Closed Bug 1796100 Opened 2 years ago Closed 2 years ago

Timeout loading bdo.com.ph bank website with default en-US Accept-Language

Categories

(Web Compatibility :: Site Reports, defect)

Firefox 108
All
Unspecified
defect

Tracking

(firefox-esr102 wontfix, firefox106 wontfix, firefox107 wontfix, firefox108 wontfix, firefox110 wontfix, firefox111 fixed)

RESOLVED FIXED

People

(Reporter: ke5trel, Assigned: ksenia)

STR:

  1. Visit https://www.bdo.com.ph (Philippine bank) on Ubuntu 22.04.

Fails with PR_IO_TIMEOUT_ERROR on Linux and PR_CONNECT_RESET_ERROR on Windows 10.

Worked prior to version 44 (Windows and Linux) and works on Chrome.

Workaround is to set network.http.accept-encoding.secure = gzip, deflate so that it doesn't include "br" (brotli).

Regression window:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a955ea9382afedd66ea0da21fcd2932465168d84&tochange=d01dd42e654b8735d86f9e7c723cc869a3b56798

Regressed by Bug 1211916.

This looks like a web compatibility issue to me.

Component: Networking: HTTP → Desktop
Product: Core → Web Compatibility

:kershaw, could you elaborate on what you think is going on here to definitively make this not an issue with Firefox's Brotli support? Is their web server simply serving different Brotli-encoded data to Firefox compared to Chrome based on the useragent/other headers that are sent? It would be good to know before we reach out to them (or design a site patch).

Flags: needinfo?(kershaw)

It turns out this has nothing to do with Brotli encoding, since Chrome also sends Accept-Encoding: gzip, deflate, br, which is the same as what Firefox sends.
I used curl to find out which header causes the problem, and it turns out it's the q-value of the Accept-Language header. Please see the result below.

  1. Failed case
    I used curl to send the same request headers as Firefox did.
curl -v https://www.bdo.com.ph --header "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" --header "Accept-Encoding: gzip, deflate, br" -A "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0" --header "Connection: keep-alive" --header "Accept-Language: en-US,en;q=0.5"

Result: There is no response from the server.

*   Trying 23.37.54.103:443...
* Connected to www.bdo.com.ph (23.37.54.103) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: jurisdictionCountryName=PH; businessCategory=Private Organization; serialNumber=0000034001; C=PH; L=Makati; O=BDO Unibank, Inc.; CN=www.bdo.com.ph
*  start date: Sep  6 00:00:00 2022 GMT
*  expire date: May  5 23:59:59 2023 GMT
*  subjectAltName: host "www.bdo.com.ph" matched cert's "www.bdo.com.ph"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert ECC Extended Validation Server CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.bdo.com.ph
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
> Accept-Encoding: gzip, deflate, br
> Connection: keep-alive
> Accept-Language: en-US,en;q=0.5
>

  2. Success case
    I changed the Accept-Language to en-US,en;q=0.9, which is the same as Chrome.
curl -v https://www.bdo.com.ph --header "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" --header "Accept-Encoding: gzip, deflate, br" -A "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0" --header "Connection: keep-alive" --header "Accept-Language: en-US,en;q=0.9"

Got the response from the server below.

*   Trying 23.37.54.103:443...
* Connected to www.bdo.com.ph (23.37.54.103) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: jurisdictionCountryName=PH; businessCategory=Private Organization; serialNumber=0000034001; C=PH; L=Makati; O=BDO Unibank, Inc.; CN=www.bdo.com.ph
*  start date: Sep  6 00:00:00 2022 GMT
*  expire date: May  5 23:59:59 2023 GMT
*  subjectAltName: host "www.bdo.com.ph" matched cert's "www.bdo.com.ph"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert ECC Extended Validation Server CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.bdo.com.ph
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
> Accept-Encoding: gzip, deflate, br
> Connection: keep-alive
> Accept-Language: en-US,en;q=0.9
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Moved Temporarily
< Server: Apache
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Expires: Sun, 19 Nov 1978 05:00:00 GMT
< Cache-Control: no-cache, must-revalidate
< X-Content-Type-Options: nosniff
< Location: https://www.bdo.com.ph/personal
< X-Frame-Options: SAMEORIGIN
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< Date: Thu, 20 Oct 2022 07:56:13 GMT
< Connection: keep-alive
< Set-Cookie: user_preferred_language=en; expires=Fri, 20-Oct-2023 07:56:04 GMT; Max-Age=31536000; path=/; secure; httponly
< Set-Cookie: SSESS6a8346878f2872c324eb013222fd1f10=ZLo9sHTLJ4xBh118hgA6D3VSVoqP7U1ulbsT_tjbdvw; path=/; domain=.bdo.com.ph; secure; HttpOnly
< Set-Cookie: PHPSESSID=A; path=/
< Server-Timing: cdn-cache; desc=MISS
< Server-Timing: edge; dur=5
< Server-Timing: origin; dur=816
< Set-Cookie: _abck=96EBA100BA85B9F0ADF21274E4E1DAC0~-1~YAAQUtd6XHV4x+eDAQAAg4pk9AiBXlkHrn734T0zLJjIwDP2M4VHbgBjCNytymeR6SfhqWt23j+Q0kKeRgL6iZB06eGkE6v0DcttDQnzCGcAc0J4FPyQjVq4kP7rI+pVEu+RWWoEvTzlle4wXNEJb0rsrTJQbrzBhUz6tSk/sgEzcL9GBaz8+2XGlmRxaw3qn3ch77kTA9vRQ+52XBe1+K2MXA2JgiDi766eqZ1jx520gGN29Yfx2Fpx9BHn5sSdIendi9UoIbeKG6joela9UwrUcHxDgtONyiwjajuFtKDTmGfubTXIHn95dZSzw7uTTSA1d7aaAO/Ys+K7HfXKCYeKZi+YytvrHDWiDwWoZByPmnGiXUONyG26x7sc~-1~-1~-1; Domain=.bdo.com.ph; Path=/; Expires=Fri, 20 Oct 2023 07:56:13 GMT; Max-Age=31536000; Secure
< Set-Cookie: ak_bmsc=192BC3E74080AD74ADA81205194968D0~000000000000000000000000000000~YAAQUtd6XHZ4x+eDAQAAg4pk9BGV4zA7WWEtoujKXuOeJbJbY/uU0HhihhD/qqfbB65JWpgvcSpO2IKVjUzRw9wUmFCcqruriRCCeMe2lnk8/ZFC5hhw72aolxVX18kheQIphLGeJShejvKt/qwYdkMLP/ikapylnh4Li/O+wsyKbRsBkjfBlLVb7yDQ2DfWH1cb1DuvItn0SvDbn9KL+pkCBV4rxMWFQlos7soQx6cIMNl3UBOO+O7SOZe5m7iQF5cYQvTJLpEUuH7t4vayf6p1M7MSY08LCVtCeMzWP5dIsUU7hncdqo5gA7acJLh4FP+1KspY8X25CUHkHY9WcponU7XORanASKX2qDe9g19jzUnkE3s5Wt5lmjW0AlMdSEo=; Domain=.bdo.com.ph; Path=/; Expires=Thu, 20 Oct 2022 09:56:12 GMT; Max-Age=7199; HttpOnly
< Set-Cookie: bm_sz=42127BAD4579B55C45AC5C1AFA4276D0~YAAQUtd6XHd4x+eDAQAAg4pk9BHz/tdfRZbuWr4ty0/y6VnWvOU4SL04ss921P6mm7T/FVhvmUL80Gz5P+1qMVh0f5xrH/mycudgT5a+FtKUZ6x2R4nUsqma6xNtTbnN5aktdtCta2Uw1jWpsFv7MsYoArnSJliZnvAAj/DLiNBBYpOF7r1Pn/6qLVdKzFdMXZdzcWw8qoYg78DQYjPp3iASQTRZtjaMWgLQE0UWIRHWFUPPNZngiqi2bKNcwBtnzWcUnRb9XGfMHA31mSNTm7TROMaNBBjkr8tZE/ySS1D64lE=~3424816~4274500; Domain=.bdo.com.ph; Path=/; Expires=Thu, 20 Oct 2022 11:56:12 GMT; Max-Age=14399
<
* Connection #0 to host www.bdo.com.ph left intact
Flags: needinfo?(kershaw)
Keywords: regression
No longer regressed by: 1211916
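
The one-header-at-a-time isolation used in the curl comparison above, as an added example that is not part of the original bug comments. A constructed local stub stands in for the site (its stall on the exact value `en-US,en;q=0.5` is an assumption modelled on the report), and `probe`, `isolate`, `demo` and the `OTHER` comparison headers are hypothetical names and values.

```python
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

class StubSite(BaseHTTPRequestHandler):
    """Constructed stand-in: never answers the exact Firefox en-US default."""
    def do_GET(self):
        if self.headers.get("Accept-Language") == "en-US,en;q=0.5":
            time.sleep(1.5)  # stall past the client timeout, send nothing
            return
        self.send_response(302)
        self.end_headers()
    log_message = lambda self, *args: None  # keep the demo quiet

def probe(port, headers, timeout=0.5):
    """Return the HTTP status, or None if no response arrives in time."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=timeout)
    try:
        conn.request("GET", "/", headers=headers)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None  # timeout or reset, as in the two failure modes reported
    finally:
        conn.close()

def isolate(port, failing, working):
    """Swap in one working header at a time; return those that fix the request."""
    return [h for h in failing if h in working and failing[h] != working[h]
            and probe(port, {**failing, h: working[h]}) is not None]

FIREFOX = {  # values taken from the failing curl command above
    "Accept-Encoding": "gzip, deflate, br",
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0",
    "Accept-Language": "en-US,en;q=0.5",
}
OTHER = {  # constructed comparison set; only Accept-Language comes from the page
    "Accept-Encoding": "gzip, deflate",
    "User-Agent": "ExampleBrowser/1.0",
    "Accept-Language": "en-US,en;q=0.9",
}

def demo():
    server = ThreadingHTTPServer(("127.0.0.1", 0), StubSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_port
    return probe(port, FIREFOX), isolate(port, FIREFOX, OTHER)

if __name__ == "__main__":
    print(demo())
```

Swapping out Accept-Encoding (the original suspect) or User-Agent alone leaves the request hanging; only the Accept-Language swap restores a response.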

Can confirm loading fails for the default en-US Accept-Language, precisely en-US,en;q=0.5; changing any part of the string allows it to work.

Summary: Timeout loading bdo.com.ph bank website due to brotli Accept-Encoding → Timeout loading bdo.com.ph bank website with default en-US Accept-Language

We appreciate your report. I was able to reproduce the issue.

Tested with:

Browser / Version: Firefox Nightly 111.0a1 (2023-01-19) (64-bit) / Chrome Version 109.0.5414.75 (Official Build) (64-bit)
Operating System: Windows 10 PRO x64
Operating System: Ubuntu 20.4 LTS x64

Notes:

  1. Reproducible regardless of the status of ETP.
  2. Reproducible on the latest build of Firefox Nightly and Release.
  3. Works as expected using Chrome.
Assignee: nobody → kberezina
Status: NEW → ASSIGNED
Depends on: 1811325

Filed bug 1811325 for the Accept-Language header intervention.

The intervention is shipped in bug 1805408 and I can confirm that the site loads as expected in Nightly. The fix will get to release once it reaches version 111, so I think we can close this.

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED