Closed Bug 398446 Opened 17 years ago Closed 17 years ago

Can't log in to chase.com account

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
mozilla1.9beta1

People

(Reporter: samuel.sidler+old, Assigned: jst)

References

(
URL
)

Details

(4 keywords)

Attachments

(2 files)

Fix.
3.55 KB, patch
mrbkap
: review+
mrbkap
: superreview+
Details | Diff | Splinter Review
Patch that was checked in on the trunk.
3.34 KB, patch
Details | Diff | Splinter Review 
STR:
  1. Go to chase.com
  2. Enter username and password
  3. Press the "Log On" graphic

Nothing happens.

When first going to the page, I get the following warning in the error console:

Warning: Expected ':' but found 'undefined'.  Declaration dropped.
Source File: http://chaseonline.chase.com/login.html
Line: 0

When pushing the Log On graphic the first time (but not subsequent times), I get the following error in the error console:

Error: uncaught exception: [Exception... "Access to property denied"  code: "1010" nsresult: "0x805303f2 (NS_ERROR_DOM_PROP_ACCESS_DENIED)"  location: "<unknown>"]

Requesting blocking since Chase is a major US bank.
Flags: blocking1.9?
Could use a regression range...
Keywords: qawanted
Boris' patch for bug 388597 and mrbkap's xpconnect changes look like the most likely to have caused this kind of error, I guess.

Could use a testcase, too... :)
Keywords: qawanted
OS: Mac OS X → All
I'm having trouble generating a testcase since saving the page, saved as HTML complete, doesn't have the issue. I'll try and work up a testcase early next week but if someone else wants to take a stab, that'd be great.

Is there a better component I can put this in that has more of a chance of getting looked at even without a testcase?
Assignee: nobody → dveditz
Component: General → Security
QA Contact: general → toolkit
Target Milestone: --- → mozilla1.9 M9
Trunk build seems to work OK for me on that site. I don't have a real login, but with a fake login I don't get "nothing" (either the password hint screen or redirects to the secure login for another attempt, apparently depending on whether I've used a user name that really exists). Same behavior on FF2.0.0.9

Did they change the site? If not, what am I doing differently?
-> Sam to get a reproducible testcase
Assignee: dveditz → samuel.sidler
STR:
  1. Go to www.chase.com (not chaseonline.chase.com or any other site).
  2. Enter 'asdf' as the User ID.
  3. Enter 'asdf' as the Password.
  4. Press the green "Log On" button.

With a clean profile in both browsers, using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9a9pre) Gecko/2007110204 Minefield/3.0a9pre nothing happens, but an error appears in the console but using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.8) Gecko/2007100816 Firefox/2.0.0.8 I get redirected to https://chaseonline.chase.com/colappmgr/colportal/prospect?_nfpb=true&_pageLabel=page_logonform

Dan, are you not seeing that?
Checked with a couple others from QA. This has been reproduced by them as well. Reassigning.
Assignee: samuel.sidler → dveditz
Summary: Can't login to chase.com account → Can't log in to chase.com account
(In reply to comment #2)
> Sorry about that, I didn't have time to get one before. This broke on Mac
> builds (at least) between 2007-08-07-04 and 2007-08-08-04.

I can confirm that regression range for Linux builds as well.

HOWEVER, here's an interesting twist -- using my own (old-ish) personal Firefox profile, all the broken builds I've tried **do work**.  Latest-trunk even works, using my profile.  (but not using a fresh profile)

I've tried but haven't been able to construct a "working" profile like my own from scratch, though.  In particular, I tried logging on to Chase with a fresh profile in (working) 8-07 build, and then reused that profile in latest-trunk, but it didn't work.  I repeated this starting with FF2, but latest-trunk didn't like that profile either.
Moving to blocking since this is an incompat with major site...
Flags: blocking1.9? → blocking1.9+
Error: uncaught exception: [Exception... "Access to property denied"  code: "1010" nsresult: "0x805303f2 (NS_ERROR_DOM_PROP_ACCESS_DENIED)"  location: "<unknown>"]

something in the onsubmit is failing, haven't had time to dig into this yet though...
(In reply to comment #13)
> Error: uncaught exception: [Exception... "Access to property denied"  code:
> "1010" nsresult: "0x805303f2 (NS_ERROR_DOM_PROP_ACCESS_DENIED)"  location:
> "<unknown>"]
> 
> something in the onsubmit is failing, haven't had time to dig into this yet
> though...

Reported in comment 0...


