Http referer on a plugin initiated post request is causing a Http/400 from IIS

VERIFIED FIXED in Firefox 13



6 years ago
5 years ago


(Reporter: Igor Mackeev, Assigned: bsmedberg)



12 Branch
Windows 7
Dependency tree / graph

Firefox Tracking Flags

(firefox11 unaffected, firefox12 unaffected, firefox13+ verified)


(Whiteboard: [qa!])


(3 attachments)



6 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120205 Firefox/12.0a2
Build ID: 20120205042013

Steps to reproduce:

After updating to 12a2 from 11a2:
Tried to log into my Sip Sorcery account via their Silverlight portal (

Actual results:

The dot in the upper left corner turned red (should be green)
I entered my login and password and got an error logging in

Expected results:

The dot initially should be green and I should be able to log in.

Comment 1

6 years ago
It works if network.http.sendRefererHeader set to 0 or 1.
Blocks: 410904
Ever confirmed: true

Comment 2

6 years ago
Yes! I've changed it to 1 and it works again.
Thank you.


6 years ago
Keywords: regression
It looks like a bug in the site if just disabling the referer of the embed object makes it work.
Can someone contact them, maybe Igor ?

Comment 4

6 years ago
There is nothing wrong with the site. The same problem had been reported a bit earlier with another site.
And I found a new one: (works fine with 1)
Everything that has Silverlight in it looks broken.
I used for testing and I can confirm this issue with Seamonkey trunk on win32.

Seamonkey gets a HTTP 400 "Bad Request (Invalid Header Name)" after a HTTP post that includes the referer. I'm not sure why it shouldn't be valid to send the referer here but Opera11.6 doesn't send a referer for Post requests initiated by the Plugin.
I bet that removing the referer from the post request will fix all regressions from bug 410904

I will attach a wireshark snippet that shows the post requests from FF10,SM trunk and Opera11.60

I'm requesting tracking because this seems to break many silverlight pages.
Look at the depending bugs of bug 410904
status-firefox11: --- → unaffected
status-firefox12: --- → affected
status-firefox13: --- → affected
tracking-firefox12: --- → ?
Component: Untriaged → Plug-ins
Product: Firefox → Core
QA Contact: untriaged → plugins
Created attachment 596453 [details]
Http Post from FF10, SM trunk and Opera11.60
tracking-firefox13: --- → ?
Duplicate of this bug: 721311
Summary: Silverlight login broken in Aurora 12a2 → Http referer on a plugin initiated post request is causing a Http/400 from IIS


6 years ago
tracking-firefox12: ? → +
tracking-firefox13: ? → +

Comment 8

6 years ago
Josh, I think we should disable referrers for plugin POSTs to fix this issue. Do you disagree?
Assignee: nobody → benjamin


6 years ago
Blocks: 727820


6 years ago
Duplicate of this bug: 727820

Comment 10

6 years ago
Created attachment 597831 [details] [diff] [review]
Don't send Referer with plugin POST requests, rev. 1
Attachment #597831 - Flags: review?(joshmoz)

Comment 11

6 years ago
Created attachment 597832 [details] [diff] [review]


6 years ago
Attachment #597831 - Flags: review?(joshmoz) → review+

Comment 12

6 years ago
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13


6 years ago
status-firefox13: affected → fixed

Comment 14

6 years ago
Comment on attachment 597831 [details] [diff] [review]
Don't send Referer with plugin POST requests, rev. 1

This patch reverts to the prior behavior for POST requests only, and should be fairly safe.
Attachment #597831 - Flags: approval-mozilla-aurora?
Duplicate of this bug: 724405
Duplicate of this bug: 722855
Duplicate of this bug: 726133
Duplicate of this bug: 722004

Comment 19

6 years ago
this bug fixed don't solve all problem, if you ever test...

Most of the video playing problem is GET, not POST, why not follow other browser send the plugin itself as referer? That solve all issue for once and all.

Comment 20

6 years ago
That's not what this bug is about. If you need to file a bug specifically about the GET issue, please do it separately with a testcase/testcase URL.
Comment on attachment 597831 [details] [diff] [review]
Don't send Referer with plugin POST requests, rev. 1

[Triage Comment]
Fixes silverlight breakage and deemed low risk - approved for Aurora 12.
Attachment #597831 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Landing on Aurora 12 ping.
Duplicate of this bug: 732371
(In reply to Alex Keybl [:akeybl] from comment #22)
> Landing on Aurora 12 ping.

When it will land on Aurora 12?
> When it will land on Aurora 12?


This also breaks some Japanese video sites:

We hope this would get fixed soon.

Comment 26

6 years ago
Bug 410904 was backed out of Aurora (FF12).
status-firefox12: affected → unaffected
tracking-firefox12: + → ---
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #26)
> Bug 410904 was backed out of Aurora (FF12).

Confirmed those videos can now play w/o changing the referer pref.
Comment on attachment 597831 [details] [diff] [review]
Don't send Referer with plugin POST requests, rev. 1

clearing approval per bsmedberg's "gecko 12--> unaffected" comment and that this never landed there
Attachment #597831 - Flags: approval-mozilla-aurora+
Comment on attachment 597832 [details] [diff] [review]

Did you mean to include contents of test_pluginstream_referer.html/sjs? and/or did this patch land?
Attachment #597832 - Flags: feedback?(benjamin)


6 years ago
Attachment #597832 - Flags: feedback?(benjamin)
Pool Live Tour not working, bug 732371 on Firefox 12 beta 1
status-firefox12: unaffected → affected

Comment 31

6 years ago
Bug 410904 was backed out of Firefox 12 train, so it cannot be the cause of this bug. Please reopen the other bug which is probably not a duplicate.
status-firefox12: affected → unaffected
Whiteboard: [qa+]
are working fine, no errors/crashes occur.

This is verified fixed on FF 13b2:
Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0
status-firefox13: fixed → verified
Whiteboard: [qa+] → [qa!]
You need to log in before you can comment on or make changes to this bug.