HTTPS-First endless loop with http redirection (web compat issue)
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
People
(Reporter: t.yavor, Unassigned)
References
(Depends on 1 open bug, Blocks 1 open bug, Regression, )
Details
(Keywords: regression, Whiteboard: [domsecurity-active])
Attachments
(2 files, 1 obsolete file)
STR:
- enabled https-first
- visist www.bom.gov.au
- redirects to http://www.bom.gov.au/akamai/https-redirect.html
expected Result:
redirects to http://www.bom.gov.au
current Result:
Endless loop, displayed page stays http://www.bom.gov.au/akamai/https-redirect.html
Reporter | ||
Comment 1•3 years ago
|
||
Updated•3 years ago
|
This affects private windows in 91+ where HTTPS-First is default enabled (Bug 1716991) and can be worked around by changing dom.security.https_first_pbm = false
. It does not occur with HTTPS-Only enabled.
Updated•3 years ago
|
Reporter | ||
Comment 3•3 years ago
|
||
Updated•3 years ago
|
Updated•3 years ago
|
Comment 5•3 years ago
|
||
Freddy, could we get that patch reviewed and potentially landed before the merge to avoid an uplift in beta? Thanks!
Pushed by fbraun@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6d9cbb7202ec HTTPS-First endless loop with http redirection. r=freddyb
Comment 8•3 years ago
|
||
Backed out for causing mochitest failures on test_resource_upgrade.html
Backout link
Push with failures
Failure Log
Comment 10•3 years ago
|
||
Pushed by fbraun@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d70451b36f3f HTTPS-First endless loop with http redirection. r=freddyb
Comment 11•3 years ago
|
||
bugherder |
Comment 12•3 years ago
|
||
I can still reproduce this on latest Nightly 93.0a1 (2021-09-03).
Updated•3 years ago
|
Updated•3 years ago
|
Updated•3 years ago
|
Reporter | ||
Comment 14•3 years ago
|
||
Reporter | ||
Comment 15•3 years ago
|
||
Ryan could you back out the landed patch for that bug, please.
There might be a better approach to fix that bug than the one I used.
Reporter | ||
Updated•3 years ago
|
Updated•3 years ago
|
Comment 16•3 years ago
|
||
Backed out changeset d70451b36f3f (Bug 1725646) as per developer's request. CLOSED TREE
Backout link : https://hg.mozilla.org/integration/autoland/rev/1cc49aff2f59dd1458d947d0bd7ef830b19cfe77
Updated•3 years ago
|
Reporter | ||
Comment 17•3 years ago
|
||
Thank you!
Comment 18•3 years ago
|
||
Tomer, this is marked as P1/S2, are you planning a fix and an uplift in 93? Thanks
Reporter | ||
Comment 19•3 years ago
|
||
I have to investigate further to see if there is a way to fix the bug without weaken https-first.
So I wouldn't plan to fix it in 93.
Updated•3 years ago
|
Comment 20•3 years ago
|
||
So, I've looked into this a bit and I currently don't have a good solution for this.
I think we could:
- Don't check uri path for https-first mode.
This is a workaround that fixes this bug and bug 1725800 will not be affected. However, this is a bit hacky and this makes the behavior of https-first and https-only inconsistent. - Introduce an excluded list for https-first mode and still checking uri path for https-first and https-only.
The excluded list will contain the host names that failed to do https upgrade. Before doing https upgrade because of https-first, this excluded list will be checked. If a host is excluded, we don't try to do https upgrade for this host. Using the case in this bug as en example, trying to upgradehttp://www.bom.gov.au
ends withhttp://www.bom.gov.au/akamai/https-redirect.html
, so we consider the hostwww.bom.gov.au
is failed to upgraded tohttps
and we put it to the excluded list.
I think option 2 should be better, but I am not sure if it is easy to implement.
What do you think?
Reporter | ||
Comment 21•3 years ago
|
||
Thank you for looking into it.
I would also prefer not to use option 1.
Option 2 sounds good for me. I will try to implement it that way.
Thank you very much!
Comment 22•3 years ago
|
||
Thanks Kershaw for looking into this problem, though I don't think that (2) is a valid option - maintaining a list is cumbersome and puts a lot of maintenance burden on us.
Even though the inconsistency between https-first and https-only is not ideal, I think (1) is the better option here. Hopefully we can factor out those changes so we are very explicit that https-first does not check the uri path.
Updated•3 years ago
|
Updated•3 years ago
|
Updated•3 years ago
|
Reporter | ||
Comment 23•3 years ago
•
|
||
Description of bug:
- Enable https-first
- Visit http://bom.gov.au , → https-first upgrades it to https
- https:/www.bom.gov.au sends normal redirect(307) to http://www.bom.gov.au/something
- Https-first tries to upgrade redirect to https
- http://www.bom.gov.au/something is not supporting https, so no upgrade → http
- http://www.bom.gov.au/something js redirects to http://www.bom.gov.au,
- Redirection from http → https is defined as not an endless loop : https://searchfox.org/mozilla-central/source/dom/security/nsHTTPSOnlyUtils.cpp#326-329
- We go back to step 2.
Comment 24•3 years ago
|
||
The http redirect:
HTTP/1.1 307 Temporary Redirect
Server: AkamaiGHost
Content-Length: 0
Location: http://www.bom.gov.au/akamai/https-redirect.html
Date: Mon, 04 Oct 2021 21:14:46 GMT
Connection: keep-alive
Server-Timing: cdn-cache; desc=HIT, edge; dur=1
with the message
The Bureau of Meteorology website does not currently support connections via HTTPS.
then the JS redirect.
<script language="Javascript">
var home_page = 'http://' + location.hostname;
var timerId;
function start()
{
timerId = setTimeout('load_page()', 10000);
}
function load_page()
{
clearTimeout(timerId);
window.location.replace(home_page);
}
</script>
So the questions are often
- how do we contact them?
- what would we like they modify in their code logic?
They have a feedback form, but these are usually not very good to do outreach
http://www.bom.gov.au/other/feedback/
Let's search on github
https://github.com/search?q=Australia++Bureau+of+Meteorology&type=users
https://github.com/vlouf
Here there is someone with an email address we could reach out and ask them if they could put us in contact with people managing the website of Australia BOM
and looking at the social network of vlouf, we can find.
- https://github.com/joshua-wx who has an email address in https://www.joshuasoderholm.com/
https://github.com/bureauofmeteorology
has no meaningful activity to hook on.
So I would send an email to these two persons and ask them if they could put Mozilla in contact with the Website maintainers.
Updated•3 years ago
|
Comment 25•3 years ago
|
||
This turns out to be a web-compat bug and I'll try to reach out to them. Not a regression we need to fix.
Updated•3 years ago
|
Updated•3 years ago
|
Updated•3 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Comment 28•2 years ago
|
||
The severity field for this bug is relatively low, S4. However, the bug has 3 duplicates.
:lyavor, could you consider increasing the bug severity?
For more information, please visit auto_nag documentation.
Reporter | ||
Updated•2 years ago
|
Updated•9 months ago
|
Description
•