Increased Protection mode for DNS-over-HTTPS (DoH) breaks captive portals
Categories
(Core :: Networking: DNS, defect, P2)
Tracking
()
People
(Reporter: tcampbell, Assigned: valentin)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: regression, Whiteboard: [necko-triaged][necko-priority-queue])
Attachments
(3 files)
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-beta+
|
Details | Review |
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-esr128+
|
Details | Review |
I've been having a lot of trouble with captive portals being detected by firefox, but when I click the button to view portal page it never loads. I've traced this down to having DoH configured to "Increased Protection" or higher. When Win11 captive portal detection asks to open in default browser (Firefox) I also get stuck.
The work around is to go to another browser to approve the portal which is a poor user experience. Perhaps we can have a better flow here similar to the work we did for HTTPS-Only mode.
Comment 1•10 months ago
|
||
Valentin,
Are aware of any existing captive portal issues that might cause this?
Reporter | ||
Comment 2•10 months ago
|
||
STR:
0) Randomize your WiFi MAC in Windows to "forget" previous captive login
- Enable "Increased Protection" DoH mode
- Close Firefox (so that it bootstraps again on next startup)
- Connect to "Hilton Honors" WiFi
- Start Firefox and wait a few seconds for captive portal prompt in Firefox to appear under address bar
- Click the button in prompt to login into captive portal
Expected:
A new tab with captive portal loads
Actual:
New tab is blank and loads forever
Additionally, after even longer waiting the Windows captive portal detection kicks in and it tries to use http://www.msftconnecttest.com/redirect
as the portal which does actually resolve to the portal page. Perhaps the special handling of the Firefox Captive Portal in TRR is acting funny?
Assignee | ||
Comment 3•10 months ago
|
||
Theoretically, Increased protection should cause it to fallback to native DNS if it fails. And even if it doesn't, if you open the captive portal window via the notification banner, everything inside the window should not use DoH.
Could you maybe capture a profile in about:logging with the Networking preset and send the link to necko@mozilla.com?
If you can do that with a new profile so no private information is captured it would be even better. Thanks!
Assignee | ||
Updated•9 months ago
|
Updated•5 months ago
|
Comment 4•5 months ago
|
||
Ted, any chance of logs?
Reporter | ||
Comment 5•5 months ago
|
||
Sorry, I must not have finished capturing the process logs before I left the hotel and that laptop is no more.
Assignee | ||
Comment 6•5 months ago
|
||
I actually had the chance to test this in the airport before I left.
It seems that the mechanism to set the TRR mode for the captive portal login page got broken at some point in the past, but we didn't notice because we didn't have a test for it.
I managed to write one up, which I'll be posting soon. And I'll try to bisect to figure out when this got regressed.
Assignee | ||
Comment 7•5 months ago
|
||
I did a mozregression and it seems this broke quite a while ago:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a34695d9b99d1e9098e846b751c9adf1f52ee760&tochange=bc0932b38478abd600cae2b23c5f78381e80d0e8
Most likely in bug 1633310.
Assignee | ||
Updated•5 months ago
|
Comment 8•5 months ago
|
||
Set release status flags based on info from the regressing bug 1602318
Assignee | ||
Comment 9•5 months ago
|
||
It would seem sometimes in Firefox 77 we regressed the ability to set the TRR
mode for a browsing context when opening a new tab.
I confirmed that this bug didn't happen in Fx 77 when setting the
browser.tabs.documentchannel.parent-initiated
pref to false
.
The nsIWebNavigation::LOAD_FLAGS_DISABLE_TRR is correctly passed into
CanonicalBrowsingContext, but it doesn't end up getting used.
This sets the appropriate DefaultLoadFlags for the CanonicalBrowsingContext
when the LOAD_FLAGS_DISABLE_TRR or LOAD_TRR_ONLY_MODE flags are present.
Updated•5 months ago
|
Comment 10•5 months ago
|
||
Comment 11•5 months ago
|
||
Set release status flags based on info from the regressing bug 1602318
Comment 12•5 months ago
|
||
bugherder |
Comment 13•5 months ago
•
|
||
Please nominate this for Beta and ESR128 approval when you get a chance.
Updated•5 months ago
|
Assignee | ||
Comment 14•5 months ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #13)
Please nominate this for Beta and ESR128 approval when you get a chance.
I wrote a test for it in bug 1913692 which landed along with this patch.
Assignee | ||
Comment 15•5 months ago
|
||
It would seem sometimes in Firefox 77 we regressed the ability to set the TRR
mode for a browsing context when opening a new tab.
I confirmed that this bug didn't happen in Fx 77 when setting the
browser.tabs.documentchannel.parent-initiated
pref to false
.
The nsIWebNavigation::LOAD_FLAGS_DISABLE_TRR is correctly passed into
CanonicalBrowsingContext, but it doesn't end up getting used.
