423833 - Show Only This Frame code uses about: url for error pages, instead of original site url

Status: VERIFIED FIXED

(Firefox :: Menus, defect, P2)

Description

[Jo Hermans]

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5pre) Gecko/2008031806 Minefield/3.0b5pre

After bug 423247 (Certificate error for iframe is shown as a dialog instead of an error page, making it impossible to add an exception) was checked in, I wanted to check the new behavior on a page that used to suffer from this problem.

The original URL is on the intranet of my company, but it contained a frame at the top for which no valid security certificate was present. Because the error was displayed in a dialog box, you couldn't easily add the certificate to the exceptions list, unless you copied the URL form the dialog box, and manually went to the advanced options.

After bug 423247 was checked in (even though that mentions an iframe in the title, but this was about a frame), the normal error page was show instead of the dialog box. You can check the result here : <http://img301.imageshack.us/my.php?image=screenshotyq5.png>

Since no scrollbars are present (due to the way the frame was build), I couldn't read the 'add an exception link'. So I wanted to be clever, and I selected 'show only this frame' in the context menu. Then I saw the normal error page, as you can see here : <http://img329.imageshack.us/my.php?image=screenshotqb4.png>. Note the URL, which is <about:neterror?e=nssBadCert&u=https%3A//all.alcatel-lucent.com/wps/portal/iframe%3Flu_lang_code%3Den&c=ISO-8859-1&d=all.alcatel-lucent.com%20uses%20an%20invalid%20security%20certificate.%0A%0AThe%20certificate%20is%20not%20trusted%20because%20the%20issuer%20certificate%20is%20not%20trusted.%0A%0A(Error%20code%3A%20sec_error_untrusted_issuer)%0A>.

Then I clicked on the 'Or you can add an exception...' link, but that didn't work. I got into the 'Add Security Exception' dialog box (impossible to take a screendump on a modal dialog, sorry), but clicking on 'Get Certificate' only proceed a 'Attempting to identify the site' warning. The reason is that the URL is the about:neterror URL, and not the one that caused the error.

Maybe should 'Show only this frame' try to show the frame, and not the 'about:neterror' page ? Or the about:neterror page should try to open the dialog box on the original URL ?

Comment 1

[Johnathan Nightingale [:johnath]]

about:neterror should be invisible to users at all times, so this is a bug in the "show only this frame" code, I'd say.

Verifiable by using this URL, which is free of any certificates.

data:text/html,<html><frameset cols="500,500"><frame src="http://google.com"><frame src="http://foo.foo"></frameset></html>

Obviously it's exacerbated in the case where that page has useful things to interact with, though.

The offending code appears to be here: http://mxr.mozilla.org/mozilla/source/browser/base/content/nsContextMenu.js#680

Moving over to Firefox

Comment 2

[Johnathan Nightingale [:johnath]]

Nominating for blocking.  This is a regression from firefox 2 behaviour, apparently from bug 376189.  I don't think it needs beta exposure, so P2 would be fine, but we depend on the error pages more now (ssl errors, malware) so it's likely going to occur more often that users "show only this frame" to get better access to that content.

Comment 3

[Johnathan Nightingale [:johnath]]

Attachment: Change documentURI.spec to location.href

Not tagging for review until I have some tests

Comment 4

[Johnathan Nightingale [:johnath]]

Attachment: Catch other instances

Two more instances of the same issue.

Comment 5

[Boris Zbarsky [:bzbarsky]]

Neil, Seamonkey might need similar changes.

Comment 6

[neil@parkwaycc.co.uk]

Well, we only have ten hits:
tabbrowser.xml: used for a content policy check for about:neterror's favicon
navigator.js: used to determine the page that loaded a favicon
permissions.js: apparently used to determine whether a page is secure
notification.xml: used to generate an absolute URL for the plugin finder
utilityOverlay.js: used to detect about:neterror for security error buttons
The other hits are used to provide a referrer e.g. for saving links.

Comment 7

[Johnathan Nightingale [:johnath]]

Attachment: With tests

Patch looks bigger than it is - only 3 lines changed, the rest is tests.

Comment 8

[Asaf Romano (gone)]

In the tests, you could use the DOMContentLoaded event.

Comment 9

[Asaf Romano (gone)]

Also, openFrame and openFrameInTab should return the newly created tab or window, then you could get rid of the windowwatcher usage. I could see potential use-cases for this outside of the testsuite.

Comment 10

[Johnathan Nightingale [:johnath]]

Attachment: Modify openFrame, openFrameInTab to return, + tests to make sure they return sane things

(In reply to comment #9)
> Also, openFrame and openFrameInTab should return the newly created tab or
> window, then you could get rid of the windowwatcher usage. I could see
> potential use-cases for this outside of the testsuite.

Interesting, and I agree, potentially useful.  I have done this, which obviously also required modifying utilityOverlay to return from the underlying calls (why didn't they?) 

(In reply to comment #8)
> In the tests, you could use the DOMContentLoaded event.

DOMContentLoaded got me into a race situation - re-running the same tests would sometimes get failures where new tab or window was opened with blank instead of the page url or error page.  I have switched setTimeout to setInterval though, as a way to prevent spurious timeout failures.

Comment 11

[Asaf Romano (gone)]

Comment on attachment 312964 [details] [diff] [review]
Modify openFrame, openFrameInTab to return, + tests to make sure they return sane things

ok, r=mano.

