Closed Bug 1612936 Opened 5 years ago Closed 5 years ago

Fx follows redirect contained in code 429 response

Categories

(Core :: Networking: HTTP, defect)

74 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: hwine, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0

Steps to reproduce:

  1. Used up all login tries for https://sql.telemetry.mozilla.org (50/hour is limit)
  2. Tried to log in again.

Actual results:

Received 429 response, with redirect URL
Firefox follows redirect URL, which also returns 429 response

Expected results:

429 response is expected, however following the redirect provided by a 429 response seems wrong.

See GitHub Issue comment for background if desired.

Component: Untriaged → Networking: HTTP
Product: Firefox → Core

I saw one 302 response in the HAR file. Maybe this response causes the redirection?
Also, is there an easy way to reproduce this?

Flags: needinfo?(hwine)

(In reply to Kershaw Chang [:kershaw] from comment #1)

> I saw one 302 response in the HAR file. Maybe this response causes the redirection?

The 302 status is for the request for the favicon.ico. Note that a redirect is a proper part of the authentication procedure.

> Also, is there an easy way to reproduce this?

Oddly, not. If you try with curl, you'll create the condition -- but only for curl:

    for x in {1..53} ; do echo -n . ; curl -I -L 'https://sql.telemetry.mozilla.org/' &>/dev/null; done; echo

After the above, a request from the browser still worked.

I guessed it tracked the IP user-agent, but that didn't work either. I copy/pasted the user agent from my current browser session:

    for x in {1..53}; do echo -n . ; curl &>/dev/null -v --user-agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0' 'https://sql.telemetry.mozilla.org/' ; done ; echo

Flags: needinfo?(hwine)

I am sure we do not redirect on 429.
I am not sure how you have read this from the HAR file.
I just see one redirect 302 that also contains the body:

    "content": {
      "mimeType": "text/html",
      "size": 141,
      "text": "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>429 Too Many Requests</title>\n<h1>Too Many Requests</h1>\n<p>50 per 1 hour</p>\n"
    }

This is 302.

I will close this bug. If you think that it is wrong, please provide an HTTP log (instructions are here)

The redirect:

    "response": {
      "status": 302,
      "statusText": "Found",
      "httpVersion": "HTTP/2.0",
      "headers": [
        {
          "name": "server",
          "value": "openresty/1.15.8.1"
        },
        {
          "name": "date",
          "value": "Mon, 03 Feb 2020 16:00:18 GMT"
        },
        {
          "name": "content-type",
          "value": "text/html; charset=utf-8"
        },
        {
          "name": "content-length",
          "value": "337"
        },
        {
          "name": "location",
          "value": "https://sql.telemetry.mozilla.org/login?next=https%3A%2F%2Fsql.telemetry.mozilla.org%2Ffavicon.ico"
        },
        {
          "name": "x-frame-options",
          "value": "deny"
        },
        {
          "name": "x-xss-protection",
          "value": "1; mode=block"
        },
        {
          "name": "x-content-type-options",
          "value": "nosniff"
        },
        {
          "name": "x-download-options",
          "value": "noopen"
        },
        {
          "name": "content-security-policy",
          "value": "; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; default-src 'self'; frame-src redash.io; img-src 'self' http: https: data:; object-src 'none'; font-src 'self' data:"
        },
        {
          "name": "x-content-security-policy",
          "value": "; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; default-src 'self'; frame-src redash.io; img-src 'self' http: https: data:; object-src 'none'; font-src 'self' data:"
        },
        {
          "name": "referrer-policy",
          "value": "strict-origin-when-cross-origin"
        },
        {
          "name": "strict-transport-security",
          "value": "max-age=31536000"
        },
        {
          "name": "via",
          "value": "1.1 google"
        },
        {
          "name": "alt-svc",
          "value": "clear"
        },
        {
          "name": "X-Firefox-Spdy",
          "value": "h2"
        }
      ],
      "cookies": [],
      "content": {
        "mimeType": "text/html",
        "size": 141,
        "text": "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>429 Too Many Requests</title>\n<h1>Too Many Requests</h1>\n<p>50 per 1 hour</p>\n"
      },
      "redirectURL": "https://sql.telemetry.mozilla.org/login?next=https%3A%2F%2Fsql.telemetry.mozilla.org%2Ffavicon.ico",

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
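
Added example (not part of the original bug thread or of Firefox's code): a small HAR audit that compares each response's real HTTP status with the status its HTML body claims, which is the mismatch behind this report (a 302 whose body reads "429 Too Many Requests"). The first sample entry uses the values quoted above; the second entry, its example.test URLs and all function names are constructed for illustration.

```python
import re

# Statuses on which a client follows Location (Fetch standard redirect statuses).
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
TITLE_CODE = re.compile(r"<title>\s*(\d{3})\b", re.IGNORECASE)

def audit_entry(entry):
    """Summarise one HAR entry: real status line vs. what the body claims."""
    resp = entry["response"]
    headers = {h["name"].lower(): h["value"] for h in resp.get("headers", [])}
    body = resp.get("content", {}).get("text", "") or ""
    match = TITLE_CODE.search(body)
    body_code = int(match.group(1)) if match else None
    status = resp["status"]
    location = headers.get("location")
    return {
        "url": entry["request"]["url"],
        "status": status,
        "location": location,
        # Location is only acted on for a 3xx status, never for a 429.
        "followed": status in REDIRECT_STATUSES and location is not None,
        "body_code": body_code,
        "mismatch": body_code is not None and body_code != status,
    }

def audit_har(har):
    return [audit_entry(e) for e in har["log"]["entries"]]

LOGIN = ("https://sql.telemetry.mozilla.org/login"
         "?next=https%3A%2F%2Fsql.telemetry.mozilla.org%2Ffavicon.ico")
BODY_429 = ('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">\n'
            "<title>429 Too Many Requests</title>\n"
            "<h1>Too Many Requests</h1>\n<p>50 per 1 hour</p>\n")

# Constructed sample: entry 1 mirrors the 302 quoted in the thread,
# entry 2 is a hypothetical genuine 429 that happens to carry a Location header.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://sql.telemetry.mozilla.org/favicon.ico"},
     "response": {"status": 302,
                  "headers": [{"name": "location", "value": LOGIN}],
                  "content": {"text": BODY_429}}},
    {"request": {"url": "https://example.test/login"},
     "response": {"status": 429,
                  "headers": [{"name": "Location", "value": "https://example.test/"}],
                  "content": {"text": BODY_429}}},
]}}

if __name__ == "__main__":
    for row in audit_har(SAMPLE_HAR):
        print(row)
```
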