RFP: chat.qwen.ai returns '500: Internal Error' due to WebGLRenderInfo
Categories
(Core :: DOM: Security, defect)
Tracking
()
People
(Reporter: thorin, Assigned: fkilic)
References
(Blocks 1 open bug)
Details
Attachments
(2 files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-beta+
|
Details | Review |
STR (I used nightly 140: ETP on strict FWIW)
- enable RFP
- load https://chat.qwen.ai/
- expected: chat loads
- actual: blank page with 500: Internal Error
- disable RFP, reload ... success
It's not canvas, so will require some RFPTarget analysis cc fkilic pierov
Feel free to move from Core>Dom: Security
|
Reporter | |
Updated•5 months ago
|
|
||
Comment 1•5 months ago
|
||
Wow, this is a new one. It's WebGLRenderInfo.
I don't know exactly why, but somewhere after a call to https://chat.qwen.ai/api/config (seen in both the Network tab and the Console debug output) - which has the same result with or without WebGLRenderInfo - something goes wrong, and a subsequent call to https://chat.qwen.ai/api/models will not be made and you'll get the 500. There is detect Firefox false in the console log but that appears with and without WebGLRenderInfo.
WebGLRenderInfo blocks WEBGL_debug_renderer_info and WEBGL_debug_shaders as well as sanitizing the non-unmasked Renderer string to just "Mozilla".
|
|
||
Updated•5 months ago
|
|
Assignee | |
Comment 2•5 months ago
•
|
||
Disabling webgl.enable-debug-renderer-info also returns 500, suggesting it is the debug renderer info blocking. Searching for UNMASKED_RENDERER_WEBGL in qwen's source also brings up some stuff.
|
|
Assignee | |
Comment 3•5 months ago
|
||
We can probably remove blocking WEBGL_debug_renderer_info because we return the same value for renderer and unmasked renderer. We do, however, return the actual vendor for unmasked vendor. So what we can do is, remove the extension blocking, and return "Mozilla" for unmasked vendor (just like how the normal vendor parameter)
|
|
Assignee | |
Comment 4•5 months ago
|
||
WEBGL_debug_renderer_info enables access to two parameters. UNMASKED_VENDOR_WEBGL and UNMASKED_RENDERER_WEBGL. We return the same value for WEBGL_debug_renderer_info.UNMASKED_RENDERER_WEBGL and gl.RENDERER, so we already expose the (sanitized) renderer. The only thing we are blocking is UNMASKED_VENDOR_WEBGL. I suggest that we enable the extension and spoof vendor instead.
|
||
Updated•5 months ago
|
|
||
Comment 6•4 months ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 7•4 months ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D249777
|
|
||
Updated•4 months ago
|
|
|
||
Comment 8•4 months ago
|
||
firefox-beta Uplift Approval Request
- User impact if declined: Possibly higher web compat errors
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: Enable RFP, visit chat.qwen.ai, check that there's no "500: Internal Error" message
- Risk associated with taking this patch: Only for RFP users: breakage on chat.qwen.ai
- Explanation of risk level: WebCompat issue for RFP users.
- String changes made/needed: no
- Is Android affected?: yes
|
|
||
Comment 9•4 months ago
|
||
I would add that we wouldn't normally try to uplift RFP-only things, but we just missed the 140-ESR window so we're hoping to get a few things in to reduce Tor's patchload. "We would prefer not" is always acceptable :)
|
|
||
Updated•4 months ago
|
|
||
Updated•4 months ago
|
|
||
Comment 10•4 months ago
|
||
| uplift | ||
|
|
Reporter | |
Comment 11•4 months ago
|
||
archaeology: Bug 1337157: FF60+ privacy.resistFingerprinting should disable WEBGL_debug_renderer_info
Description
•