Closed Bug 1908115 Opened 4 months ago Closed 4 months ago

Regression: NTLM credentials are erroneously requested on location.reload

Categories

(Core :: Networking, defect, P1)

Firefox 128
defect

Tracking

()

RESOLVED FIXED
130 Branch
Tracking Status
relnote-firefox --- 128+
firefox-esr115 --- unaffected
firefox-esr128 --- fixed
firefox128 --- fixed
firefox129 --- fixed
firefox130 --- fixed

People

(Reporter: gserg.g, Assigned: smayya)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [necko-triaged][necko-priority-queue])

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0

Steps to reproduce:

Regression in v128 compared to v127.0.2.

We have a local intranet portal that requires Windows authentication.
Its domain name is added to Firefox's network.automatic-ntlm-auth.trusted-uris so that Firefox sends the NTLM credentials automatically.
That works.

Some pages on that portal include a JavaScript line location.refresh(true); to force a refresh on a timer. That has stopped working in 128 as compared to 127.0.2.

Actual results:

Starting from Firefox 128, executing location.refresh(true); results in a user prompt for credentials. Failure to provide them results in HTTP 401.

This was not the case in versions 127.0.2 and older.

Verified by rolling back to 127.0.2 and not observing this behaviour there.

Expected results:

location.refresh(true); should silently succeed.

Err:

location.reload(true), like in the title, not location.refresh(true) like in the report text. Sorry.

The Bugbug bot thinks this bug should belong to the 'Core::Networking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Networking
Product: Firefox → Core

Hello gserg.g,
Thank you for reporting the issue promptly.
Could you please share the http logs for the issue?
We had made recent changes to our auth behavior.
Could you please confirm if the issue no longer exists once you change the pref network.auth.use_redirect_for_retries to false?

Flags: needinfo?(gserg.g)

Keeping this in priority review queue until we get the logs from the reporter.

Whiteboard: [necko-triaged][necko-priority-review]

HTTP logs requested

(In reply to Sunil Mayya from comment #3)

> Could you please share the http logs for the issue?

Please find attached.

> Could you please confirm if the issue no longer exists once you change the pref network.auth.use_redirect_for_retries to false

I can confirm. That fixes it.

Flags: needinfo?(gserg.g)
Whiteboard: [necko-triaged][necko-priority-review] → [necko-triaged][necko-priority-queue]
Severity: -- → S2
Priority: -- → P1
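
An added example for administrators auditing profiles against the workaround confirmed above; it is not part of this bug or of Mozilla's code. It reads the text of a profile's prefs.js or user.js and reports whether automatic NTLM hosts are configured and whether network.auth.use_redirect_for_retries has been set to false. The function names, status labels, sample contents and host name are constructed for illustration.

```python
import json
import re

# Pref names are taken from the bug report above.
RETRY_PREF = "network.auth.use_redirect_for_retries"
NTLM_PREF = "network.automatic-ntlm-auth.trusted-uris"

# One user_pref("name", value); statement per line, as in prefs.js / user.js.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {pref name: value} for every user_pref line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, "strings"
        except ValueError:
            prefs[name] = raw  # keep unparsed values verbatim
    return prefs


def ntlm_reload_status(text):
    """Classify one profile with respect to the behaviour in this bug."""
    prefs = parse_prefs(text)
    hosts = [h.strip() for h in str(prefs.get(NTLM_PREF, "")).split(",") if h.strip()]
    if not hosts:
        return "not-applicable"  # no automatic NTLM hosts configured
    if prefs.get(RETRY_PREF) is False:
        return "workaround-set"  # pref explicitly false, as confirmed in the bug
    return "check-version"       # pref left at the build default


# Constructed sample profile contents (hypothetical intranet host).
SAMPLE_DEFAULT = 'user_pref("network.automatic-ntlm-auth.trusted-uris", "portal.corp.example");\n'
SAMPLE_FIXED = SAMPLE_DEFAULT + 'user_pref("network.auth.use_redirect_for_retries", false);\n'

if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("fixed", SAMPLE_FIXED)):
        print(label, ntlm_reload_status(sample))
```

A profile reported as "check-version" relies on the build's default for the pref, so whether it shows the prompt depends on the installed Firefox version.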

We are going to disable this pref and release it soon.

Assignee: nobody → smayya
Keywords: regression
Regressed by: 1896350
Pushed by smayya@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/92302f29e4e1 disable network.auth.use_redirect_for_retries for release. r=necko-reviewers,kershaw
Status: UNCONFIRMED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 130 Branch

Set release status flags based on info from the regressing bug 1896350

The patch landed in nightly and beta is affected.
:smayya, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox129 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(smayya)

[Tracking Requested - why for this release]:
We should fix this in 128

Flags: needinfo?(smayya)

Comment on attachment 9413267 [details]
Bug 1908115 - disable network.auth.use_redirect_for_retries for release. r=#necko

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: This affects users using NTLM authentication.
  • User impact if declined: Authentication will fail.
  • Fix Landed on Version: 130
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This pref restores Firefox's old behavior for authentication which has been deployed for users for a long time.
Attachment #9413267 - Flags: approval-mozilla-esr128?

Sunil, your ESR uplift request mentions the fix landed in Fx129 but the patch landed in central for Fx130?

You mention in Comment 13 that this should be fixed in Fx128.
Could you add both a beta and a release uplift request?
We could include this in beta for Fx129 and the scheduled dot release for Fx128

Flags: needinfo?(smayya)

Comment on attachment 9413267 [details]
Bug 1908115 - disable network.auth.use_redirect_for_retries for release. r=#necko

Beta/Release Uplift Approval Request

  • User impact if declined: NTLM auth might fail
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch restores old stable auth behavior of Firefox before 128
  • String changes made/needed:
  • Is Android affected?: Yes
Flags: needinfo?(smayya)
Attachment #9413267 - Flags: approval-mozilla-release?

Comment on attachment 9413267 [details]
Bug 1908115 - disable network.auth.use_redirect_for_retries for release. r=#necko

Beta/Release Uplift Approval Request

  • User impact if declined: NTLM auth might fail
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch restores old stable auth behavior of Firefox before 128
  • String changes made/needed:
  • Is Android affected?: Yes
Attachment #9413267 - Flags: approval-mozilla-beta?

Thanks Donal for correcting!
I have updated the request to include the fix in beta. The fix must go for dot release for 128 and beta for 129.

Comment on attachment 9413267 [details]
Bug 1908115 - disable network.auth.use_redirect_for_retries for release. r=#necko

Approved for 129.0b7

Attachment #9413267 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9413267 [details]
Bug 1908115 - disable network.auth.use_redirect_for_retries for release. r=#necko

Approved for 128.1esr.

Attachment #9413267 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+

Comment on attachment 9413267 [details]
Bug 1908115 - disable network.auth.use_redirect_for_retries for release. r=#necko

Approved for 128.0.2.

Attachment #9413267 - Flags: approval-mozilla-release? → approval-mozilla-release+

Added to the 128.0.2 relnotes:

Fixed an issue causing NTLM authentication failure.