Note that if you look at the URL the <form> uses to POST to (https://chaseonline.chase.com/siteminderagent/forms/formpost.fcc), you'll see where it redirects to another login site (https://chaseonline.chase.com/online/logon/sso_logon.jsp). If you try to enter fake info on that login box, the form is submitted, and it tells you your info is invalid.
(In reply to comment #15)
Yeah this bug is exclusively about http://www.chase.com/ .  If you go directly to https://chaseonline.chase.com/ and enter bogus creds it works fine.  Btw, neither site yields an error upon submitting bogus creds with js off.  (that's TE territory though)

This prolly covers a lot of XSS territory.  There's one page with an iframe that has a source on a different subdomain of the same registered (one label down from etld) domain.  Both URLs set document.domain to that registered domain name.  The parent has 1 relevant form and the iframe has 2.  The parent form has an onsubmit handler which ends up setting form values on the first iframe form and then canceling submit (returns false).  The first iframe form in turn has no handlers but it's action is a javascript: url calling a function previously defined.  The predefined js function in the action then grabs form 1's values to use for form 2.  form 2 is defined in html with action="#" but then action is set to a complete URL by form 1's action URL function.  (the new action is a sub domain of the document.domain set already for both parent and iframe).  The form 1 action func then calls form 2's submit().  fwiw it appears the iframe embeds some flash with a param allowScriptAccess="sameDomain" and I've no idea what that flash might do.

Will try to do a semi minimized TC or 2 tomorrow or tuesday.  Feel free to poke me on IRC if you want to know more about how the site works (I've found a few more TE issues too :-/)
Oh, btw, fx2009 uses quirks mode for parent and iframe.
FWIW I noted just now that when using the url:
https://chaseonline.chase.com/online/logon/sso_logon.jsp

I see this in the error console: (using Console2 extension)
Warning: Use of captureEvents() is deprecated, see bug 330494.
Source file: https://chaseonline.chase.com/online/logon/sso_logon.jsp

I only have to go to the URL, nothing is entered, only the page load to trigger the error message. 

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a9pre) Gecko/2007110503 Minefield/3.0a9pre Firefox/3.0 ID:2007110503


(In reply to comment #18)
> FWIW I noted just now that when using the url:
> https://chaseonline.chase.com/online/logon/sso_logon.jsp
Thanks, but that's not related.  Again this bug exclusively deals with http://www.chase.com and the iframe it includes.
So is the deal that a user can't log in on chase.com but can log in at chaseonline.chase.com? If that's the case, I'd almost be willing to relnote this and not have it block beta anymore.
Boris, can you please take a look at this?  See Comment #3. 
(In reply to comment #20)
> So is the deal that a user can't log in on chase.com but can log in at
> chaseonline.chase.com?
Exactly.
I'm working on a minimal TC based on the results from save as complete but here's some code I was using last night.  (there was a request for an update here) It produces the same dom exception with the local copy that only references remote pages for ads and the live site.  It happens that executing the bookmarklet twice in a row will submit the page for the live site and will produce a new and different error for the local version.

btw, I'd love to know how to break on a dom exception. (preferably gdb)

javascript:
log = {
    c: function (s) { dump(s + "\n"); },
    e: function (s) { eval(s); log.c(s + ";"); },
    d: function(s) { dump(s + " is " + uneval(eval(s)) + "\n"); }
};
log.c("XXX start dump");
log.targets = ["document.domain", "_cookieDomain.length", "_cookieDomain", "_cookieDomain.substring(1, _cookieDomain.length)"];
log.dumpTargets = function () { with(log) { for(i in targets) { d(targets[i]); } } };
document.logonform.usr_name.value = "foo";
document.logonform.usr_password.value = "bar";
with(log) {
    dumpTargets();
    if(/^http:\/\/www.chase.com\//.test(location.href)) {
        e("_cookieDomain = '.chase.com'");
        dumpTargets();
        e("document.domain = _cookieDomain.substring(1, _cookieDomain.length)");
        dumpTargets();
    }
    d("validateAndSubmitFrame()");
    dumpTargets();
    c("XXX end dump");
}
void 0;

a bookmarklet for that is:

javascript:log = {c: function (s) { dump(s + "\n"); },e: function (s) { eval(s); log.c(s + ";"); },d: function(s) { dump(s + " is " + uneval(eval(s)) + "\n"); }};log.c("XXX start dump");log.targets = ["document.domain", "_cookieDomain.length", "_cookieDomain", "_cookieDomain.substring(1, _cookieDomain.length)"];log.dumpTargets = function () { with(log) { for(i in targets) { d(targets[i]); } } };document.logonform.usr_name.value = "foo";document.logonform.usr_password.value = "bar";with(log) {dumpTargets();if(/^http:\/\/www.chase.com\//.test(location.href)) {e("_cookieDomain = '.chase.com'");dumpTargets();e("document.domain = _cookieDomain.substring(1, _cookieDomain.length)");dumpTargets();}d("validateAndSubmitFrame()");dumpTargets();c("XXX end dump");}void 0;
(In reply to comment #23)
> It happens that executing the bookmarklet twice in a row will submit the
> page for the live site and will produce a new and different error for the
> local version.

