402288 - FF3 refuses to follow redirects via pragma refresh

Status: VERIFIED WONTFIX

(Firefox :: Security, defect)

Description

[bill]

I'm testing Minefield and have noticed that several websites (both intranet and internet) are trying to do redirects via an HTML refresh, which FF3 blocks.

Sample HTML used:
<html>
<head>
<meta http-equiv="Refresh" content="0;url=http://www.godaddy.com">
</head>
</html>

This results in a pop-up that asks the user if they'd like to allow this redirect. the page will not load unless they click "allow". I can't find any preference or UI to make this preference "sticky" globally or on a per-site basis.

I realize that the W3C recommends against this practice (http://www.w3.org/TR/WCAG10-HTML-TECHS/#meta-element), but it's widely used. It's also an "easy" way to get a redirection to happen if you are in control of the content but not the web server configuration.

I've found several sites that are hobbled with this feature in FF3:
{internal websites, which we need to fix}
http://godaddy.com

Comment 1

[Daniel Veditz [:dveditz]]

Got a better example? I get a 302 response from http://godaddy.com not an in-content <meta> refresh. And the following data: uri seems to refresh just fine when pasted into some non-godaddy window.

data:text/html,<html><head><meta%20http-equiv="Refresh"%20content="0;url=http://www.godaddy.com"></head></html>

Why filed as a "security" bug?

Comment 2

[Daniel Veditz [:dveditz]]

Do you have the "accessibility.blockautorefresh" pref set to true?

Check using about:config or the Advanced pref pane.

Comment 3

[bill]

I *swear* I didn't see that option in the advanced prefs pane before in prior minefield builds....but disabling that pref solves the problem.

Comment 4

[Daniel Veditz [:dveditz]]

If you've never seen it how did it get set? The default is to allow meta-refresh
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/browser/app/profile/firefox.js&rev=1.216&mark=569-570#550