1665794 - Endless redirect on login.oracle.com with network.cookie.sameSite.schemeful enabled

Status: RESOLVED WONTFIX

(Core :: Networking: Cookies, defect, P2)

Description

[Ksenia Berezina [:ksenia] on leave until 09/15]

Attachment: 93085798-cd6d9d00-f69e-11ea-98ff-fc43bff2bfa9.png

Originally reported in https://github.com/webcompat/web-bugs/issues/58231

STR:

1. Create an account on https://login.oracle.com/mysso/signon.jsp
2. Visit https://login.oracle.com/oam/server/obrareq.cgi?encquery%3DLqo6eTzRJO2OA3mMSw9KFFsCOApRRw7pKJtbO4%2BkcdPY9oMQcwZmNsOJCQKHvGf5zmeoAEerLvhXybDAhHmB7zBnGBQQGPiXZ8%2B0oeoSKnaj17wQH326ZWY%2FEVZ%2FTIqSiGRNuZtvrv2%2F2NaI%2F7ILcSaRZeaqPYV9xoj%2Bx2j9yQaiJZEOeA%2FNcW6LQKGZzDC7A0uBAljNL4o1kmo8xo1gcsYZSGERyysCqsm9iiFkAJbdqHqhXkAMV3nkHk0EkomV0wqqnJrxYHPzY0qjpFaG7g7gWjmw9LK%2B2owxZshHglwBZPom3S%2FAK%2BJ8D4EUey%2BOKZNgVQwGKvoeTGeLU36NGEiSU%2BL25HPT1lkHLMwp%2FG5gtc1Cki9A8iIF7%2F8ggWMs%2FILlyvbYu9%2BcNTajK1qlpuRRTWNgFmj%2Fwvi4k5NYxrmEPMnM3JTf93Uz7FKCp1CyUzEeS6T%2BGOJYEruw%2BVC2GKS%2F06vfJdC75ZHTQb2GLggZ0a4xiWCAgGhWA8MHOU7JbCc6NG1X6YnCaum6Ry0sDz%2F4v6FKZazliXf4B7L8p9J6RFoXEfRBSP8tauSPVc6CMlWwBBCMNlg4ITjoS6TDPbKZkLErQRz2w1wDaQ3kzQZtbGV02iGAISGBXhlvpCa4yyxIi%2F8Qu3hhzUmvslCww1C7fYVqh11WdfKSKF%2FY4DnkwXQmMNolnZJd2i1o0Alo%20agentid%3Dwww.oracle.com%20ver%3D1%20crmethod%3D2&ECID-Context=1.005foJH6huYFo2KimT4ykJ0007to0031ac%3BkXjE
3. Sign in with your login credentials and observe the page

Expected:
The site redirects to an error page

Actual:
Endless redirect and "The page isn’t redirecting properly" message is displayed

From mozregression:

23:25.24 INFO: Last good revision: e6d1fb1401f00bb5159b87a92d60268fb786026d
23:25.24 INFO: First bad revision: 57d24342399d658f0456a92aab3b75b57ac75b41
23:25.24 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e6d1fb1401f00bb5159b87a92d60268fb786026d&tochange=57d24342399d658f0456a92aab3b75b57ac75b41

Comment 1

[Ksenia Berezina [:ksenia] on leave until 09/15]

Attachment: Screen Shot 2020-09-17 at 6.56.56 PM.png

From the network request logs I could tell that there is an attempt to download a file https://download.oracle.com/otn/java/jdk/8u261-b12/a4634525489241b9a9e1aa73d9e118e6/jdk-8u261-windows-x64.exe. There are multiple redirects from http to https, so perhaps there is a missing cookie caused by the Schemeful Same-Site , which results in redirect loop.

Andrea, would you be able to take a look? Wonder if we should contact Oracle to see if they can get this fixed?

Comment 2

[Andrea Marchesini [:baku]]

Yes, we should contact oracle to fix their cookies. Peter, are you in contact with them?

Comment 3

[jwms]

unable to load https://www.jumio.com/ if network.cookie.sameSite.schemeful is set to true

Comment 4

[Mike Taylor [:miketaylr]]

(In reply to jwms from comment #3)

unable to load https://www.jumio.com/ if network.cookie.sameSite.schemeful is set to true

Could you please file a new bug for this? A screenshot would be helpful too.

Comment 5

[Mike Taylor [:miketaylr]]

Unfortunately this doesn't seem to reproduce in Chrome with Schemeful SameSite enabled, and the bug doesn't go away if I spoof as Chrome in Firefox Nightly :(.

Comment 6

[Peter Saint-Andre [:stpeter]]

I've followed up with a contact at Oracle about this and will report back.

Comment 7

[Peter Saint-Andre [:stpeter]]

I heard back from someone at Oracle, who suggests that the problem lies in Step 2 of the original poster's bug report: the user is attempting to go to a bookmarked URL instead of attempting to directly log into the desired property (in this case www.oracle.com).

Comment 8

[Niklas]

I can't reproduce this. Going to https://login.oracle.com/mysso/signon.jsp now shows an error: "Error! Do not use bookmarked URL. Please type the URL you are trying to reach directly into your browser.".

Comment 9

[Manuel Bucher [:manuel] {{ fyi: PTO Jul 26 - Aug 17 }}]

We won't be shipping samesitelax by default, so all of this breakage bug can be closed: Bug 1617609