Where "will submit the page" means I actually get the same bogus creds error page that I get in Fx2009.
> btw, I'd love to know how to break on a dom exception. (preferably gdb)

With a bit of pain.  You can breakpoint on JS_SetPendingException, which will get you any time an exception is thrown... including all the ones that actually end up caught.  Depending on the testcase, there could be a lot of noise.

In this case, it looks like we throw NS_ERROR_DOM_PROP_ACCESS_DENIED with this stack:

#0  JS_SetPendingException (cx=0x2f42e9a0, v=791794336) at ../../../mozilla/js/src/jsapi.c:5406
#1  0x1383935b in XPCThrower::ThrowExceptionObject (cx=0x2f42e9a0, e=0x3a6aaf60) at ../../../../../mozilla/js/src/xpconnect/src/xpcthrower.cpp:296
#2  0x13839501 in XPCThrower::BuildAndThrowException (cx=0x2f42e9a0, rv=2152924146, sz=0x13867724 "") at ../../../../../mozilla/js/src/xpconnect/src/xpcthrower.cpp:255
#3  0x13839659 in XPCThrower::Throw (rv=2152924146, cx=0x2f42e9a0) at ../../../../../mozilla/js/src/xpconnect/src/xpcthrower.cpp:56
#4  0x1385b296 in ThrowException (ex=2152924146, cx=0x2f42e9a0) at ../../../../../mozilla/js/src/xpconnect/src/XPCCrossOriginWrapper.cpp:137
#5  0x1385de69 in XPC_XOW_AddProperty (cx=0x2f42e9a0, obj=0x2f31d240, id=1036860, vp=0xbfffc80c) at ../../../../../mozilla/js/src/xpconnect/src/XPCCrossOriginWrapper.cpp:543
#6  0x0028e972 in js_DefineNativeProperty (cx=0x2f42e9a0, obj=0x2f31d240, id=1036860, value=791794272, getter=0x1385db02 <XPC_XOW_GetProperty(JSContext*, JSObject*, long, long*)>, setter=0x1385dade <XPC_XOW_SetProperty(JSContext*, JSObject*, long, long*)>, attrs=0, flags=0, shortid=0, propp=0x0) at ../../../mozilla/js/src/jsobj.c:3181
#7  0x0028e517 in js_DefineProperty (cx=0x2f42e9a0, obj=0x2f31d240, id=1036860, value=791794272, getter=0, setter=0, attrs=0, propp=0x0) at ../../../mozilla/js/src/jsobj.c:3067
#8  0x0025755a in js_DefineFunction (cx=0x2f42e9a0, obj=0x2f31d240, atom=0xfd23c, native=0x1385cece <XPC_XOW_toString(JSContext*, JSObject*, unsigned int, long*, long*)>, nargs=0, attrs=0) at ../../../mozilla/js/src/jsfun.c:2204
#9  0x0021c368 in JS_DefineFunction (cx=0x2f42e9a0, obj=0x2f31d240, name=0x1386bcac "toString", call=0x1385cece <XPC_XOW_toString(JSContext*, JSObject*, unsigned int, long*, long*)>, nargs=0, attrs=0) at ../../../mozilla/js/src/jsapi.c:4305
#10 0x1385d21e in XPC_XOW_NewResolve (cx=0x2f42e9a0, obj=0x2f31d240, id=1036860, flags=0, objp=0xbfffc988) at ../../../../../mozilla/js/src/xpconnect/src/XPCCrossOriginWrapper.cpp:728
#11 0x0028f0fa in js_LookupPropertyWithFlags (cx=0x2f42e9a0, obj=0x2f31d240, id=1036860, flags=0, objp=0xbfffca48, propp=0xbfffca44) at ../../../mozilla/js/src/jsobj.c:3364
#12 0x0028ed0d in js_LookupProperty (cx=0x2f42e9a0, obj=0x2f31d240, id=1036860, objp=0xbfffca48, propp=0xbfffca44) at ../../../mozilla/js/src/jsobj.c:3268
#13 0x002903f1 in js_GetProperty (cx=0x2f42e9a0, obj=0x2f31d240, id=1036860, vp=0xbfffcb84) at ../../../mozilla/js/src/jsobj.c:3630
