Open Bug 1725646 Opened 4 months ago Updated 3 days ago

HTTPS-First endless loop with http redirection (web compat issue)

Categories

(Core :: DOM: Security, defect, P3)

defect

Tracking

()

ASSIGNED
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- wontfix
firefox91 --- wontfix
firefox92 --- wontfix
firefox93 - wontfix
firefox94 - wontfix

People

(Reporter: lyavor, Assigned: lyavor)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, Whiteboard: [domsecurity-active])

Attachments

(2 files, 1 obsolete file)

STR:

  1. enabled https-first
  2. visist www.bom.gov.au
  3. redirects to http://www.bom.gov.au/akamai/https-redirect.html

expected Result:
redirects to http://www.bom.gov.au

current Result:
Endless loop, displayed page stays http://www.bom.gov.au/akamai/https-redirect.html

Assignee: nobody → lyavor
Severity: -- → S2
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [domsecurity-active]

This affects private windows in 91+ where HTTPS-First is default enabled (Bug 1716991) and can be worked around by changing dom.security.https_first_pbm = false. It does not occur with HTTPS-Only enabled.

Regressed by: 1716991
No longer regressions: 1716991
Duplicate of this bug: 1727419

Freddy, could we get that patch reviewed and potentially landed before the merge to avoid an uplift in beta? Thanks!

Flags: needinfo?(fbraun)

My bad. Reviewed and pushed to central.

Flags: needinfo?(fbraun)
Pushed by fbraun@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6d9cbb7202ec
HTTPS-First endless loop with http redirection. r=freddyb

Backed out for causing mochitest failures on test_resource_upgrade.html
Backout link
Push with failures
Failure Log

Flags: needinfo?(lyavor)

On it

Flags: needinfo?(lyavor)
Pushed by fbraun@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d70451b36f3f
HTTPS-First endless loop with http redirection. r=freddyb
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 93 Branch

I can still reproduce this on latest Nightly 93.0a1 (2021-09-03).

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Flags: needinfo?(lyavor)
Status: REOPENED → ASSIGNED
Target Milestone: 93 Branch → ---

Thank you for pointing out.
I am on it!

Flags: needinfo?(lyavor)

Ryan could you back out the landed patch for that bug, please.
There might be a better approach to fix that bug than the one I used.

Flags: needinfo?(ryanvm)
Flags: needinfo?(ryanvm) → needinfo?(sheriffs)

Backed out changeset d70451b36f3f (Bug 1725646) as per developer's request. CLOSED TREE
Backout link : https://hg.mozilla.org/integration/autoland/rev/1cc49aff2f59dd1458d947d0bd7ef830b19cfe77

Thank you!

Tomer, this is marked as P1/S2, are you planning a fix and an uplift in 93? Thanks

Flags: needinfo?(lyavor)

I have to investigate further to see if there is a way to fix the bug without weaken https-first.
So I wouldn't plan to fix it in 93.

Flags: needinfo?(lyavor)

So, I've looked into this a bit and I currently don't have a good solution for this.
I think we could:

  1. Don't check uri path for https-first mode.
    This is a workaround that fixes this bug and bug 1725800 will not be affected. However, this is a bit hacky and this makes the behavior of https-first and https-only inconsistent.
  2. Introduce an excluded list for https-first mode and still checking uri path for https-first and https-only.
    The excluded list will contain the host names that failed to do https upgrade. Before doing https upgrade because of https-first, this excluded list will be checked. If a host is excluded, we don't try to do https upgrade for this host. Using the case in this bug as en example, trying to upgrade http://www.bom.gov.au ends with http://www.bom.gov.au/akamai/https-redirect.html, so we consider the host www.bom.gov.au is failed to upgraded to https and we put it to the excluded list.

I think option 2 should be better, but I am not sure if it is easy to implement.
What do you think?

Flags: needinfo?(lyavor)
Flags: needinfo?(ckerschb)

Thank you for looking into it.

I would also prefer not to use option 1.

Option 2 sounds good for me. I will try to implement it that way.

Thank you very much!

Flags: needinfo?(lyavor)

Thanks Kershaw for looking into this problem, though I don't think that (2) is a valid option - maintaining a list is cumbersome and puts a lot of maintenance burden on us.

Even though the inconsistency between https-first and https-only is not ideal, I think (1) is the better option here. Hopefully we can factor out those changes so we are very explicit that https-first does not check the uri path.

Flags: needinfo?(ckerschb)
Attachment #9242082 - Attachment description: Bug 1725646 - HTTPS-First endless loop with http redirection. r=ckerschb → WIP: Bug 1725646 -
Attachment #9242082 - Attachment description: WIP: Bug 1725646 - → Bug 1725646 - HTTPS-First endless loop with http redirection. r=ckerschb
Attachment #9237629 - Attachment is obsolete: true

Description of bug:

  1. Enable https-first
  2. Visit http://bom.gov.au , → https-first upgrades it to https
  3. https:/www.bom.gov.au sends normal redirect(307) to http://www.bom.gov.au/something
  4. Https-first tries to upgrade redirect to https
  5. http://www.bom.gov.au/something is not supporting https, so no upgrade → http
  6. http://www.bom.gov.au/something js redirects to http://www.bom.gov.au,
  7. Redirection from http → https is defined as not an endless loop : https://searchfox.org/mozilla-central/source/dom/security/nsHTTPSOnlyUtils.cpp#326-329
  8. We go back to step 2.

The http redirect:

HTTP/1.1 307 Temporary Redirect
Server: AkamaiGHost
Content-Length: 0
Location: http://www.bom.gov.au/akamai/https-redirect.html
Date: Mon, 04 Oct 2021 21:14:46 GMT
Connection: keep-alive
Server-Timing: cdn-cache; desc=HIT, edge; dur=1

with the message

The Bureau of Meteorology website does not currently support connections via HTTPS.

then the JS redirect.

    <script language="Javascript">
      var home_page = 'http://' + location.hostname;
      var timerId;
      function start()
      {
        timerId = setTimeout('load_page()', 10000);
      }
      function load_page()
      {
        clearTimeout(timerId);
        window.location.replace(home_page);
      }
    </script>

So the questions are often

  1. how do we contact them?
  2. what would we like they modify in their code logic?

They have a feedback form, but these are usually not very good to do outreach
http://www.bom.gov.au/other/feedback/

Let's search on github
https://github.com/search?q=Australia++Bureau+of+Meteorology&type=users

https://github.com/vlouf
Here there is someone with an email address we could reach out and ask them if they could put us in contact with people managing the website of Australia BOM

and looking at the social network of vlouf, we can find.

https://github.com/bureauofmeteorology
has no meaningful activity to hook on.

So I would send an email to these two persons and ask them if they could put Mozilla in contact with the Website maintainers.

Flags: needinfo?(ckerschb)

This turns out to be a web-compat bug and I'll try to reach out to them. Not a regression we need to fix.

Severity: S2 → S4
Type: defect → task
Flags: needinfo?(ckerschb)
Priority: P1 → P3
Duplicate of this bug: 1733022
Summary: HTTPS-First endless loop with http redirection → HTTPS-First endless loop with http redirection (web compat issue)
Type: defect → task
You need to log in before you can comment on or make changes to this bug.