Don't consider it's a upgrade downgrade loop if the uri path is different
Categories
(Core :: Networking, defect, P1)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr78 | --- | unaffected |
firefox-esr91 | --- | wontfix |
firefox91 | --- | wontfix |
firefox92 | --- | wontfix |
firefox93 | --- | verified |
People
(Reporter: Fanolian+BMO, Assigned: kershaw)
References
(Regression, )
Details
(Keywords: nightly-community, regression, reproducible, Whiteboard: [necko-triaged])
Attachments
(2 files)
+++ This bug was initially created as a clone of Bug #1725026 +++
The issue below is similar to bug 1725026 but that does not fix my issue.
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Build ID: 20210814094200
Steps to reproduce
- Enable HTTPS-Only Mode in all windows. Make sure
dom.security.https_only_mode_break_upgrade_downgrade_endless_loop
is true. - Open https://www.hkepc.com/ (a Chinese tech forum)
- Click on 討論區, which locates at the end of the top bar which writes "主頁 專題報導 新聞中心 新品快遞 超頻領域 流動數碼 生活娛樂 會員消息 討論區". (See the attached screenshot if you cannot find it.)
Actual result
HTTPS-Only Mode Alert is triggered. Clicking Continue to HTTP Site
will load https://www.hkepc.com/forum/.
Expected result
No alert is triggered.
Notes
- The link at 討論區 points to https://www.hkepc.com/forum but the final destination is https://www.hkepc.com/forum/ (with a trailing slash).
- Left/Middle/Right click at the link ->
Open Link in New YYY
all trigger the alert. - Unlike bug 1725026 comment 2, copying https://www.hkepc.com/forum -> open a blank new tab -> paste link will also trigger the alert.
Workarounds
- Set
dom.security.https_only_mode_break_upgrade_downgrade_endless_loop
tofalse
. Or - Disable HTTPS-Only Mode. (it will still reach https://www.hkepc.com/forum/.)
Regression
Same with bug 1725026, this is regressed by bug 1716069.
Assignee | ||
Comment 1•3 years ago
•
|
||
A short summary for this issue:
-
The case in bug 1725026: The load is triggered by user gesture and we do HTTPS upgrade because of HTTPS-only mode.
I think the patch in bug 1725026 is reasonable, since we do user gesture check for the first load. -
The case in this bug: A link points to
https://www.hkepc.com/forum
and the server returns a301
with locationhttp://www.hkepc.com/forum/
.
This is not a upgrade and downgrade loop, since the uri path is actually different. The problem here is that we only check host name innsHTTPSOnlyUtils::IsUpgradeDowngradeEndlessLoop
. To fix this, I think we should also check the path here. -
The case in bug 1716069: this is actually an upgrade and downgrade loop.
If we revert the changes in bug 1716069,nsHTTPSOnlyUtils::IsUpgradeDowngradeEndlessLoop
will return false and we'll reach redirection limit (NS_ERROR_REDIRECT_LOOP
)in the end. Note that not just HTTPS RR leads toNS_ERROR_REDIRECT_LOOP
, but also HTTPS-only mode.
Assignee | ||
Comment 2•3 years ago
|
||
The previous comment was edited, since I think the root cause of this bug is that we only check if the host
in identical in nsHTTPSOnlyUtils::IsUpgradeDowngradeEndlessLoop
. When a page/server wants to redirect a uri with a different path, it should not be a upgrade and a downgrade loop.
Assignee | ||
Comment 3•3 years ago
|
||
Assignee | ||
Updated•3 years ago
|
Updated•3 years ago
|
Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/033420d6bd56 Also check if the uri path is the same when doing upgrade and downgrade loop check, r=ckerschb
Comment 5•3 years ago
|
||
bugherder |
Comment 6•3 years ago
|
||
The patch landed in nightly and beta is affected.
:kershaw, is this bug important enough to require an uplift?
If not please set status_beta
to wontfix
.
For more information, please visit auto_nag documentation.
Assignee | ||
Comment 7•3 years ago
|
||
I think we can let it ride the train. Thanks.
Updated•3 years ago
|
Updated•3 years ago
|
Comment 8•3 years ago
|
||
I was able to reproduce this bug by using the steps from comment 0, on an affected Nightly build (2021-08-14).
The issue is verified as fixed on latest Beta 93.0b7, across platforms: Win 10 x64, macOS 11 and Ubuntu 18.04 x64.
Description
•