Closed Bug 1711870 Opened 3 years ago Closed 3 years ago

policy WebsiteFilter is not applied after redirect

Categories

(Firefox :: Enterprise Policies, defect, P2)

Product:
Firefox
Component:
Enterprise Policies
Version:
Firefox 88
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
99 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- verified
firefox98 --- verified
firefox99 --- verified

People

(Reporter: mozsupport2019, Assigned: mkaply)

Details

Attachments

(4 files)

policies.json
204 bytes, application/json
Details
f8258cb9d7b2b9800a00fd0ff2d77dff.jpg
129.75 KB, image/jpeg
Details
policies.json
219 bytes, application/json
Details
Bug 1711870 - Use http-on-examine-response to block redirects in policy. r?dragana
48 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr91+
Details | Review

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0

Steps to reproduce:

use google image search. click on a result whose site is listed in policies.json WebsiteFilter Block list.

Actual results:

page is displayed.
only when navigating further or reloading or clicking in the address bar and pressing return, it is replaced by the "Blocked Page" page.

Expected results:

I should not be allowed to see the resulting page.
I assume that the check against the block list happens on the intermediate URL that google generated and which then redirects to the actual result page, and not again on the URL it is redirecting to. I have also seen this happen on other pages that redirect to a different site when only the redirect target matched the Block list.

The Bugbug bot thinks this bug should belong to the 'Firefox::Address Bar' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Address Bar
Component: Address Bar → Enterprise Policies

I tried to reproduce this issue on Windows and Ubuntu but without success.

This is the code for the policies.json file I used:
{

"policies": {
"WebsiteFilter": {
"Block": ["://.pinterest.com/","://.facebook.com/","https://www.pinterest.com/","https://pl.pinterest.com"]
}
}
}

After copying the policies.json file in the distribution folder I would use Google image search for the attached photo to this bug, which is suppose to show some results from https://pl.pinterest.com lower on the page, after clicking that result it would instantly be blocked.

Karl can you please try a fresh profile and try to reproduce the issue again ? you can find the steps here:
https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles?redirectlocale=en-US&redirectslug=Managing-profiles#w_starting-the-profile-manager

Also can you try using my policies.json file and just update the websites ? maybe its the policies.json file at fault.

Flags: needinfo?(mozsupport2019)
Attached file policies.json

So yeah, I think the issue is that you specified URLs instead of blobs.

As Rares pointed out, to block everything on pinterest, you need:

"*://*.pinterest.com/*"

as an entry.

I will close this issue as incomplete due to the lack of response from the reporter, I assume that was the issue, if not we can definitely reopen it.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE

I just remembered this case and found a fairly simple setup that should be reproducible.

my /usr/lib/firefox/distribution/policies.json includes
{ "policies": {
"WebsiteFilter": {
"Block": [
"://.xxx/*",
...

I start a private browsing window (ctrl-shift-p) and go to google.com
safesearch off, search term "rule34 skirt" (without quotes), switch to image search
most of the results are in the domain rule34.xxx and you can pick any such image.
clicking on an image, the right about third of the result window shows the preview (google image search functionality).
clicking on the preview image (or on the text line below it or on the "visit" button at the right), a new tab opens with the result.
The link in the picture that opens the tab has the form https://www.google.com/url?sa=i&url=https%3A%2F%2Frule34.xxx%2Findex.php%3Fpage%3Dpost%26s%3Dview%26id%3D3587370&psig=AOvVaw3h505-Fapco5If0E9SMKST&ust=1643974106235000&source=images&cd=vfe&ved=0CAgQjRxqFwoTCIjk1_a24_UCFQAAAAAdAAAAABAK
The new tab's address bar shows the URL e.g. https://rule34.xxx/index.php?page=post&s=view&id=3587370 and the full content of the page is shown.
if I click on the address bar and press return (i.e. I go to that same page), or press ctrl-R, the content will be replaced by the "Blocked Page" message. This confirms that the page was meant to be blocked. However, the tab opened from google image search was not blocked. I believe this is due to the fact that the test for blocked page is done before the https://www.google.com... URL is replaced by the result page, and not again after. I am not sure how google does it, probably some javascript foo, but being able to circumvent the blocking that way is surely not intended.
Apologies if this test shows anything offensive. It was the clearest I could come up with.

