Timeout loading bdo.com.ph bank website with default en-US Accept-Language
Categories
(Web Compatibility :: Site Reports, defect)
Tracking
(firefox-esr102 wontfix, firefox106 wontfix, firefox107 wontfix, firefox108 wontfix, firefox110 wontfix, firefox111 fixed)
People
(Reporter: ke5trel, Assigned: ksenia)
Details
STR:
- Visit https://www.bdo.com.ph (Philippine bank) on Ubuntu 22.04.
Fails with PR_IO_TIMEOUT_ERROR on Linux and PR_CONNECT_RESET_ERROR on Windows 10.
Worked prior to version 44 (Windows and Linux) and works on Chrome.
Workaround is to set network.http.accept-encoding.secure = gzip, deflate so that it doesn't include "br" (brotli).
Regression window:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a955ea9382afedd66ea0da21fcd2932465168d84&tochange=d01dd42e654b8735d86f9e7c723cc869a3b56798
Regressed by Bug 1211916.
Comment 1•2 years ago
This looks like a web compatibility issue to me.
Comment 2•2 years ago
:kershaw, could you elaborate on what you think is going on here to definitively make this not an issue with Firefox's Brotli support? Is their web server simply serving different Brotli-encoded data to Firefox compared to Chrome based on the useragent/other headers that are sent? It would be good to know before we reach out to them (or design a site patch).
Comment 3•2 years ago
It turns out this has nothing to do with Brotli encoding, since Chrome also sends Accept-Encoding: gzip, deflate, br, which is the same as Firefox does.
I used curl to find out which header causes the problem and it turns out it's the q-value of the Accept-Language header. Please see the result below.
- Failed case
I used curl to send the same request headers as Firefox did.
curl -v https://www.bdo.com.ph --header "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" --header "Accept-Encoding: gzip, deflate, br" -A "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0" --header "Connection: keep-alive" --header "Accept-Language: en-US,en;q=0.5"
Result: There is no response from the server.
* Trying 23.37.54.103:443...
* Connected to www.bdo.com.ph (23.37.54.103) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
* CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: jurisdictionCountryName=PH; businessCategory=Private Organization; serialNumber=0000034001; C=PH; L=Makati; O=BDO Unibank, Inc.; CN=www.bdo.com.ph
* start date: Sep 6 00:00:00 2022 GMT
* expire date: May 5 23:59:59 2023 GMT
* subjectAltName: host "www.bdo.com.ph" matched cert's "www.bdo.com.ph"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert ECC Extended Validation Server CA
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.bdo.com.ph
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
> Accept-Encoding: gzip, deflate, br
> Connection: keep-alive
> Accept-Language: en-US,en;q=0.5
>
- Success case
I changed the Accept-Language to en-US,en;q=0.9, which is the same as Chrome.
curl -v https://www.bdo.com.ph --header "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" --header "Accept-Encoding: gzip, deflate, br" -A "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0" --header "Connection: keep-alive" --header "Accept-Language: en-US,en;q=0.9"
Got the response from server below.
* Trying 23.37.54.103:443...
* Connected to www.bdo.com.ph (23.37.54.103) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
* CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: jurisdictionCountryName=PH; businessCategory=Private Organization; serialNumber=0000034001; C=PH; L=Makati; O=BDO Unibank, Inc.; CN=www.bdo.com.ph
* start date: Sep 6 00:00:00 2022 GMT
* expire date: May 5 23:59:59 2023 GMT
* subjectAltName: host "www.bdo.com.ph" matched cert's "www.bdo.com.ph"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert ECC Extended Validation Server CA
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.bdo.com.ph
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
> Accept-Encoding: gzip, deflate, br
> Connection: keep-alive
> Accept-Language: en-US,en;q=0.9
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Moved Temporarily
< Server: Apache
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Expires: Sun, 19 Nov 1978 05:00:00 GMT
< Cache-Control: no-cache, must-revalidate
< X-Content-Type-Options: nosniff
< Location: https://www.bdo.com.ph/personal
< X-Frame-Options: SAMEORIGIN
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< Date: Thu, 20 Oct 2022 07:56:13 GMT
< Connection: keep-alive
< Set-Cookie: user_preferred_language=en; expires=Fri, 20-Oct-2023 07:56:04 GMT; Max-Age=31536000; path=/; secure; httponly
< Set-Cookie: SSESS6a8346878f2872c324eb013222fd1f10=ZLo9sHTLJ4xBh118hgA6D3VSVoqP7U1ulbsT_tjbdvw; path=/; domain=.bdo.com.ph; secure; HttpOnly
< Set-Cookie: PHPSESSID=A; path=/
< Server-Timing: cdn-cache; desc=MISS
< Server-Timing: edge; dur=5
< Server-Timing: origin; dur=816
< Set-Cookie: _abck=96EBA100BA85B9F0ADF21274E4E1DAC0~-1~YAAQUtd6XHV4x+eDAQAAg4pk9AiBXlkHrn734T0zLJjIwDP2M4VHbgBjCNytymeR6SfhqWt23j+Q0kKeRgL6iZB06eGkE6v0DcttDQnzCGcAc0J4FPyQjVq4kP7rI+pVEu+RWWoEvTzlle4wXNEJb0rsrTJQbrzBhUz6tSk/sgEzcL9GBaz8+2XGlmRxaw3qn3ch77kTA9vRQ+52XBe1+K2MXA2JgiDi766eqZ1jx520gGN29Yfx2Fpx9BHn5sSdIendi9UoIbeKG6joela9UwrUcHxDgtONyiwjajuFtKDTmGfubTXIHn95dZSzw7uTTSA1d7aaAO/Ys+K7HfXKCYeKZi+YytvrHDWiDwWoZByPmnGiXUONyG26x7sc~-1~-1~-1; Domain=.bdo.com.ph; Path=/; Expires=Fri, 20 Oct 2023 07:56:13 GMT; Max-Age=31536000; Secure
< Set-Cookie: ak_bmsc=192BC3E74080AD74ADA81205194968D0~000000000000000000000000000000~YAAQUtd6XHZ4x+eDAQAAg4pk9BGV4zA7WWEtoujKXuOeJbJbY/uU0HhihhD/qqfbB65JWpgvcSpO2IKVjUzRw9wUmFCcqruriRCCeMe2lnk8/ZFC5hhw72aolxVX18kheQIphLGeJShejvKt/qwYdkMLP/ikapylnh4Li/O+wsyKbRsBkjfBlLVb7yDQ2DfWH1cb1DuvItn0SvDbn9KL+pkCBV4rxMWFQlos7soQx6cIMNl3UBOO+O7SOZe5m7iQF5cYQvTJLpEUuH7t4vayf6p1M7MSY08LCVtCeMzWP5dIsUU7hncdqo5gA7acJLh4FP+1KspY8X25CUHkHY9WcponU7XORanASKX2qDe9g19jzUnkE3s5Wt5lmjW0AlMdSEo=; Domain=.bdo.com.ph; Path=/; Expires=Thu, 20 Oct 2022 09:56:12 GMT; Max-Age=7199; HttpOnly
< Set-Cookie: bm_sz=42127BAD4579B55C45AC5C1AFA4276D0~YAAQUtd6XHd4x+eDAQAAg4pk9BHz/tdfRZbuWr4ty0/y6VnWvOU4SL04ss921P6mm7T/FVhvmUL80Gz5P+1qMVh0f5xrH/mycudgT5a+FtKUZ6x2R4nUsqma6xNtTbnN5aktdtCta2Uw1jWpsFv7MsYoArnSJliZnvAAj/DLiNBBYpOF7r1Pn/6qLVdKzFdMXZdzcWw8qoYg78DQYjPp3iASQTRZtjaMWgLQE0UWIRHWFUPPNZngiqi2bKNcwBtnzWcUnRb9XGfMHA31mSNTm7TROMaNBBjkr8tZE/ySS1D64lE=~3424816~4274500; Domain=.bdo.com.ph; Path=/; Expires=Thu, 20 Oct 2022 11:56:12 GMT; Max-Age=14399
<
* Connection #0 to host www.bdo.com.ph left intact
Can confirm loading fails for the default en-US Accept-Language, precisely en-US,en;q=0.5; changing any part of the string allows it to work.
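The header isolation that Comment 3 did by hand with curl can be scripted by swapping one differing header at a time from the failing request into a working one. This is an added example, not code from the bug thread or from Firefox; `isolate`, `live_probe` and `simulated_probe` are hypothetical names, the second User-Agent is constructed, and `simulated_probe` only mimics the behaviour reported here so the block runs offline. It generalizes the two-request comparison to any number of differing headers.

```python
import http.client

# Shared headers, copied from the curl commands in Comment 3.
COMMON = {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,"
              "image/avif,image/webp,*/*;q=0.8",
    "Accept-Encoding": "gzip, deflate, br",
    "Connection": "keep-alive",
}
FIREFOX_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) "
              "Gecko/20100101 Firefox/107.0")
FAILING = {**COMMON, "User-Agent": FIREFOX_UA, "Accept-Language": "en-US,en;q=0.5"}
# Constructed second client: differs in two headers so there is something to isolate.
WORKING = {**COMMON, "User-Agent": "ExampleBrowser/1.0 (constructed)",
           "Accept-Language": "en-US,en;q=0.9"}

def live_probe(host, timeout=15):
    """Build a probe that sends GET / to host; True if any response arrives."""
    def probe(headers):
        conn = http.client.HTTPSConnection(host, timeout=timeout)
        try:
            conn.request("GET", "/", headers=headers)
            conn.getresponse()
            return True
        except (OSError, http.client.HTTPException):  # timeout, reset, bad reply
            return False
        finally:
            conn.close()
    return probe

def simulated_probe(headers):
    """Constructed stand-in for the behaviour reported in this bug (runs offline)."""
    return headers.get("Accept-Language") != "en-US,en;q=0.5"

def isolate(failing, working, probe):
    """Return header names whose failing value alone breaks the working request."""
    if probe(failing) or not probe(working):
        raise ValueError("baselines do not reproduce the failing/working split")
    culprits = []
    for name in sorted(set(failing) | set(working)):
        if failing.get(name) == working.get(name):
            continue
        trial = dict(working)            # start from the request that works
        if name in failing:
            trial[name] = failing[name]  # swap in one suspect header
        else:
            trial.pop(name)              # header absent from the failing request
        if not probe(trial):
            culprits.append(name)
    return culprits
```

Calling `isolate(FAILING, WORKING, simulated_probe)` names only Accept-Language, ruling out the differing User-Agent; passing `live_probe(host)` instead runs the same comparison against a real server.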
Comment 5•2 years ago
We appreciate your report. I was able to reproduce the issue.
Tested with:
Browser / Version: Firefox Nightly 111.0a1 (2023-01-19) (64-bit) / Chrome Version 109.0.5414.75 (Official Build) (64-bit)
Operating System: Windows 10 PRO x64
Operating System: Ubuntu 20.4 LTS x64
Notes:
- Reproducible regardless of the status of ETP.
- Reproducible on the latest build of Firefox Nightly and Release.
- Works as expected using Chrome.
Assignee
Comment 6•2 years ago
Filed bug 1811325 for the Accept-Language header intervention.
Assignee
Comment 7•2 years ago
The intervention is shipped in bug 1805408 and I can confirm that the site loads as expected in Nightly. The fix will get to release once it reaches version 111, so I think we can close this.