Closed Bug 441504 Opened 17 years ago Closed 15 years ago

Request for http://addons.mozilla.org gets redirected more times than is sensible

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect, P5)

Tracking

(Not tracked)

RESOLVED FIXED
4.x (triaged)

People

(Reporter: mossop, Unassigned)

Details

(Whiteboard: [z])

If I type addons.mozilla.org into the address bar the browser goes through a total of 5 redirects before it gets to the actual url of the AMO page to display. 2 is maybe sensible, 1 is ideal, 5 is over the top and adds delay and presumably server load.

10:22:29.152[1760ms][total 1760ms] Status: 302[Object Moved]
GET http://addons.mozilla.org/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[-1] Mime Type[application/x-unknown-content-type]
   Request Headers:
      Host[addons.mozilla.org]
      User-Agent[Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1a1pre) Gecko/2008062310 Minefield/3.1a1pre]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-us,en;q=0.5]
      Accept-Encoding[gzip,deflate]
      Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7]
      Keep-Alive[300]
      Connection[keep-alive]
   Response Headers:
      Server[NS_6.1]
      Location[https://addons.mozilla.org/]
      Connection[close]

10:22:30.913[2743ms][total 2743ms] Status: 302[Found]
GET https://addons.mozilla.org/ Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Content Size[0] Mime Type[text/html]
   Request Headers:
      Host[addons.mozilla.org]
      User-Agent[Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1a1pre) Gecko/2008062310 Minefield/3.1a1pre]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-us,en;q=0.5]
      Accept-Encoding[gzip,deflate]
      Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7]
      Keep-Alive[300]
      Connection[keep-alive]
   Response Headers:
      Date[Tue, 24 Jun 2008 09:22:33 GMT]
      Server[Apache/2.2.3 (Red Hat)]
      X-Powered-By[PHP/5.1.6]
      X-AMO-ServedBy[mrapp03]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0, private, max-age=3600]
      Pragma[no-cache]
      Location[http://addons.mozilla.org/en-US/]
      Expires[Tue, 24 Jun 2008 10:22:33 GMT]
      Content-Length[0]
      Keep-Alive[timeout=300, max=991]
      Connection[Keep-Alive]
      Content-Type[text/html; charset=UTF-8]

10:22:33.657[702ms][total 702ms] Status: 302[Object Moved]
GET http://addons.mozilla.org/en-US/ Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Content Size[-1] Mime Type[application/x-unknown-content-type]
   Request Headers:
      Host[addons.mozilla.org]
      User-Agent[Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1a1pre) Gecko/2008062310 Minefield/3.1a1pre]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-us,en;q=0.5]
      Accept-Encoding[gzip,deflate]
      Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7]
      Keep-Alive[300]
      Connection[keep-alive]
   Response Headers:
      Server[NS_6.1]
      Location[https://addons.mozilla.org/en-US/]
      Connection[close]

10:22:34.360[2790ms][total 2790ms] Status: 302[Found]
GET https://addons.mozilla.org/en-US/ Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Content Size[0] Mime Type[text/html]
   Request Headers:
      Host[addons.mozilla.org]
      User-Agent[Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1a1pre) Gecko/2008062310 Minefield/3.1a1pre]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-us,en;q=0.5]
      Accept-Encoding[gzip,deflate]
      Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7]
      Keep-Alive[300]
      Connection[keep-alive]
   Response Headers:
      Date[Tue, 24 Jun 2008 09:22:36 GMT]
      Server[Apache/2.2.3 (Red Hat)]
      X-Powered-By[PHP/5.1.6]
      X-AMO-ServedBy[mrapp04]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0, private, max-age=3600]
      Pragma[no-cache]
      Location[http://addons.mozilla.org/en-US/firefox/]
      Expires[Tue, 24 Jun 2008 10:22:36 GMT]
      Content-Length[0]
      Keep-Alive[timeout=300, max=976]
      Connection[Keep-Alive]
      Content-Type[text/html; charset=UTF-8]

10:22:37.151[2288ms][total 2288ms] Status: 302[Object Moved]
GET http://addons.mozilla.org/en-US/firefox/ Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Content Size[-1] Mime Type[application/x-unknown-content-type]
   Request Headers:
      Host[addons.mozilla.org]
      User-Agent[Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1a1pre) Gecko/2008062310 Minefield/3.1a1pre]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-us,en;q=0.5]
      Accept-Encoding[gzip,deflate]
      Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7]
      Keep-Alive[300]
      Connection[keep-alive]
   Response Headers:
      Server[NS_6.1]
      Location[https://addons.mozilla.org/en-US/firefox/]
      Connection[close]

Redirecting through http also means that someone who types in https://addons.mozilla.org is exposed to a DNS attack -- does the in-browser service follow redirects?
Group: update-security
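
Added example, not part of the bug report or of AMO's code: a small Python check that reads a trace in the format the reporter pasted, counts the redirects, and lists every hop where an https request is sent back to http. The sample trace is reduced from the report to the status, request URL and Location header of each hop; the function names and the limit of two redirects are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the five hops from the reporter's trace, reduced to the
# status, request URL and Location response header of each hop.
TRACE = """\
Status: 302[Object Moved] GET http://addons.mozilla.org/ Location[https://addons.mozilla.org/]
Status: 302[Found] GET https://addons.mozilla.org/ Location[http://addons.mozilla.org/en-US/]
Status: 302[Object Moved] GET http://addons.mozilla.org/en-US/ Location[https://addons.mozilla.org/en-US/]
Status: 302[Found] GET https://addons.mozilla.org/en-US/ Location[http://addons.mozilla.org/en-US/firefox/]
Status: 302[Object Moved] GET http://addons.mozilla.org/en-US/firefox/ Location[https://addons.mozilla.org/en-US/firefox/]
"""

# One hop = status code, requested URL, and the first Location[...] after it.
# Assumes every logged request is a redirect, as in the trace above.
HOP = re.compile(
    r"Status:\s*(\d{3})\[[^\]]*\]\s+GET\s+(\S+).*?Location\[([^\]]+)\]", re.S)


def parse_hops(trace):
    """Return [(status, request_url, location), ...] in request order."""
    return [(int(code), src, dst) for code, src, dst in HOP.findall(trace)]


def audit_chain(hops, max_redirects=2):
    """Count redirects and list hops where an https request is sent to http.

    max_redirects=2 follows the target discussed in the bug
    (http->https, then / -> /<locale>/firefox); it is an assumption here.
    """
    downgrades = []
    for number, (_code, src, dst) in enumerate(hops, start=1):
        if urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http":
            downgrades.append((number, src, dst))
    return {
        "redirects": len(hops),
        "excessive": len(hops) > max_redirects,
        "downgrades": downgrades,
    }


if __name__ == "__main__":
    report = audit_chain(parse_hops(TRACE))
    print(f"{report['redirects']} redirects, excessive={report['excessive']}")
    for number, src, dst in report["downgrades"]:
        print(f"hop {number}: {src} -> {dst} leaves TLS")
```

The same parser accepts the full pasted trace, since it skips every header between the request line and `Location[...]`.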
The in-browser service will follow any redirects given, currently the urls are such that there is only one instance I know of that actually redirects and that is when AMO does not support the locale. This redirects to a different locale but it is a safe https -> https redirect.
dupe of bug 412015?
(In reply to comment #3)
> dupe of bug 412015?

Yes. Do we want to dupe that one to this one, because Dave gave very detailed information up there? Also, I am unsure this bug should not be public, as the implications of bouncing back and forth between http and https are pretty obvious (and have been public in bug 412015 for a while)?
Side note: We'll always end up with at least two redirects, as (I believe) the netscalers will take us from http->https and after that the application will need to redirect to the right locale and application. However, we could try combining the lang and app magic in one step, along with not redirecting back to http (which is stupid anyway) and that'd reduce the amount of redirects to 2.
OS: Mac OS X → All
Hardware: PC → All
I see only 3 redirects, the https->http redirects do not happen for me. That brings us down to 3, which can (and should) be shrunk to 2.
One option is to have http://amo/* go through to 1 php file that only performs redirects. This will cut things down to 1 redirect in all cases (as long as that file logic is made to redirect to valid pages and not more redirects).
Severity: normal → trivial
Priority: -- → P5
Target Milestone: --- → 4.x (triaged)
Jeff, Dave: Is this fixed in Zamboni? I think we should have at worst two redirects: http->https, and / -> /<locale>/firefox .
Fred,

I assume this is done, although I'm not fully aware of the full stack of redirection, I can tell you what I do know and what I assume:

Assumptions:

Netscaler or Apache handles http->https

What I know:
we redirect / -> /locale/firefox once in middleware.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: [z]
(In reply to comment #12)
> Fred,
>
> I assume this is done, although I'm not fully aware of the full stack of
> redirection, I can tell you what I do know and what I assume:
>
> Assumptions:
>
> Netscaler or Apache handles http->https

Yes.

> What I know:
> we redirect / -> /locale/firefox once in middleware.

Excellent, thanks.
Product: addons.mozilla.org → addons.mozilla.org Graveyard
I think that this should be made public by now.
Flags: needinfo?(amuntner)
Group: client-services-security
Flags: needinfo?(amuntner)