Mirror.co.uk Corrupted Content



Tech Evangelism Graveyard
English Other
5 years ago
3 years ago


(Reporter: Paul [pwd], Unassigned)





5 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20130226 Firefox/22.0
Build ID: 20130226031002

Steps to reproduce:

The page works fine in other browsers which then only drives users to other browsers.


5 years ago
Component: Untriaged → HTML: Parser
OS: Windows 7 → All
Product: Firefox → Core
Hardware: x86 → All
So loading http://www.mirror.co.uk/ shows a corrupted content error. It comes from the networking stack—not from the parser.
Component: HTML: Parser → Networking: HTTP
Ever confirmed: true
I believe mulitple ACAO headers (see below) had a security implication. jduell was the expert..

 HTTP/1.1 200 OK
    Access-Control-Allow-Origin: www.birminghammail.co.uk,www.dailypost.co.uk,tm
    Access-Control-Allow-Origin: http://rl.mirror.co.uk
    Access-Control-Allow-Origin: rl.mirror.co.uk
    Access-Control-Allow-Origin: http://s.mirror.co.uk
    Content-Type: text/html;charset=UTF-8
    Server: Apache-Coyote/1.1
    X-Cache-Hits: 6
    X-Cacheable: YES
    X-RemovedCookies: YES
    X-Served-By: nat-cache1.tm-aws.com
    X-Varnish: 763588376 763582740
    Content-Encoding: gzip
    Content-Length: 29257
    Cache-Control: max-age=473
    Expires: Wed, 27 Feb 2013 14:40:44 GMT
    Date: Wed, 27 Feb 2013 14:32:51 GMT
    Connection: keep-alive
    Vary: Accept-Encoding
    Vary: User-Agent
Yes, differing Access-Control-Allow-Origin headers is a spec violation and we block the violations as of bug 814117.  You can put as many (comma-separated) hosts in the header as you like (as they've done in one of the headers in comment 2), but allowing more than one of these headers in a request creates a vulnerability for header injection attacks.

So like bug 845273 and bug 840656, this should be fixed by the site.  I'll contact them.
Assignee: nobody → english-other
Component: Networking: HTTP → English Other
Product: Core → Tech Evangelism
Contacted a potpourri of the emails listed on their site's masthead, as there's no clear tech support emai listed.
(In reply to Jason Duell (:jduell) from comment #3)
>  You can put as many
> (comma-separated) hosts in the header as you like (as they've done in one of
> the headers in comment 2)

The note under http://www.w3.org/TR/cors/#access-control-allow-origin-response-header disagrees.

Comment 6

5 years ago
Indeed. Note that per HTTP


is identical to

(In reply to Anne van Kesteren from comment #6)
> Indeed. Note that per HTTP
> is identical to
> ACAO: X, Y

but that's not a universal reality and has been acknowledged for a long time. Cookies for example cannot be coalesced and broken apart and still maintain operability. Sad, but true.

The concern here (and with a couple other similar headers) is around header injection - http://en.wikipedia.org/wiki/HTTP_header_injection .. that's why we apply stricter semantics than the transport protocol itself allows for.

Comment 8

5 years ago
The CORS specification as defined assumes these semantics at least for that header (and some others) and its processing algorithms depend on it. CORS has required that multiple values be rejected since the start.

I would appreciate to know the model of HTTP CORS should be written against. Do we effectively store headers as an ordered list of name-value pairs which can contain duplicate names? If that's the case I'll make sure the specification covers HTTP-related requirements in those terms instead.

Comment 9

5 years ago
Have we had any feedback from the Mirror? It is a national paper with a large online presence.
No, and I sent two separate emails to every address on their online contacts page.  Anyone live in the UK and willing to give them a call?

Comment 11

5 years ago
Oooh wait. This is wrong. Access-Control-Allow-Origin header requirements should only be enforced during CORS requests. Just navigating to mirror.co.uk should work fine.
Assignee: english-other → nobody
Component: English Other → Networking
Product: Tech Evangelism → Core
Anne: thanks for the clarification.  I've filed bug 847533 for being less restrictive in the check here.

Meanwhile I want to keep this open as an evangelism bug--I suspect sites are going to want to fix this server-side for now, as we're very unlikely to provide a Firefox fix for this in less than 6 weeks, and they probably want their sites to work in the meantime.
Assignee: nobody → english-other
Component: Networking → English Other
Product: Core → Tech Evangelism

Comment 13

5 years ago
Hi all. Thank you very much for the heads up for this problem. The Access-Control-Allow-Origin header should now appear on a single line:

# curl --HEAD http://www.mirror.co.uk/
HTTP/1.1 200 OK
Date: Tue, 05 Mar 2013 10:59:10 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Set-Cookie: JSESSIONID=7E80910559E48AFA06F08613BFCA7268; Path=/
Cache-Control: max-age=600
Expires: Tue, 05 Mar 2013 11:09:11 GMT
Access-Control-Allow-Origin: http://www.birminghammail.co.uk,http://www.dailypost.co.uk,http://s.mirror.co.uk,http://rl.mirror.co.uk

Comment 14

5 years ago
James, that is still bogus. Access-Control-Allow-Origin can only contain a single origin, anything else will fail CORS checks.

Comment 15

5 years ago
Hi Anne, Thanks for the reply. Unfortunately I just read http://www.w3.org/TR/cors/#list-of-origins and not the note elsewhere saying that in practice it is 1, null or *. In that case I guess it is just going to have to be *. Which makes me sad.
Site is working again.

Thanks again for working with us on this--sorry we made life more difficult than it needed to be here.
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME
Product: Tech Evangelism → Tech Evangelism Graveyard
You need to log in before you can comment on or make changes to this bug.