Flags: needinfo?(mozsupport2019)

Hi @Mike after testing with the new steps from the reporter (Searching for rule34 skirt > Search images > Clicking one of the images > Visit Website) I was able to reproduce this issue as the reporter mentioned, I am seeing the Preview image and I can reach the Website, only after hitting Enter in the URL bar is the page getting blocked.

This is the Policy file I used :
{

"policies": {
"WebsiteFilter": {
"Block": ["://.pinterest.com/", "://.xxx/","://.facebook.com/","://.IHATETHESEGUYS.net/","https://www.pinterest.com/","https://pl.pinterest.com"]
}
}
}

I added the "://.xxx/*" part to my older policies.json file and I was able to reproduce this issue. Can you please take a look and let us know if we are missing something ?

Flags: needinfo?(mozilla)
Attached file policies.json

Attaching the New Policies.json file with the extra xxx code.

Reopening the issue since I was able to reproduce it with the Reporters latest steps.

Status: RESOLVED → REOPENED
status-firefox98: --- → affected
Ever confirmed: true
Resolution: INCOMPLETE → ---

Yep,I'll take a look

Flags: needinfo?(mozilla)

So the page being loaded in my test is:

https://www.google.com/url?sa=i&url=https%3a%2f%2frule34.xxx%2findex.php%3fpage%3dpost%26s%3dview%26id%3d3346841&psig=aovvaw2aojghzmrinmopc5wycpw8&ust=1643999556592000&source=images&cd=vfe&ved=0caoq3ykbahckewio_-helet1ahuaaaaahqaaaaaqaw

And Google is doing a 302 redirect.

But the 302 redirect is not coming through the nsIContentPolicy filter. I'm investigating.

Assignee: nobody → mozilla
Severity: -- → S2
Priority: -- → P2
Pushed by mozilla@kaply.com: https://hg.mozilla.org/integration/autoland/rev/562d9122c725 Use http-on-examine-response to block redirects in policy. r=dragana

https://hg.mozilla.org/mozilla-central/rev/562d9122c725

Status: REOPENED → RESOLVED
Closed: 3 years ago3 years ago
status-firefox99: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch

The patch landed in nightly and beta is affected.
:mkaply, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(mozilla)

This issue is Verified as fixed in our latest Firefox Nightly build 99.0a1 (2022-02-14).
When I click the Website or the pictures, its automatically blocked.

Comment on attachment 9262382 [details]
Bug 1711870 - Use http-on-examine-response to block redirects in policy. r?dragana

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Policy only.
  • User impact if declined: User is able to view blocked pages that are 301/302 redirects.
  • Fix Landed on Version: 99
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Policy only, automated test

Beta/Release Uplift Approval Request

  • User impact if declined: User is able to view blocked pages that are 301/302 redirects.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Policy only.
  • String changes made/needed:
Flags: needinfo?(mozilla)
Attachment #9262382 - Flags: approval-mozilla-release?
Attachment #9262382 - Flags: approval-mozilla-esr91?
Attachment #9262382 - Flags: approval-mozilla-release? → approval-mozilla-beta?

Comment on attachment 9262382 [details]
Bug 1711870 - Use http-on-examine-response to block redirects in policy. r?dragana

Approved for 98 beta 6, thanks.

Attachment #9262382 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

This issue is Verified as fixed in our latest beta build 98.0b6.

Status: RESOLVED → VERIFIED
status-firefox98: fixedverified

Comment on attachment 9262382 [details]
Bug 1711870 - Use http-on-examine-response to block redirects in policy. r?dragana

Approved for 91.7esr.

Attachment #9262382 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+

Verified as Fixed in our latest 91.7.0esr build. Build ID: 20220217154744

status-firefox-esr91: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: