Hotel or other login redirect pages destroy history

RESOLVED DUPLICATE of bug 479752

Status

()

RESOLVED DUPLICATE of bug 479752
9 years ago
9 years ago

People

(Reporter: thomas, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
Build Identifier: 

When first connecting to the net at my hotel, if I ask for "http://cnn.com", I will get a redirect page, then the hotel main page instead, BUT IT WILL LOSE THE CNN.COM.

This is worse if it is restoring 10 tabs from a restart.  ALL 10 TABS WILL LOSE THE CURRENT PAGE AND BE REPLACED by the bounce then hotel page.

Reproducible: Always

Steps to Reproduce:
1. Go to a place that requires you to press Agree or type an access code on a bounce page
2. Try going to any web site, or restoring multiple tabs (close and reopen at the new site)
3. All tabs and/or sites will be gone - erased from history, erased from the back/forward.  mozilla.org won't be anywhere to be found, only bounce-my-page.  Same with cnn.com (the really long complex URL that will be impossible to find again).
Actual Results:  
Any context, history, cache, memory or evidence that I was on cnn.com in a tab is completely gone.  This is typically witha really long URL I will never remember or find easily again.  Whatever is being done (an HTTP redirect, maybe the wrong one) is saying CNN.COM no longer exists, and has been replaced with the YOUMUSTAGREE page.

It is probably also a security problem since it could be used in a transparent MITM attack.  it can load cnn.hacker.com and proxy the original image and unless you look at the address bar carefully you won't see it.

Expected Results:  
Any or all of the following:
1. If the redirect changes the base of the URL, e.g. cnn.com to myhotel.com, it should create an entry in the back/forward menu so when I agree or it presents whatever it needs to I can get back to the original.
2. History should remember the ORIGINAL URL so I can go back to it there.
3. Before detroying all the above information, I should get a box saying do I really want to go to XYZ,com from ABC.com, again if it is attempting to redirect xyz.com to abc.com.


I don't have a site to test this on globally, but can provide more information or perhaps produce a test case.

Noredirect, https://addons.mozilla.org/en-US/firefox/addon/11787  is meant to help with the same problem, but the critical part should be in firefox itself.
This is a matter of how the hotel does the redirects... it's explicitly saying to overwrite the history entry, using APIs that we can't break because legitimate sites use them for legitimate purposes.  The hotel _could_ preserve the history if it cared to...

> It is probably also a security problem since it could be used in a transparent
> MITM attack.

Any http:// URI is subject to am MITM, no matter what.  That's why https exists.  The hotel could return whatever content it wanted _and_ have your url bar say cnn.com, if it cared.  We have no way to tell, since they control the physical transport layer.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 479752
You need to log in before you can comment on or make changes to this bug.