Comment 12

[Johnathan Nightingale [:johnath]]

Checking in browser/base/content/nsContextMenu.js;
/cvsroot/mozilla/browser/base/content/nsContextMenu.js,v  <--  nsContextMenu.js
new revision: 1.56; previous revision: 1.55
done
Checking in browser/base/content/utilityOverlay.js;
/cvsroot/mozilla/browser/base/content/utilityOverlay.js,v  <--  utilityOverlay.js
new revision: 1.66; previous revision: 1.65
done
Checking in browser/base/content/test/Makefile.in;
/cvsroot/mozilla/browser/base/content/test/Makefile.in,v  <--  Makefile.in
new revision: 1.10; previous revision: 1.9
done
RCS file: /cvsroot/mozilla/browser/base/content/test/browser_bug423833.js,v
done
Checking in browser/base/content/test/browser_bug423833.js;
/cvsroot/mozilla/browser/base/content/test/browser_bug423833.js,v  <--  browser_bug423833.js
initial revision: 1.1
done

Comment 13

[Johnathan Nightingale [:johnath]]

Backing out due to windows test bustage, though mac worked.  :(

Log: http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1207576833.1207579665.21121.gz#err0

Checking in browser/base/content/nsContextMenu.js;
/cvsroot/mozilla/browser/base/content/nsContextMenu.js,v  <--  nsContextMenu.js
new revision: 1.57; previous revision: 1.56
done
Checking in browser/base/content/utilityOverlay.js;
/cvsroot/mozilla/browser/base/content/utilityOverlay.js,v  <--  utilityOverlay.js
new revision: 1.67; previous revision: 1.66
done
Checking in browser/base/content/test/Makefile.in;
/cvsroot/mozilla/browser/base/content/test/Makefile.in,v  <--  Makefile.in
new revision: 1.11; previous revision: 1.10
done

Comment 14

[Johnathan Nightingale [:johnath]]

Attachment: Better load handling in tests

The old tests anticipated that there would be 2 load events when loading the (2-frame) page, and had a safeguard in place for that, which was enough to pass for me.  But there was a race there, and depending on the order of things, it could happen that the context-menu calls would happen before the error page had loaded.  This would cause the new tab or window to be opened blank, instead of with the error page.

Rather than playing guessing games with the number of loads triggered, this patch just checks the document.location of the error page frame, and doesn't do anything until it it set properly.  Will ask for review once I've done tests on mac (already passed) *and* vista.

Comment 15

[Johnathan Nightingale [:johnath]]

Comment on attachment 314105 [details] [diff] [review]
Better load handling in tests

Gavin has run this against his Vista build and it passed.  Knocking to Mano for review

Comment 16

[Asaf Romano (gone)]

Comment on attachment 314105 [details] [diff] [review]
Better load handling in tests

r=mano

Comment 17

[Johnathan Nightingale [:johnath]]

Thanks Mano.  Marking checkin-needed, because I'm travelling over the next few days, and may not have a contiguous block of time free to land and watch the tree.  If someone gets to this bug before I do, please feel free and accept my appreciation.  :)

Comment 18

[Reed Loden [:reed]]

Checking in browser/base/content/nsContextMenu.js;
/cvsroot/mozilla/browser/base/content/nsContextMenu.js,v  <--  nsContextMenu.js
new revision: 1.58; previous revision: 1.57
done
Checking in browser/base/content/utilityOverlay.js;
/cvsroot/mozilla/browser/base/content/utilityOverlay.js,v  <--  utilityOverlay.js
new revision: 1.68; previous revision: 1.67
done
Checking in browser/base/content/test/Makefile.in;
/cvsroot/mozilla/browser/base/content/test/Makefile.in,v  <--  Makefile.in
new revision: 1.12; previous revision: 1.11
done
Checking in browser/base/content/test/browser_bug423833.js;
/cvsroot/mozilla/browser/base/content/test/browser_bug423833.js,v  <--  browser_bug423833.js
new revision: 1.2; previous revision: 1.1
done

Comment 19

[Daniel Holbert [:dholbert]]

test_bug398289.html is currently failing on Linux, which Bonsai thinks was modified as part of this patch.

* Bonsai page: http://tinyurl.com/4zlc72
* File itself: http://bonsai.mozilla.org//cvsblame.cgi?file=mozilla/content/xul/content/test/test_bug398289.html
* Failure Log: http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1207682613.1207686773.29781.gz

Comment 20

[Daniel Holbert [:dholbert]]

Ah, looks like that part of the checkin was actually part of bug 295994, and was mislabeled.

Comment 21

[Jo Hermans]

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008040907 Minefield/3.0pre

I verified the fix on the location mentioned in comment 0, but since this was a private intranet site, I can't close the bug yet.

Comment 22

[Johnathan Nightingale [:johnath]]

(In reply to comment #21)
> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008040907
> Minefield/3.0pre
> 
> I verified the fix on the location mentioned in comment 0, but since this was a
> private intranet site, I can't close the bug yet.

Jo - my data url in comment 1 should work for public verification, shouldn't it? 

Comment 23

[Jo Hermans]

Yes, but I thought you had verified that yourself. My original URL was one of those bad-certificate errors, where you couldn't add an exception anymore. 

Comment 24

[:Gavin Sharp [email: gavin@gavinsharp.com]]

I checked in a change to the test to reduce the polling interval to 1 second from 3, to let the tests potentially finish quicker if possible.

Comment 26

[:Gavin Sharp [email: gavin@gavinsharp.com]]

(In reply to comment #24)
> I checked in a change to the test to reduce the polling interval to 1 second
> from 3, to let the tests potentially finish quicker if possible.

...then I backed it out because it was causing the tests to fail on Windows.

I just disabled the test because it's been timing out on the linux machine intermittently since it landed, and increasing the global browser test timeout to 30s (from 15s) didn't help. I filed bug 428712.