Trying to log in from https://meine.santander.de/nosignature/ with https-only-mode is incorrectly detected as a redirect loop
Categories: Core :: DOM: Security, defect, P3
People: Reporter: zitrobugs, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [domsecurity-backlog]
Steps to reproduce
- Go to settings and activate https-only-mode in all windows
- Go to https://meine.santander.de/nosignature/
- Click on the button "NEU EINLOGGEN" -> You will be automatically redirected to http://meine.santander.de/login/ but with the warning "Secure connection not available"
- If you reload this page you will be redirected correctly to https://meine.santander.de/login/#/login/
Comment 1•3 years ago
On Firefox 90 (release) everything was working perfectly. Since Firefox 91 it is broken.
Comment 2•3 years ago
Confirming. Still broken on nightly.
Comment 3•3 years ago
I'm not sure Firefox behavior is wrong. The site does a bunch of redirecting (mostly 301, some 302), eventually redirecting from https://meine.santander.de/login/?errorCode=50900071 (// signature failed) to http://meine.santander.de/login/ -- at which point our networking library returns an error NS_ERROR_REDIRECT_LOOP. When we see that we put up the interstitial because it looks like we can't load the upgraded URL.
At this point if you click the "continue to http site" button OR if you "reload this page" manually (step 4 above) you're doing the same thing, loading http://meine.santander.de/login/ (insecure). We do add a temporary exception when you use the button but that doesn't come into play in this case.
For reloading we take http://meine.santander.de/login/ (note: not the original URL) and upgrade to https://. On a truly broken site you'd be stuck again, but this site isn't actually broken so it works. It appeared broken on the original URL because of all the redirects it did trying to get that signature stuff.
When you click the continue button we first create a temporary exception ("don't upgrade http://meine.santander.de") and then load the insecure URL with no upgrade. But on this site when you load the insecure URL the site itself redirects to the secure form! So you end up in the same place. It would have worked fine after just one more redirect if we hadn't gotten NS_ERROR_REDIRECT_LOOP.
- site specific problem: edge-case, not a fundamental flaw in https-only
- Is this a bug in networking code's redirect loop detection, or is this just an extreme site?
- would it help if we ignored NS_ERROR_REDIRECT_LOOP one time, did the upgrade, and tried again? Who knows what that would do on other sites though. Might even break -this- site if the signature redirecting stuff had worked instead of returning that site error param: picking up by loading the intermediate URL in a new request might have missing context.
Ultimately this site works fine as it is. If you open the site with no path you're redirected to the login form directly. If you go through that /nosignature url (where does that come from?) you get the annoyance of an unnecessary error interstitial, but it does work just fine.
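The flow described in the comment above (upgrade, long redirect chain, loop error, interstitial, then "reload" versus "continue to http site") can be modelled in a few dozen lines. The following is an added illustration, not Firefox code: it simulates an HTTPS-Only loader over a constructed redirect table in which the `/sig-check/N` hops are placeholders for the site's intermediate redirects (the real hops are not recorded in this bug), while the `/nosignature/`, `/login/?errorCode=50900071`, `http://.../login/` and `/login/#/login/` URLs are the ones named here. The `limit` is deliberately tiny so the toy chain trips it; a real browser's redirection counter (Firefox's `network.http.redirection-limit` pref) is far larger, but the mechanism is the same. It also contrasts two loop detectors, a hop counter and a repeated-URL check, on both this chain and a genuinely broken host, which is the question the comment raises.

```python
"""Toy model of HTTPS-Only Mode meeting a long redirect chain (added example)."""
from urllib.parse import urlsplit, urlunsplit

HOST = "meine.santander.de"

# Constructed redirect table: source URL -> Location header.
# /sig-check/N are placeholders for the site's intermediate hops.
REDIRECTS = {
    f"https://{HOST}/nosignature/": f"https://{HOST}/sig-check/1",
    f"https://{HOST}/sig-check/1": f"https://{HOST}/sig-check/2",
    f"https://{HOST}/sig-check/2": f"https://{HOST}/sig-check/3",
    f"https://{HOST}/sig-check/3": f"https://{HOST}/login/?errorCode=50900071",
    f"https://{HOST}/login/?errorCode=50900071": f"http://{HOST}/login/",
    # The site sends the insecure login URL straight back to the secure form,
    # and the plain https login URL on to the same form.
    f"http://{HOST}/login/": f"https://{HOST}/login/#/login/",
    f"https://{HOST}/login/": f"https://{HOST}/login/#/login/",
    # A genuinely broken host for comparison: its https side bounces back to http.
    "https://broken.example/": "http://broken.example/",
}


def upgrade(url: str) -> str:
    """Rewrite an http:// URL to https://, as HTTPS-Only Mode does before loading."""
    return urlunsplit(urlsplit(url)._replace(scheme="https"))


def load(url, limit=4, exceptions=frozenset(), strategy="hops"):
    """Simulate an HTTPS-Only load of `url`.

    Returns ("page", final_url) on success or ("interstitial", insecure_url),
    the latter standing in for the "Secure connection not available" page.
    `strategy` picks the loop detector: "hops" gives up once more than `limit`
    redirects were followed (a redirection counter); "cycle" gives up only when
    the same URL is about to be requested a second time.
    """
    cur, hops, seen = url, 0, set()
    while True:
        parts = urlsplit(cur)
        target = cur
        if parts.scheme == "http" and parts.hostname not in exceptions:
            target = upgrade(cur)          # no exception for this host: upgrade
        looped = hops > limit if strategy == "hops" else target in seen
        if looped:
            # The networking layer reports a redirect loop (NS_ERROR_REDIRECT_LOOP
            # in Firefox terms); the loader treats the upgraded URL as unreachable
            # and offers the URL it was about to load on the interstitial.
            return ("interstitial", cur)
        seen.add(target)
        if target not in REDIRECTS:
            return ("page", target)        # a real page answered, done
        hops += 1
        cur = REDIRECTS[target]


def click_continue(insecure_url, **kw):
    """Interstitial button: record a temporary exception for the host, then load unupgraded."""
    return load(insecure_url, exceptions=frozenset({urlsplit(insecure_url).hostname}), **kw)


def reload(insecure_url, **kw):
    """Manual reload of the interstitial URL: no exception, so the http:// URL is upgraded again."""
    return load(insecure_url, **kw)


if __name__ == "__main__":
    start = f"https://{HOST}/nosignature/"
    for strategy in ("hops", "cycle"):
        print(f"{strategy:5} {start} -> {load(start, strategy=strategy)}")
    stuck = load(start)[1]
    print("reload  ->", reload(stuck))
    print("continue->", click_continue(stuck))
    print("broken  ->", load("http://broken.example/", strategy="cycle"))
```

With the hop counter, the chain that starts at `/nosignature/` ends on the interstitial for `http://meine.santander.de/login/` even though no URL ever repeats; both the reload and the continue button then succeed because the remaining path is only one or two hops. The repeated-URL detector lets the same chain through but still catches the host whose https side bounces back to http, which is the behaviour a "truly broken site" needs.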
> Ultimately this site works fine as it is.
Not really... the bank tells me to log in via https://meine.santander.de/olb (and there are links to that in various places), and that URL shows the same "redirect loop" behavior as the OP. So this will affect users; they will probably think either Firefox or the website is broken.
Comment 5•7 months ago
I cannot reproduce this anymore; I suspect it has been fixed on the server side by now.