Closed Bug 1598362 Opened 5 years ago Closed 4 years ago

Air Mozilla live event stream ends with "Blocked by X-Frame-Options-Policy" error

Categories

(Core :: DOM: Security, defect, P1)

Desktop
macOS
defect

RESOLVED INVALID

People

(Reporter: akochendorfer, Assigned: ckerschb)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [domsecurity-active])

Attachments

(1 file)

When AirMozilla live events end, the page is set to send the viewer to a designated address. We have been using mozilla.org as the address for years without issue. Recently (this week on Nov. 19, 2019), in Nightly ONLY, the attached error screen comes up. This seems to be in macOS Nightly only, though I cannot test it on Windows (my Windows machine is still in shipping hell from the UK). This does not seem to occur in Firefox Release (ver. 70). Thank you for looking into this!

Component: Tabbed Browser → DOM: Security
Product: Firefox → Core
Version: other → unspecified

Most likely this one will be fixed by Bug 1593832. Assigning to myself to make sure it gets fixed.

Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: -- → P1
See Also: → 1593832
Whiteboard: [domsecurity-active]

Andy, can you help me verify that the problem was fixed by Bug 1593832?

Once verified we can still not close that bug, because Bug 1593832 introduced different code paths for fission and regular mode. So the bug remains valid for fission.

Regressed by: 1584993
Summary: Nightly - Blocked by X-Frame-Options-Policy → Blocked by X-Frame-Options-Policy when fission enabled

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #2)

> Andy, can you help me verify that the problem was fixed by Bug 1593832?

Flags: needinfo?(akochendorfer)

Christoph - Tantek (original bug reporter) monitored this in Nightly during the live Weekly Project Meeting and it seems to still be an issue:
"I see the onlineexperiences URL at the top and AirMozilla logo / bar with "TÇ" (presumably me signed in) in top right
however in the frame below it says:
Blocked by X-Frame-Options Policy
An error occurred during a connection to www.mozilla.org. Nightly prevented this page from loading in this context because the page has an X-Frame-Options policy that disallows it.
pretty sure that's identical to previous failure
just double-checked and "Nightly is up to date", 72.0a1 (2019-12-02)"

Flags: needinfo?(akochendorfer)

Tracking for Fission dogfooding (M5)

Fission Milestone: --- → M5

Moving P1 M5 bugs to M5a milestone

Fission Milestone: M5 → M5a

Tantek, did you report this bug originally? Have you seen this "Blocked by X-Frame-Options-Policy" error lately when watching Air Mozilla streams with Fission enabled?

Flags: needinfo?(tantek)

ckerschb says we can defer this bug to Fission Nightly (M6).

Fission Milestone: M5a → M6

I just reproduced that after today's Internal Meeting on Nightly.

Flags: needinfo?(tantek)

This happened to me a couple of days ago and again today (with Nightly, macOS), so I had a look at the console:

Load denied by X-Frame-Options: “DENY” from “https://www.mozilla.org/en-US/”, site does not permit any framing. Attempted to load into “https://onlinexperiences.com/scripts/Server.nxp?LASCmd=AI:1;F:US!100&DisplayItem=E359655&RandomValue=1585073030718”.

https://www.mozilla.org/en-US/ returns the header x-frame-options: DENY. So trying to load that in an iFrame on onlinexperiences.com should result in this error, right?

I hit this as well in latest Linux Nightly on today's meeting, and as far as I know I don't have Fission enabled. (about:support doesn't mention fission, and my about:config fission options are all at their default values, including fission.autostart = false.)

So this specific AirMo issue might not be fission-dependent (or not anymore, at least)?

Yeah, I hit this in Chrome as well when viewing the replay of today's internal meeting, and I verified that the main "pane" on AirMo is hosted in an iframe, and the redirect is just redirecting that iframe (the lower part of the viewport, separate from AirMo's header-bar with its top-left hamburger menu and top-right search icon). And that's why this runs afoul of the X-Frame-Options preferences of mozilla.org, the redirect-target in this case.

It's possible that there are some specific STR that trigger an issue that is specific to Firefox-nightly-with-fission (maybe for a scenario where the whole tab is redirected and mistakenly runs afoul of this, rather than just an iframe being redirected? It looks like that in the comment 0 screenshot, I think).

But the issues that we're seeing here in comment 9 - 11 (for today's meeting at least) are unrelated to fission (and aren't Firefox-specific); they're simply a combination of the fact that: (1) AirMo is doing its video-end redirect inside an iframe, and (2) it's redirecting to a page that refuses to be framed via X-Frame-Options.

Andy and I discussed this in Slack a bit and I believe he's going to disable the redirect AirMo feature for now, so this will probably end up being fixed via that AirMo change. If there are still changes we want to make on the fission side, though, it might be good to come up with an alternate testcase or alternate non-AirMo-dependent STR, in order to keep track of whatever (if anything) is still broken & needing fixing on the Firefox-with-fission side here.
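As an added illustration of the framing check discussed in the comments above (not code from Firefox, Air Mozilla, or any commenter): the function below models how a browser evaluates `X-Frame-Options` for a navigation, following the algorithm in the HTML Standard. The function and parameter names are hypothetical, the sample inputs are constructed from the console message quoted in this bug, and the response is assumed to carry no CSP `frame-ancestors` directive, which would take precedence over `X-Frame-Options`.

```javascript
// Added example: models the browser's X-Frame-Options check for a navigation.
// Function and parameter names are hypothetical; sample inputs are constructed.
const XFO_KEYWORDS = ['deny', 'sameorigin', 'allowall'];

// xfoValues: array of raw X-Frame-Options header values from the response.
// targetUrl: URL being loaded. ancestorOrigins: origins of the framing
// documents, parent first; empty for a top-level (whole tab) navigation.
function xfoAllowsLoad(xfoValues, targetUrl, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true; // XFO only applies to frames

  // Split comma-separated values, lowercase, and de-duplicate.
  const values = new Set(
    xfoValues.flatMap((v) => v.split(','))
      .map((v) => v.trim().toLowerCase())
      .filter((v) => v !== '')
  );
  if (values.size === 0) return true; // no policy sent

  if (values.size > 1) {
    // Conflicting recognised keywords fail closed; all-unknown values are ignored.
    return ![...values].some((v) => XFO_KEYWORDS.includes(v));
  }
  const [policy] = values;
  if (policy === 'deny') return false;
  if (policy === 'sameorigin') {
    // Every ancestor, not only the direct parent, must share the target's origin.
    const targetOrigin = new URL(targetUrl).origin;
    return ancestorOrigins.every((o) => o === targetOrigin);
  }
  return true; // "allowall" or an unrecognised value imposes no restriction
}

// Constructed inputs mirroring the console message quoted in this bug.
const target = 'https://www.mozilla.org/en-US/';
const framedBy = ['https://onlinexperiences.com'];
console.log('redirect inside the iframe allowed:', xfoAllowsLoad(['DENY'], target, framedBy));
console.log('same redirect as a whole-tab load allowed:', xfoAllowsLoad(['DENY'], target, []));
```

The same response header yields different outcomes depending only on whether the navigation happens in a framed context, which is the distinction between the iframe redirect and a whole-tab redirect drawn in the comment above.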

Webcast page redirect function has been disabled for the March 24, 2020 Internal Meeting. I will disable redirects for future webcasts.

(In reply to Daniel Holbert [:dholbert] from comment #12)

> Andy and I discussed this in Slack a bit and I believe he's going to disable the redirect AirMo feature for now, so this will probably end up being fixed via that AirMo change. If there are still changes we want to make on the fission side, though, it might be good to come up with an alternate testcase or alternate non-AirMo-dependent STR, in order to keep track of whatever (if anything) is still broken & needing fixing on the Firefox-with-fission side here.

Thanks! Sounds like there is no Fission-specific problem here.

(In reply to Andy Kochendorfer from comment #13)

> Webcast page redirect function has been disabled for the March 24, 2020 Internal Meeting. I will disable redirects for future webcasts.

@ Andy, can I close this bug (since it's not a Fission bug in Firefox)? Or do you want to move this bug to Air Mozilla's Bugzilla component to track your work to disable redirects for future webcasts?

Status: ASSIGNED → NEW
Flags: needinfo?(akochendorfer)
See Also: → 1624914

Tentatively moving P1 Fission M6 bugs to M6a.

Fission Milestone: M6 → M6a

(In reply to Chris Peterson [:cpeterson] from comment #14)

> (In reply to Daniel Holbert [:dholbert] from comment #12)

> > Andy and I discussed this in Slack a bit and I believe he's going to disable the redirect AirMo feature for now, so this will probably end up being fixed via that AirMo change. If there are still changes we want to make on the fission side, though, it might be good to come up with an alternate testcase or alternate non-AirMo-dependent STR, in order to keep track of whatever (if anything) is still broken & needing fixing on the Firefox-with-fission side here.

> Thanks! Sounds like there is no Fission-specific problem here.

I forgot to remove this bug's Fission milestone since this is not a Fission problem.

No longer blocks: fission-dom-security
Fission Milestone: M6a → ---
Summary: Blocked by X-Frame-Options-Policy when fission enabled → Air Mozilla live event stream ends with "Blocked by X-Frame-Options-Policy" error

(In reply to Andy Kochendorfer from comment #13)

> Webcast page redirect function has been disabled for the March 24, 2020 Internal Meeting. I will disable redirects for future webcasts.

I am trying to close out XFO bugs and given your updates I guess this bug has become INVALID.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(akochendorfer)
Resolution: --- → INVALID
Has Regression Range: --- → yes