Firefox drops Authorization header when upgrading a connection to https
Categories
(Core :: Networking: HTTP, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox111 | --- | wontfix |
| firefox112 | --- | fixed |
| firefox113 | --- | fixed |
People
(Reporter: mozilla-bugzilla, Assigned: smayya)
References
(Regression)
Details
(Keywords: regression, Whiteboard: [necko-triaged])
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-beta+
|
Details | Review |
Steps to reproduce:
I'm hitting this bug in Firefox Beta 112.0b2: https://bugzilla.mozilla.org/show_bug.cgi?id=1817980 - not sure if the fix is just not included there or if it was not fixed.
Steps to reproduce:
- Enable HTTPS only mode
- Open https://try.vikunja.io
- In "Storage" > "Local Storage" change the value of the API_URL saved to start with http instead of https
- Now try to log in with demo / demo
Actual results:
Login fails. If you do the same with dev tools open, you can see how the request after the login request to /user fails with an error code 401 because the Authorization header is not present.
Expected results:
The login should have worked.
|
||
Comment 1•1 year ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
|
||
Comment 2•1 year ago
|
||
(In reply to Konrad from comment #0)
Steps to reproduce:
I'm hitting this bug in Firefox Beta 112.0b2: https://bugzilla.mozilla.org/show_bug.cgi?id=1817980 - not sure if the fix is just not included there or if it was not fixed.
See https://bugzilla.mozilla.org/show_bug.cgi?id=1817980#c20, the fix was there after 111.0b8, so I assume this is fixed.
Feel free to reopen if this is not fixed. Thanks.
|
||
Comment 3•1 year ago
|
||
This is happening in 112.0b2, so not fixed.
Also looking at the code it occurred to me that we shouldn't strip the header for internal redirects/sts upgrade.
Same in XMLHttpRequestMainThread.cpp and FetchDriver.cpp.
Sunil, do you have time to work on this?
|
|
||
Comment 4•1 year ago
|
||
Set release status flags based on info from the regressing bug 1802086
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 5•1 year ago
|
||
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
Pushed by smayya@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bf3b3a92d500 do not drop auth header for HSTS and internal redirects. r=necko-reviewers,valentin
|
||
Comment 7•1 year ago
|
||
| bugherder | ||
|
|
||
Comment 8•1 year ago
|
||
The patch landed in nightly and beta is affected.
:smayya, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox112towontfix.
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 9•1 year ago
|
||
Comment on attachment 9324861 [details]
Bug 1823502 - do not drop auth header for HSTS and internal redirects. r=#necko
Beta/Release Uplift Approval Request
- User impact if declined: Authorization failures for internal redirects
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): Change is not too risky as the behavior can be controlled using pref.
- String changes made/needed:
- Is Android affected?: Yes
|
||
Comment 10•1 year ago
|
||
Comment on attachment 9324861 [details]
Bug 1823502 - do not drop auth header for HSTS and internal redirects. r=#necko
Approved for 112.0b8
|
|
||
Comment 11•1 year ago
|
||
| bugherder uplift | ||
Description
•