First twitch.tv log in fails in private windows due to HTTPS-First and in normal windows since dom.security.https_first_schemeless was enabled
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
People
(Reporter: ke5trel, Assigned: maltejur)
References
(Blocks 2 open bugs, Regression, )
Details
(Keywords: regression, Whiteboard: [domsecurity-active])
Attachments
(4 files)
323.83 KB,
image/png
|
Details | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-beta+
|
Details | Review |
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-esr115+
|
Details | Review |
STR:
- Clear all cookies and restart the browser.
- Visit twitch.tv and attempt to log in with a random username & password.
Expected:
"This username does not exist." quickly appears.
Actual:
"Your browser is not currently supported." appears after some delay.
Reloading page allows log in to work until clearing cookies and restarting.
Does not happen with dom.security.https_first_schemeless = false
.
Regression window:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=60c35d4b7fc7e53ca892030e14d775d108f1cbf8&tochange=634166177399b328d66e1e183a4ff52c92551cfe
Regressed by Bug 1863281.
Comment 1•4 months ago
|
||
:mjurgens, since you are the author of the regressor, bug 1863281, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
Updated•4 months ago
|
Assignee | ||
Comment 2•4 months ago
|
||
Thanks for reporting, I can confirm this behavior. From my current observations, this is only happening if the server is responding with a error code on a subresource (in my case 429 too many requests on a graphql request). For some reason HTTPS-First thinks that it upgraded that subresource load (which it shouldn't have, because only schemeless HTTPS-First is enabled, and even normal HTTPS-First doesn't upgrade subresources). That means that HTTPS-First will "downgrade" that load again, as it received an error from the server, and it thinks that error was caused by a upgrade. That downgraded HTTP request is then being blocked by mixed content protection, which seemingly makes twitch display "Your browser is not currently supported".
The good news is that, from my understanding, we aren't actually preventing any logins to Twitch, but just "masking" the actual error (too many requests). But this is still very wrong behavior which will probably also cause issues elsewhere, so it should be fixed as soon as possible.
Assignee | ||
Comment 3•4 months ago
|
||
Assignee | ||
Comment 4•4 months ago
|
||
Comment hidden (obsolete) |
Comment hidden (obsolete) |
Updated•3 months ago
|
Updated•3 months ago
|
Comment 7•3 months ago
|
||
Does that bug also affect HTTPS-First mode (which is enabled by default in private browsing)?
Assignee | ||
Comment 8•3 months ago
|
||
Yes, it is reproducible for me in 123.0.1 Release with PBM
Updated•3 months ago
|
Release is currently affected in private windows unless changing dom.security.https_first_pbm = false
.
Regressed by Bug 1716991.
Updated•3 months ago
|
Updated•3 months ago
|
Comment 10•3 months ago
|
||
:mjurgens the patch attached here is reviewed. Do you aim to land it shortly?
Wondering if this will be safe to uplift, or should it ride the train with Fx127?
Assignee | ||
Comment 11•3 months ago
|
||
:dmeehan yes, I will land it now. Sorry about the delay, I was out of office the last days and before that didn't want to land because of the freeze. I think this should be uplifted, and I will request to do so in about a week when this patch doesn't cause any problems in Nightly.
Comment 12•3 months ago
|
||
Pushed by mjurgens@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/28b2b5bfbed5 Do not copy over HTTPS-First upgrade flag into new loadinfo r=necko-reviewers,freddyb,simonf,jesup
Comment 13•3 months ago
|
||
Backed out changeset 28b2b5bfbed5 (Bug 1885949) for causing http related mochitest failures CLOSED TREE
Log: https://treeherder.mozilla.org/logviewer?job_id=454866488&repo=autoland&lineNumber=2132
Backout: https://hg.mozilla.org/integration/autoland/rev/45015ee8ccea091465ea87b6c3ae7d84a3dc9150
Comment 14•3 months ago
|
||
Pushed by imoraru@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e713aef26079 Do not copy over HTTPS-First upgrade flag into new loadinfo r=necko-reviewers,freddyb,simonf,jesup r=reland
Comment 15•3 months ago
|
||
We found the actual revision that caused the failures and this is now re-landed. Sorry for any inconvenience caused by the backout.
Comment 16•3 months ago
|
||
bugherder |
Comment 17•3 months ago
|
||
The patch landed in nightly and beta is affected.
:mjurgens, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox126
towontfix
.
For more information, please visit BugBot documentation.
