Website keeps reloading itself
Categories
(Core :: Networking: Cookies, defect, P2)
Tracking
()
People
(Reporter: sefeng211, Assigned: valentin)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, Whiteboard: [necko-triaged][necko-priority-queue])
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
Details |
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:149.0) Gecko/20100101 Firefox/149.0
Steps to reproduce:
For me, I can reproduce it in MacOS, but I can't repro it on Linux
Actual results:
The page kept reloading itself
Expected results:
The page should've loaded correctly
|
Reporter | |
Comment 1•3 months ago
|
||
Here's a profile: https://share.firefox.dev/4tuoBiD
UA: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:149.0) Gecko/20100101 Firefox/149.0
|
||
Comment 2•3 months ago
•
|
||
Hmm, I get an error "You must have cookies enabled in order to sign in to your PeopleSoft application." with that page.
Does one need to log in to that site?
Does it help if you clear all the cookies for that site? (If so, this would be a Necko bug)
|
|
Reporter | |
Comment 3•3 months ago
|
||
Try clicking that Signin to PeopleSoft button and then open the link in a new tab Olli. That site indeed behaves a bit weird..
|
|
||
Comment 4•3 months ago
|
||
Oh, now it does something else. It keeps running DoBack()
|
|
||
Comment 5•3 months ago
|
||
It does have something to do with cookies. Once it reproduced, I cleared cookies for the site and then it worked again.
|
Assignee | |
Comment 6•3 months ago
|
||
|
|
Assignee | |
Comment 7•3 months ago
|
||
The reload is coming from
https://pslinks.fiu.edu/cs/jobs/cache/PT_SAVEWARNINGSCRIPT_MIN_1.js
function UpdateDeviceCookie()
{
var dfCookieVal = getCookie("PS_DEVICEFEATURES"); if (dfCookieVal.trim() == "new:1") {
var df = new ptDeviceFeatures(); df.init(); if (isFModeLayout())
top.window.document.location.reload(); }
}
From what I can tell, loading the page returns this header:
nsHttpTransaction::ParseLine [Set-Cookie: PS_DEVICEFEATURES=new:1; domain=.fiu.edu; path=/; Samesite =Strict; secure]
Then the page runs UpdateDeviceCookie, which sets the cookie to:
PS_DEVICEFEATURES:"width:1920 height:1080 pixelratio:2 touch:0 geolocation:1 websockets:1 webworkers:1 datepicker:1 dtpicker:1 timepicker:1 dnd:1 sessionstorage:1 localstorage:1 history:1 canvas:1 svg:1 postmessage:1 hc:0 maf:0"
and reloads the page (probably expecting the cookie will be sent on the next reload of the page).
It's possible the reload is cancelling the page, and the cookie message doesn't reach the parent process before the reload actually happens, so the new cookie doesn't get sent.
|
||
Updated•3 months ago
|
|
|
Assignee | |
Updated•3 months ago
|
| Comment hidden (obsolete) |
|
|
Assignee | |
Comment 9•2 months ago
|
||
|
||
Comment 10•2 months ago
|
||
Set release status flags based on info from the regressing bug 1630865
|
|
Assignee | |
Comment 11•2 months ago
|
||
Actually, I've rechecked, and we don't actually race. The IPC message is processed before the channel is opened 😅
But the issue is caused by the following block:
if (aHttpBound && aIsSameSiteForeign) {
bool blockCookie = !ProcessSameSiteCookieForForeignRequest(
aChannel, cookie, aIsSafeTopLevelNav, aHadCrossSiteRedirects,
laxByDefault);
if (blockCookie) {
if (aHadCrossSiteRedirects) {
CookieLogging::LogMessageToConsole(
crc, aHostURI, nsIScriptError::warningFlag,
CONSOLE_REJECTION_CATEGORY, "CookieBlockedCrossSiteRedirect"_ns,
AutoTArray<nsString, 1>{
NS_ConvertUTF8toUTF16(cookie->Name()),
});
}
continue;
}
}
That's why the STR in comment 6 work.
(In reply to Valentin Gosu [:valentin] (he/him) from comment #6)
- click the link in comment 0 again -> loop.
If instead of loading the page via link from bugzilla, I just open a new tab and paste in the link, the page opens with no problem.
I'm not sure how it regressed in bug 1630865, but I'm looking into it.
|
|
Assignee | |
Comment 12•2 months ago
|
||
Actually, most likely caused by bug 1627653 - that involves same site changes.
|
|
||
Comment 13•2 months ago
|
||
Set release status flags based on info from the regressing bug 1627653
|
||
Updated•2 months ago
|
|
||
Updated•2 months ago
|
|
|
||
Comment 14•2 months ago
|
||
Set release status flags based on info from the regressing bug 1627653
|
|
Assignee | |
Comment 15•2 months ago
|
||
|
|
Assignee | |
Comment 16•2 months ago
|
||
The test reproduces this scenario:
- Cross-site navigation: A page on not-web-platform.test navigates to web-platform.test (which has a SameSite=Strict cookie)
- Initial load: SameSite=Strict cookie is correctly NOT sent (cross-site navigation)
- Reload: The page calls location.reload()
- Bug: SameSite=Strict cookie is still NOT sent on the reload, but it should be sent because a reload is a same-site navigation (the document is reloading itself)
The underlying issue in IsSameSiteForeign():
- For the reload, triggeringPrincipal is still not-web-platform.test (from the session history entry)
- triggeringPrincipal->IsThirdPartyChannel() returns isForeign=true
- So the reload is incorrectly treated as a cross-site request
|
||
Updated•2 months ago
|
|
|
||
Updated•1 month ago
|
Description
•