#14 0x00219e0c in JS_GetUCProperty (cx=0x2f42e9a0, obj=0x2f31d240, name=0x2c22930, namelen=8, vp=0xbfffcb84) at ../../../mozilla/js/src/jsapi.c:3533
#15 0x3a729b77 in GetProperty (cx=0x2f42e9a0, obj=0x2f31d240, identifier=0xfd23c, rval=0xbfffcb84) at ../../../../../mozilla/modules/plugin/base/src/nsJSNPRuntime.cpp:510
#16 0x3a72b09f in doInvoke (npobj=0x39f7a890, method=0xfd23c, args=0x0, argCount=0, ctorCall=0, result=0xbfffcc94) at ../../../../../mozilla/modules/plugin/base/src/nsJSNPRuntime.cpp:575
#17 0x3a72b3b5 in nsJSObjWrapper::NP_Invoke (npobj=0x39f7a890, method=0xfd23c, args=0x0, argCount=0, result=0xbfffcc94) at ../../../../../mozilla/modules/plugin/base/src/nsJSNPRuntime.cpp:648
#18 0x3a70787f in _invoke (npp=0x3b1bbbec, npobj=0x39f7a890, method=0xfd23c, args=0x0, argCount=0, result=0xbfffcc94) at ../../../../../mozilla/modules/plugin/base/src/ns4xPlugin.cpp:1592
#19 0x3b590f69 in dyld_stub__ZN25nsDefaultStringComparatorC1Ev ()
#20 0x3b5943ac in NP_Initialize ()
#21 0x3b595506 in NP_Initialize ()
#22 0x3b5987ea in Flash_EnforceLocalSecurity ()
#23 0x3a70e87f in ns4xPluginInstance::InitializePlugin (this=0x3b1bbbd0, peer=0x3b11a9b0) at ../../../../../mozilla/modules/plugin/base/src/ns4xPluginInstance.cpp:1055
#24 0x3a70e9e8 in ns4xPluginInstance::Initialize (this=0x3b1bbbd0, peer=0x3b11a9b0) at ../../../../../mozilla/modules/plugin/base/src/ns4xPluginInstance.cpp:839
#25 0x3a720787 in nsPluginHostImpl::TrySetUpPluginInstance (this=0x3a66e4e0, aMimeType=0x39fdf5d8 "application/x-shockwave-flash", aURL=0x2c27020, aOwner=0x3b1c7c60) at ../../../../../mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:4061
#26 0x3a718a6f in nsPluginHostImpl::SetUpPluginInstance (this=0x3a66e4e0, aMimeType=0x39fdf5d8 "application/x-shockwave-flash", aURL=0x2c27020, aOwner=0x3b1c7c60) at ../../../../../mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3880
#27 0x3a71fd10 in nsPluginHostImpl::InstantiateEmbeddedPlugin (this=0x3a66e4e0, aMimeType=0x39fdf5d8 "application/x-shockwave-flash", aURL=0x2c27020, aOwner=0x3b1c7c60) at ../../../../../mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp:3553
#28 0x1bbbbf59 in nsObjectFrame::InstantiatePlugin (this=0x3710c88, aPluginHost=0x3a66e4e4, aMimeType=0x39fdf5d8 "application/x-shockwave-flash", aURI=0x2c27020) at ../../../mozilla/layout/generic/nsObjectFrame.cpp:794
#29 0x1bbc0a4b in nsObjectFrame::Instantiate (this=0x3710c88, aMimeType=0x39fdf5d8 "application/x-shockwave-flash", aURI=0x2c27020) at ../../../mozilla/layout/generic/nsObjectFrame.cpp:1461
#30 0x1bd8267b in nsObjectLoadingContent::Instantiate (this=0x2f41945c, aFrame=0x3710cb4, aMIMEType=@0x3a6994d4, aURI=0x2c27020) at ../../../../mozilla/content/base/src/nsObjectLoadingContent.cpp:1548
#31 0x1bd82cbb in nsAsyncInstantiateEvent::Run (this=0x3a6994c0) at ../../../../mozilla/content/base/src/nsObjectLoadingContent.cpp:145

But we don't report it at that point!

So the JSContext has a pending exception sitting on it... until the next time script runs on that JSContext.  At that point, we think that the script is throwing, and things break.