Assignee | ||
Comment 18•3 months ago
|
||
[Tracking Requested - why for this release]:
This patch fixes a issue with HTTPS-First mode, which surfaces both through the schemeless HTTPS-First mechanism enabled in Nightly, and through HTTPS-First being generally enabled in PBM in Release and ESR. This issue isn't severe, as it only affects very specific server responses which already an error status code. But it is causing web compatibility issues on a prominent site (twitch.tv), and possibly others.
Comment 19•3 months ago
|
||
:mjurgens this could be uplifted for Fx126 but it will need an uplift request for beta - see https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift
Or someone on your team could support you.
There are two regressor bugs - Bug 1863281 mentions dom.security.https_first_schemeless
which is only enabled in early beta.
Can you confirm ESR115 is actually affected?
Updated•3 months ago
|
Assignee | ||
Comment 20•3 months ago
|
||
Yes, I can confirm that this is actually also affects ESR115. This is a problem with HTTPS-First in general, which is enabled by default in ESR in private browsing mode. Bug 1863281 is marked as a regressor, as it makes the issue also appear in normal browsing.
I will request a uplift for beta (and possibly esr) next week when the patch has been in Nightly for a few days.
Updated•2 months ago
|
Assignee | ||
Comment 21•2 months ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D205048
Updated•2 months ago
|
Comment 22•2 months ago
|
||
beta Uplift Approval Request
- User impact if declined: Some users in PBM may see confusing "Your browser is not currently supported" error messages on the twitch.tv login page when they should receive another error message
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: Follow the STR in https://bugzilla.mozilla.org/show_bug.cgi?id=1885949#c0
- Risk associated with taking this patch: Low
- Explanation of risk level: The patch is not complex and has sat in Nightly for a few days now without any problems. Additionally, a lot of the HTTPS-First behaviour is covered by automated testing.
- String changes made/needed: -
- Is Android affected?: yes
Updated•2 months ago
|
Updated•2 months ago
|
Comment 23•2 months ago
|
||
uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/7d0f32ab9f83
Assignee | ||
Comment 25•2 months ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D205048
Updated•2 months ago
|
Comment 26•2 months ago
|
||
esr115 Uplift Approval Request
- User impact if declined: Some users in PBM may see confusing "Your browser is not currently supported" error messages on the twitch.tv login page when they should receive another error message
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: Follow the STR in https://bugzilla.mozilla.org/show_bug.cgi?id=1885949#c0
- Risk associated with taking this patch: Low
- Explanation of risk level: The patch is not complex and has caused no problems in Nightly or Beta in the last weeks. Additionally, a lot of the HTTPS-First behaviour is covered by automated testing.
- String changes made/needed: -
- Is Android affected?: yes
Assignee | ||
Updated•2 months ago
|
Updated•2 months ago
|
Comment 27•2 months ago
|
||
uplift |
https://hg.mozilla.org/releases/mozilla-esr115/rev/36d2dde06733
Updated•2 months ago
|
Updated•2 months ago
|
Updated•2 months ago
|
Comment 28•2 months ago
|
||
I was unable to reproduce the issue while following the steps described in Comment 0, but I was able to replicate the issue on an affected Firefox Nightly 126.0a1 build from (2024-03-18), under macOS 12.6.6 and Windows 11 as follows:
- launch Firefox with a new profile, go to twitch.tv and attempt to log in with a random username and password
- go to twitch.tv while in PBM mode and attempt to log in with a random username and password (managed to reproduce on Firefox Release 125.0.3 as well)
Verified as fixed on on Firefox 115.11.0esr build ID 20240506144012, Firefox 126.0 RC build ID 20240506203248 and on Firefox Nightly 127.0a1 build ID 20240507214419, using macOS 12.6.6 / macOS 13.6.1, Windows 11 and Ubuntu 22.04.
"This username does not exist." / "That password was incorrect. Please try again." error message is displayed after attempting to log in with a random username and password while following the steps mentioned above.
@ke5trel, since I was unable to reproduce the issue with the steps described in Comment 0, could you please verify that you are no longer able to reproduce the issue? Thank you in advance!
Reporter | ||
Comment 29•2 months ago
|
||
@bhidecuti, your steps to reproduce the issue sound sufficient.
I cannot reproduce it on the latest Nightly 127.0a1 (2024-05-07) or latest Beta 126.0b9 with a normal/private window.
Comment 30•2 months ago
|
||
Thank you for the verification, Kestrel!
Based on Comment 28 and Comment 29 I am marking this verified as fixed.
Description
•