This sets the appropriate DefaultLoadFlags for BrowsingContext
when the LOAD_FLAGS_DISABLE_TRR or LOAD_TRR_ONLY_MODE flags are present
in nsDocShellLoadState::LoadFlags()
Original Revision: https://phabricator.services.mozilla.com/D220550
Updated•5 months ago
|
Assignee | ||
Comment 16•5 months ago
|
||
Steps to reproduce:
- Set
network.trr.exclude-etc-hosts
to false. - Set
network.trr.mode
to 2 or 3 - Start a local server to simulate the captive portal on port 80
- add
127.0.0.1 detectportal.firefox.com
to/etc/hosts
- restart firefox
- click on the captive portal banner
- check that the captive portal opens a page from the local server (the public one redirects to https://support.mozilla.org/en-US/kb/captive-portal)
- remember to clear the prefs and /etc/hosts after the test
Comment 17•5 months ago
|
||
beta Uplift Approval Request
- User impact if declined: Users using DoH in increased/max protection modes (2 and 3) might have difficulty in logging into the captive portal.
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Needs manual QE test: yes
- Steps to reproduce for manual QE testing: See comment 16
- Risk associated with taking this patch: Low
- Explanation of risk level: Fixes regressed behaviour.
- String changes made/needed: no
- Is Android affected?: no
Updated•5 months ago
|
Updated•5 months ago
|
Comment 18•5 months ago
|
||
uplift |
Updated•5 months ago
|
Comment 19•5 months ago
|
||
Hello! I could not reproduce the issue by following the steps from comment 16. By adding 127.0.0.1 detectportal.firefox.com
to the /etc/hosts
file, starting a Python HTTP server on port 80, and adjusting the prefs inside Firefox, Firefox will not display the captive portal banner after a restart.However I have a router set with captive portal and I could reproduce the issue with Firefox 130.0 on Windows 10x64 but only by setting DoH to Max Protection (network.trr.mode to 3). After Firefox is reopened clicking the Open network login page
button from the captive portal banner will open a new blank tab with infinite loading. Note that the issue does not reproduce for me with Increased Protection (network.trr.mode to 2) on an affected build.
I followed the next steps to reproduce/ verify the issue (Windows 10x64 and Ubuntu 24.04 are desktop machines with USB Wifi stick):
- Set Firefox DoH to Max Protection in about:preferences#privacy (network.trr.mode:3)
- Set the captive portal router and disable the ethernet adapter.
- Connect to Captive portal Wifi and close Firefox.
- Open Firefox and click the
Open network login page
button from the captive portal banner.
Expected Result: The captive portal page is opened (no infinite loading in a blank tab)
Following the above steps I can no longer reproduce the issue with Firefox 131.0b4 and 132.0a1 (2024-09-09) on Windows 10x64, macOS 12 and Ubuntu 24. Verified with Increase Protection and Max Protection. Just to be sure is the above verification correct giving the fact that I could only reproduce the issue with network.trr.mode:3
? Thank you!
Assignee | ||
Comment 20•5 months ago
|
||
Hi Alexandru, thank you for checking.
I think what was missing from my steps list was making sure there's a canonical.html file served by the webserver with arbitrary content.
I think testing with a real captive portal device in mode3 is enough to confirm this is fixed. Thanks!
Comment 21•5 months ago
|
||
(In reply to Valentin Gosu [:valentin] (he/him) from comment #20)
Hi Alexandru, thank you for checking.
I think what was missing from my steps list was making sure there's a canonical.html file served by the webserver with arbitrary content.
I think testing with a real captive portal device in mode3 is enough to confirm this is fixed. Thanks!
Thank you! Setting flags accordingly.
Assignee | ||
Comment 22•3 months ago
|
||
It would seem sometimes in Firefox 77 we regressed the ability to set the TRR
mode for a browsing context when opening a new tab.
I confirmed that this bug didn't happen in Fx 77 when setting the
browser.tabs.documentchannel.parent-initiated
pref to false
.
The nsIWebNavigation::LOAD_FLAGS_DISABLE_TRR is correctly passed into
CanonicalBrowsingContext, but it doesn't end up getting used.
This sets the appropriate DefaultLoadFlags for BrowsingContext
when the LOAD_FLAGS_DISABLE_TRR or LOAD_TRR_ONLY_MODE flags are present
in nsDocShellLoadState::LoadFlags()
Original Revision: https://phabricator.services.mozilla.com/D220550
Updated•3 months ago
|
Comment 23•3 months ago
|
||
esr128 Uplift Approval Request
- User impact if declined: Users using DoH in increased/max protection modes (2 and 3) might have difficulty in logging into the captive portal.
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: See comment 16 and 20
- Risk associated with taking this patch: low.
- Explanation of risk level: The code has been on Nightly/Beta for more than a month. No regressions seen in Release 131.
- String changes made/needed: None
- Is Android affected?: no
Updated•3 months ago
|
Comment 24•3 months ago
|
||
uplift |
Updated•3 months ago
|
Comment 25•3 months ago
|
||
Verified fixed with Firefox 128.4.0esr by using steps from comment 19 on Windows 10x64, macOS 12 and Ubuntu 24.04 and on Windows 10x64 by using steps from comment 16 (network.trr.mode 2 and 3). The captive portal page is correctly opened.
Description
•