Closed Bug 1629441 Opened 5 years ago Closed 5 years ago

Cross-process POST requests degrade to GET requests when they open new windows

Categories

(Core :: DOM: Navigation, defect, P1)

Product:
Core
Component:
DOM: Navigation
Version:
75 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla77
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox75 + wontfix
firefox76 + fixed
firefox77 + fixed

People

(Reporter: eduardo.philippi, Assigned: pbone)

References

(Regression)

Details

(Keywords: regression)

Attachments

(3 files)

Post_in_firefox_(j_spring_security_check).png
656.69 KB, image/png
Details
Testcase
254 bytes, text/html
Details
Bug 1629441 - Defer to DocumentChannel in shouldLoadURLInThisProcess r=kmag
47 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
Details | Review

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0

Steps to reproduce:

Authenticate user using a POST request with "j_spring_security_check", https://help.pentaho.com/Documentation/8.2/Developer_Center/REST_API

Actual results:

Authenticate using a POST request with "j_spring_security_check" fails in Firefox, before the last update of Firefox was working

Expected results:

Authenticate the user

Thank you for your detailed bug report.

The problem seems to be that trying to POST a form in an HTML file loaded via file:// to a server using an http:// scheme. Instead of using POST it uses GET. I created a simple testcase to reproduce this locally and arrived at bug 1603006.

If possible you could also host log_in.html on a server and it should work.

Flags: needinfo?(pbone)
Keywords: regression
Regressed by: 1603006
Has Regression Range: --- → yes
Flags: needinfo?(kmaglione+bmo)
Component: Untriaged → DOM: Navigation
Flags: needinfo?(kmaglione+bmo)
Product: Firefox → Core
Summary: Send a POST request with "j_spring_security_check" fails on Firefox → Cross-process file: to http: POST requests fail
Summary: Cross-process file: to http: POST requests fail → Cross-process POST requests degrade to GET requests when they open new windows
Attached file Testcase

Test needs to be loaded via file://. Tries to submit the form to http://httpbin.org/post, which will fail for GET requests.

Paul, it looks like the problem is that, while we always use DocumentChannel for cross-process loads in existing docshells, because of this:

https://searchfox.org/mozilla-central/rev/2cd2d511c0d94a34fb7fa3b746f54170ee759e35/toolkit/modules/E10SUtils.jsm#893-903

We don't have a similar check for loads that are retargeted to open new windows, which hit this path:

https://searchfox.org/mozilla-central/rev/2cd2d511c0d94a34fb7fa3b746f54170ee759e35/toolkit/modules/E10SUtils.jsm#842-853
https://searchfox.org/mozilla-central/rev/2cd2d511c0d94a34fb7fa3b746f54170ee759e35/dom/ipc/ContentChild.cpp#901-918

And then throw away the LoadInfo with the post data when they trigger the load:

https://searchfox.org/mozilla-central/rev/2cd2d511c0d94a34fb7fa3b746f54170ee759e35/dom/ipc/ContentChild.cpp#944-947

Assignee: nobody → pbone

Thanks. Looking/testing now.

Flags: needinfo?(pbone)

Hi kmag/evilpie

I cannot easilly see the screen shot (would have to enhance it in an image editor etc). Is there anything important I need to understand in the screenshot but not captured elsewhere?

Thanks.

Flags: needinfo?(kmaglione+bmo)
Flags: needinfo?(evilpies)

No, I don't think you are missing any important information.

Flags: needinfo?(evilpies)

Thanks.

Flags: needinfo?(kmaglione+bmo)
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE

Sorry! I do wonder if it would be better to revert bug 1603006 for now.

Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: DUPLICATE → ---

(In reply to Tom Schuster [:evilpie] from comment #10)

Sorry! I do wonder if it would be better to revert bug 1603006 for now.

I have a fix now. I'll post it for review & try shortly. What I'm unsure of is whether we uplift it. and what that looks like for release. I'm unfamiliar with our process for that.

status-firefox75: --- → affected
status-firefox76: --- → affected
status-firefox77: --- → affected
OS: Unspecified → All
Priority: -- → P1
Hardware: Unspecified → All

Hi Julien,

I heard you were the person I need to speak to regarding advice about uplifting my change (once it's reviewed and gets through try/landing!).

This is a regression that made it onto our release channel before we noticed. How is it decided what to do WRT uplifting to release and who decides?

I have a second regression on release Bug 1630757, which was has the same regression cause. Maybe we backout that change on release while uplifting on beta?

Because Evilpie was talking about backout I'm going to NI him also, in case he knows something about these procedures.

Thanks.

Flags: needinfo?(jcristau)
Flags: needinfo?(evilpies)
See Also: → 1630757

[Tracking Requested - why for this release]: I don't know if this should uplift onto release. I have a feeling it should for beta.

tracking-firefox75: --- → ?
tracking-firefox76: --- → ?

Resetting severity to default of --.

I doubt that we will uplift this to release, but I will defer to other people.

Flags: needinfo?(evilpies)
Pushed by pbone@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ebea9991db0e Defer to DocumentChannel in shouldLoadURLInThisProcess r=kmag

Backed out changeset ebea9991db0e for causing lint failures in browser_form_post_from_file_to_http.js

Backout link: https://hg.mozilla.org/integration/autoland/rev/e001cc8bb74f0fc4ffa5c40f72fee6d02f4f8c88

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=298341490&repo=autoland&lineNumber=318

[task 2020-04-20T05:10:38.272Z] TEST-UNEXPECTED-ERROR | /builds/worker/checkouts/gecko/dom/html/test/browser_form_post_from_file_to_http.js:114:62 | 'binContentType' is already declared in the upper scope. (no-shadow)
Flags: needinfo?(pbone)

Thanks fixing.

Flags: needinfo?(pbone)
Pushed by pbone@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/711080298194 Defer to DocumentChannel in shouldLoadURLInThisProcess r=kmag
tracking-firefox76: ?+
Flags: needinfo?(jcristau)

https://hg.mozilla.org/mozilla-central/rev/711080298194

Status: REOPENED → RESOLVED
Closed: 5 years ago5 years ago
status-firefox77: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla77

Comment on attachment 9141266 [details]
Bug 1629441 - Defer to DocumentChannel in shouldLoadURLInThisProcess r=kmag

Beta/Release Uplift Approval Request

  • User impact if declined: Form posts from a file:// URL to a http:// URL with target="_blank" do not work, and maybe other file:// -> http:// situations where HTTP POST is replaced with HTTP GET.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The diff is small and the condition it adds is already used on a different code path.
  • String changes made/needed: There are no string changes
Attachment #9141266 - Flags: approval-mozilla-beta?

Form posts from a file:// URL to a http:// URL with target="_blank" do not work, and maybe other file:// -> http:// situations where HTTP POST is replaced with HTTP GET.

It also impact http:// to http:// POST if under a checkLoadUri "allAccess" policy

Comment on attachment 9141266 [details]
Bug 1629441 - Defer to DocumentChannel in shouldLoadURLInThisProcess r=kmag

Fixes a commonly-reported regression in Fx75 and includes new automated tests. Approved for 76.0b8.

Attachment #9141266 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Should the fix uplifted to release too?

76 is in RC and ships next week.

Depends on: 1634779
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: