1628305 - Clicking a link that triggers a banner inside an iframe does not work

Status: VERIFIED FIXED

(Toolkit :: Safe Browsing, defect, P2)

Description

[Cristian Baica [:cbaica], Release Desktop QA]

Affected versions

• Fx76.0b2
• Fx75.0 RC

Affected platforms

• Windows 10
• macOS
• Ubuntu

Preconditions

• Create a html file containing the following:

<html>
<body>
<iframe src="https://testsafebrowsing.appspot.com/s/phishing.html" height="800" width="400"></iframe>
<iframe src="https://itisatrap.org/firefox/its-a-trap.html" height="800" width="400"></iframe>
</body>
</html>

Steps to reproduce

1. Launch Firefox.
2. Navigate to about:config and set security.mixed_content.block_active_content to false.
3. Open the saved .html file in Firefox.
4. In the left iFrame, click the 'see details' button and then the 'ignore the risk' link.

Expected result

• A red banner containing two options is displayed on the page.

Actual result

• Nothing happens.

Regression range

• Will come back with a regression range ASAP

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

The priority flag is not set for this bug.
:dimi, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 2

[Dimi Lee [:dimi]]

keep the needinfo because i need to do some tests

Comment 3

[Marcela (Please NI request to Brindusa Tot)]

This issue ia reproducible on latest Nightly 78.0a1 Build ID 20200511094328 on macOS 10-14. Change flags accordingly.

Comment 4

[Firefox Bug Husbandry Bot]

Because this bug's Severity has not been changed from the default since it was filed, and it's Priority is P3 (Backlog,) indicating it has been triaged, the bug's Severity is being updated to S3 (normal.)

Comment 5

[Dimi Lee [:dimi]]

hi Cristian,
I want to confirm that only happens when opening with a local file right?
Also, could you help check if step2 is necessary? because I tested in my platform, and I can reproduce this without step2. thanks!

Comment 6

[Cristian Baica [:cbaica], Release Desktop QA]

Hi Dimi,
I'm not entirely sure of the outcome you're expecting here. If both links that are included in the .html file are opened separately in Firefox and the 'ignore the risk' hyperlinked text is clicked, the user is correctly taken to the corresponding addresses.
I'm not sure if step 2 is necessary or not. These are all the steps that were written for a specific safe browsing test we have.

Comment 7

[Marcela (Please NI request to Brindusa Tot)]

This issue is reproducible on latest Nightly 79.0a1 (2020-06-09) (32-bit) on Windows 10. Change flags accordingly.

Comment 8

[Cristian Baica [:cbaica], Release Desktop QA]

I have looked into the issue trying to find a regression.
The last good build: 2018-01-11
The first bad build: 2018-01-12
The resulting changeset: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=8142a68bf0a7b44c2502888ba6b2a930edf428fd&tochange=f5b4481c9fd50becb35cef02b599198b766fb1bb

Unfortunately nothing stands out to me from the list. Dimi, can you have a look?

Comment 9

[Dimi Lee [:dimi]]

Attachment: Bug 1628305 - Fallback to use host or spec when failing to get base domain in SafeBrowsingNotificationBox

Comment 10

[Pulsebot]

Pushed by dlee@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/08a459f74e52
Fallback to use host or spec when failing to get base domain in SafeBrowsingNotificationBox r=Gijs

Comment 11

[Andreea Pavel [:apavel]]

https://hg.mozilla.org/mozilla-central/rev/08a459f74e52

Comment 12

[Cristian Baica [:cbaica], Release Desktop QA]

The issue is verified fixed using Fx81.0b1 and Fx82.0a1 on ubuntu 18.04 and windows 10. The warning banner is correctly displayed when clicking the 'ignore the risk' link from the iframes.