Blake, it looks like XOW is throwing; not sure whether it should.  The plug-in code here is certainly buggy in that it should report the exception; not sure from where.

Also not sure which of the XOW changes regressed this, yet.
Oh, and the reason we end up throwing is that in IsWrapperSameOrigin we have:

(gdb) p subjectPrin.mRawPtr->mDomain.mRawPtr->mSpec.mData
$10 = 0x3a6cf8d8 "http://chase.com/login.html"
(gdb) p subjectPrin.mRawPtr->mCodebase.mRawPtr->mSpec.mData
$11 = 0x39f79238 "http://chaseonline.chase.com/login.html"
(gdb) p objectPrin.mRawPtr->mDomain
$12 = {
  mRawPtr = 0x0
}
(gdb) p objectPrin.mRawPtr->mCodebase.mRawPtr->mSpec.mData
$14 = 0x3a63f998 "http://www.chase.com/"

(so this code is executing before the .domain set somewhere, or something?).

The object we're looking at is:

(gdb) p *JS_GetClass(cx, wrappedObj)
$16 = {
  name = 0x39cbdec0 "Location", 

How close are we to understanding and fixing this bug?  This is the last bug holding up the beta.   I'm of the opinion we just need to get this beta out the door, even if we don't fix this one in time.  Anyone object?
Keywords: ecommerce
> How close are we to understanding and fixing this bug? 

I think we understand it.  The issue is that NP_Invoke can cause pending exceptions to be set on the JSContext and never processed.  If the intent is that we can get into this code during JS execution (and shouldn't process the pending exception in that case), then we need to process it further up the stack.  Perhaps in ns4xPluginInstance::InitializePlugin or something?  Really just depends on what the NPAPI contract here is.  Hopefully jst knows...
Keywords: ecommerce
Keywords: ecommerce
Keywords: top100
Attached patch Fix.Splinter Review 
This fixes this bug by making us save JS exception state across NPRuntime API invocations from a plugin, and makes us report any JS exceptions that were thrown during the NPRuntime API call before we return from the API call. We don't necessarily need the exception state saving part of this, but it seems safer to do that to avoid loosing exceptions or possibly reporting exceptions too early.

There's been some initial discussion about adding an API for plugins to get JS exception info as well, and once that exists this code should be tweaked to deal with that, but for now we'll just report the exceptions (alternatively we could just clear pending exceptions w/o reporting them, but I don't think that's desired).
Attachment #287510 - Flags: superreview?(bzbarsky)
Attachment #287510 - Flags: review?(bzbarsky)
Assignee: dveditz → jst
Component: Security → Plug-ins
QA Contact: toolkit → plugins
Damon, I'm fine with shipping beta with or w/o this, but if there's still time it's IMO worth considering the attached patch for beta...
Status: NEW → ASSIGNED
Component: Plug-ins → Security
Component: Security → Plug-ins
Please try to get this patch into this beta.  Chase.com ranks 701 on the alexa top sites, so it drives a lot of traffic.   Not being able to login will cause a very bad user experience to our beta users.  This is a critical issue that QA wants fixed.  Thanks.
(#69 among US sites.)
Ok.  Lets get this reviewed and in, ASAP.
Comment on attachment 287510 [details] [diff] [review]
Fix.

I don't think we need to save and restore the exception state, to quote from my out-loud meandering on IRC:

09:33 <mrbkap> If there's a pending exception already, it means that some 
               script in the window that the plugin is in has thrown and the 
               exception hasn't been handled yet.
09:34 <mrbkap> JS is run to completion and we have to be carefult o 
               JS_ReportPendingException at all entry points.

r+sr=mrbkap with that.
Attachment #287510 - Flags: superreview?(bzbarsky)
Attachment #287510 - Flags: superreview+
Attachment #287510 - Flags: review?(bzbarsky)
Attachment #287510 - Flags: review+
Fix checked in, marking FIXED.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
For what it's worth, patch that landed looks good to me too.
Just checked with the latest hourly, and I can now login just fine.  Thanks guys.

Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a9pre) Gecko/2007110610 Minefield/3.0a9pre Firefox/3.0 ID:2007110610 (latest hourly)
I can verify this as well. Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a9pre) Gecko/2007110610 Minefield/3.0a9pre

Marking VERIFIED.
Status: RESOLVED → VERIFIED
Righteous work here guys!  Zero beta blockers.

Shields up!  Arm the torpedoes!
Depends on: 403079
It looks like this caused bug 403079.
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: