could you please lend a helping hand into verifying that this issue is fixed in esr-68?
(the esr68 build containing the fix can be downloaded from here
|
Reporter | |
Comment 36•5 years ago
|
||
Unfortunately, with the current Coronavirus situation I am not in the office and the behavior on the company's VPN is not the same. I will see if I can figure out a way to test it but right now its not possible for me.
|
|
Reporter | |
Comment 37•5 years ago
|
||
Ok, so I was able to get into the office and while I am here I tried out 75.0 and the issue seems to have been resolved.
I connected to my device that has a cert installed using the IP address. I received the warning, as expected, and this time I was able to accept the exception and the UI came up as expected.
Description
•