1868348 - Distinguish redirect loop caused by endless HTTPS-HTTP loop

Status: RESOLVED WONTFIX

(Core :: Networking: HTTP, task, P2)

Description

[Kershaw Chang [:kershaw]]

Currently, Firefox fails to differentiate between redirect loops caused by a cycle between HTTPS and HTTP and other types of redirect loops. Currently, we use the same error code NS_ERROR_REDIRECT_LOOP and show the same error page, leading to potential misinterpretation and difficulty in troubleshooting HTTPS and HTTP loop caused by HTTPS-only or HTTPS-first mode.

The first step might be using a different error code for HTTPS-HTTP loop.

Comment 1

[Manuel Bucher [:manuel]]

Currently we show the HTTPS-only error page for errors where a https-only upgrade was involved (including the redirect loop). In some cases this doesn't trigger (when starting at the https page, because then no real https-only upgrade was triggered, only the loop detection). Https-first doesn't show a redirect loop at all, it just loads the http page.

What could be added is to

• show the https-only error page when https-only mode is enabled and the user startet at the https page (i.e. enters https://example.com/ and it redirects to http://example.com
• don't show the https-only error page when the page has hsts enabled, because hsts has higher priority than https-only mode.

Comment 2

[Valentin Gosu [:valentin] (he/him)]

I guess what we need here is:

• A test for this situation
• A new error code in ErrorList.py
• Return the new error code in nsHttpChannel when upgrading the channel to secure (and a channel in the redirect chain also did a HTTPS upgrade using secure)?

Comment 3

[Sean Kim [:sekim]]

Hello Kershaw,

Do you have any thoughts on the starting point of this bug? (when checking for a cycle between HTTPS and HTTP)

Perhaps these returns?:
https://searchfox.org/mozilla-central/rev/be3db2aef8d3916c891527794a2d5e2f2dc9fab1/netwerk/protocol/http/HttpBaseChannel.cpp#6148
https://searchfox.org/mozilla-central/rev/be3db2aef8d3916c891527794a2d5e2f2dc9fab1/netwerk/protocol/http/HttpBaseChannel.cpp#6159
https://searchfox.org/mozilla-central/rev/be3db2aef8d3916c891527794a2d5e2f2dc9fab1/netwerk/protocol/http/HttpBaseChannel.cpp#6186

Comment 4

[Sean Kim [:sekim]]

Attachment: Bug 1868348 - Part 1: Introduce a new error for endless HTTP-HTTPS loop to make it distinguishable from NS_ERROR_REDIRECT_LOOP r=#necko

Comment 5

[Kershaw Chang [:kershaw]]

(In reply to Sean Kim from comment #3)

Hello Kershaw,

Do you have any thoughts on the starting point of this bug? (when checking for a cycle between HTTPS and HTTP)

Perhaps these returns?:
https://searchfox.org/mozilla-central/rev/be3db2aef8d3916c891527794a2d5e2f2dc9fab1/netwerk/protocol/http/HttpBaseChannel.cpp#6148
https://searchfox.org/mozilla-central/rev/be3db2aef8d3916c891527794a2d5e2f2dc9fab1/netwerk/protocol/http/HttpBaseChannel.cpp#6159
https://searchfox.org/mozilla-central/rev/be3db2aef8d3916c891527794a2d5e2f2dc9fab1/netwerk/protocol/http/HttpBaseChannel.cpp#6186

Yes, these are the places where we return NS_ERROR_REDIRECT_LOOP.
In addition, I think you might want to take a look at IsUpgradeDowngradeEndlessLoop as well.

Comment 6

[Sean Kim [:sekim]]

Attachment: Bug 1868348 - Part 2: Handle NS_ERROR_HTTP_HTTPS_REDIRECT_LOOP in the prior use cases r=#necko

Comment 7

[Sean Kim [:sekim]]

Attachment: WIP: Bug 1868348 - Part 3: Create an error page for HTTP-HTTPS redirect loops r=#necko

Comment 8

[Sean Kim [:sekim]]

I think we are handling the cases correctly and showing the correct error page:

1. When HTTPS-only mode is enabled + redirect loop, we show the HTTPS-only exception page
2. When HTTPS-first mode is enabled: When we detect a redirect loop, we show the default redirect loop error page.

If there are any unexpected mismatches in the future, please feel free to reopen this bug.