Closed Bug 1769066 Opened 3 years ago Closed 3 years ago

Error in HTTPS-First, it is trying to update the HTTPS request

Categories

(Core :: DOM: Security, defect)

Firefox 100
defect

Tracking


RESOLVED INCOMPLETE

People

(Reporter: u706465, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

Attached image Errors in console

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Safari/605.1.15

Steps to reproduce:

  1. Open the site http://pinzeria.ru/ in incognito mode
  2. Add items to cart
  3. Start Checkout
  4. Reach the moment of payment
  5. Click pay and see the payment system frame
  6. Open the console and see that Yandex Pay payment initialization failed because HTTPS-First turned the request into HTTP and then the browser blocked it for mixed content.

Actual results:

Yandex Pay payment initialization failed because HTTPS-First turned the request into HTTP and then the browser blocked it for mixed content.

If you tap refresh and repeat all steps again, then suddenly everything will work as expected.

Expected results:

No errors, successful initialization of the Yandex Pay button

Attached image request in network pane

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core

HTTPS-First is only supposed to update the top-level URL, which is not subject to the mixed-content-blocker. Your first picture shows it upgrading things that are then blocked, and the second picture shows those were loaded into an <iframe> ("subdocument"). Insecure subdocuments definitely will get blocked by the mixed-content-blocker, but HTTPS-First should not be trying to upgrade those. This is not making a lot of sense.

Separately from whatever is going on in Firefox, trying to connect to cloudpay and pay.yandex.ru insecurely is a TERRIBLE idea. If there's any kind of connection you do NOT want to be made insecurely over the internet, it's payment information. Payments were the original motivation for the invention of SSL/HTTPS in the first place. It's very suspicious that those sites were not available securely and failed. Are they being blocked? Is there a certificate problem?

Flags: needinfo?(lyavor)

Hmm.
I can't reproduce it.
I tried to check if the bug exists in an older Firefox version but didn't find a version where this problem occurred.

@Ruslan Kunaev
Could you check if the problem still occurs for you? Maybe the site got updated or something?

Flags: needinfo?(lyavor) → needinfo?(Ruslan.Kunaev)

When testing from America I don't seem to get the option for yandex pay, only cash. Maybe because of sanctions they don't even try?

I did see a couple of mixed-content-blocked POSTs. One was to https://pinzeria.ru/delivery/index.php?route=checkout/cart/edit which starts out secure, but then returns a 302 redirect to http://pinzeria.ru/delivery/make_order/ which is what is actually getting blocked. But that's not what this bug is about.
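To make the two separate policies discussed in the comments above concrete, here is an added toy model written for this page (not Gecko's code): HTTPS-First upgrades only the top-level navigation, while the mixed-content blocker inspects every hop of a subresource load, including a 302 to http, once the top-level page is https. The `Load` type, the sample URLs' paths, and the simplification that every load kind counts as blockable active content are assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed, simplified model of two Firefox policies; assumption: it is an
# illustration for this bug, not the real implementation.


@dataclass
class Load:
    url: str
    kind: str                               # "document" (top-level), "subdocument", "xhr"
    redirects: list = field(default_factory=list)  # constructed 302 chain, in order


def https_first_upgrade(load: Load) -> str:
    """HTTPS-First upgrades only top-level http navigations; frames and
    XHRs are left alone, which is why an upgraded subdocument is unexpected."""
    parsed = urlparse(load.url)
    if load.kind == "document" and parsed.scheme == "http":
        return parsed._replace(scheme="https").geturl()
    return load.url


def mixed_content_verdict(top_level_url: str, load: Load) -> str:
    """Once the page is https, any http hop in the load's redirect chain is
    blocked, even if the initial request was secure (the 302 case in the bug)."""
    if urlparse(top_level_url).scheme != "https":
        return "allowed"                   # blocker only protects secure pages
    for hop in [load.url] + load.redirects:
        if urlparse(hop).scheme == "http":
            return "blocked:" + hop
    return "allowed"


def simulate(top_level: Load, subloads: list) -> dict:
    """Upgrade the navigation, then evaluate each subload against it."""
    page = https_first_upgrade(top_level)
    return {sub.url: mixed_content_verdict(page, sub) for sub in subloads}


if __name__ == "__main__":
    nav = Load("http://pinzeria.ru/", "document")
    cart_edit = Load("https://pinzeria.ru/delivery/index.php?route=checkout/cart/edit",
                     "xhr", redirects=["http://pinzeria.ru/delivery/make_order/"])
    pay_frame = Load("http://pay.yandex.ru/", "subdocument")   # constructed path
    for url, verdict in simulate(nav, [cart_edit, pay_frame]).items():
        print(url, "->", verdict)
```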

So far, nobody has been able to reproduce. If the reporter does not respond back, we will close this bug as incomplete.

We can reopen this if we get more info.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE