iTunes (Apple) download won't start with FireFox Nightly build

RESOLVED FIXED

Status

Tech Evangelism
Desktop
RESOLVED FIXED
4 years ago
a year ago

People

(Reporter: Clemens Prill, Unassigned)

Tracking

(Blocks: 1 bug, {regression, verifyme})

Trunk
x86_64
Windows 7
regression, verifyme

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [mcb-thirdparty-notified][mcb-chrome30+][mcb-frame-descendants], URL)

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130422 Firefox/23.0
Build ID: 20130422030937

Steps to reproduce:

I did the following steps:
1) Visit the site http://www.apple.com/de/itunes/download/
2) Click on 'Download now'

No window to save/download the file appear. Just a simple redirect happens and Firefox skips the download part.


Actual results:

I'm redirected to the 'Thank you for downloading iTunes' text and no download window appears.


Expected results:

I'm able to download the latest version of iTunes by pressing the button.
(Reporter)

Updated

4 years ago
(Reporter)

Comment 1

4 years ago
I found this bug in Firefox version 23.0a1 (2013-04-22)

Comment 2

4 years ago
This problem is caused by landing of bug 834836.

mixed-content-blocked-notification-icon does not display until I click the download button.
And then (about 1 second after), the page is redirected without a file picker dialog.
So, there is no chance to disable the mixed-content-blocking from the door hanger.

Of course, it works as expected if security.mixed_content.block_active_content is set to false in about:config.
Blocks: 834836
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
Keywords: regression
Blocks: 844556
The HTTP page http://www.apple.com/itunes/download/ has an iframe to an HTTPS page https://swdlp.apple.com/iframes/82/en_us/82_en_us.html

<iframe src="https://swdlp.apple.com/iframes/82/en_us/82_en_us.html" title="Please select a download." name="myframe" frameborder="0" allowtransparency="true" scrolling="no">Your browser is not compatible with this content; please upgrade to a standards-based browser.</iframe>

The HTTPS child iframe page also has an HTTP hidden iframe (grandchild):
<iframe id='swdlDownloadIframe'  name='swdlDownloadIframe' frameborder='0' width='0px' height='0px' scrolling='no' style='visibility:hidden;'>

The source of the grandchild frame is set in javascript to the binaryUrl:
document.getElementById("swdlDownloadIframe").src=binaryUrl;

This gets blocked by the mixed content blocker since it is an HTTP source:
[11:57:51.750] Blocked loading mixed active content "http://appldnld.apple.com/iTunes11/041-9794.20130220.DdPy6/iTunes11.0.2.dmg" @ https://a248.e.akamai.net/7/248/51/20120910/swdlp.apple.com/IframesJS/iframe_2012_09_12.js:1601

The binaryUrl is set based on a user's OS, but they all appear to be HTTP sources:
<input type='hidden' id='system_OS_Hide_Show:2:mac:radio:binaryUrl' value='http://appldnld.apple.com/iTunes11/041-9794.20130220.DdPy6/iTunes11.0.2.dmg' >
				

The shield icon appears on the page, but the user doesn't have much time to notice it, let alone click on it and figure out what's going on with the page.  This is because the page redirects to a Thank You page after a setTimeout:

setTimeout("redirectURL()",1000);

function redirectURL(){
	window.top.location.href = thankYouUrl;
}

This isn't an issue on Chrome because Chrome doesn't block mixed content iframes.  This is probably an issue on IE because IE does block mixed content iframes, but I don't have Windows to test this with to confirm.

Since this is a binary, it really should be downloaded over HTTPS.  A MITM could just change the itunes binary to a malware binary.  Anyone have contacts at Apple we can ping?

Comment 4

4 years ago
In IE9 on Windows 7,
after I click the download button, a notification bar (execute/save/cancel) pops up,
and the page is redirected to the thankYou page.
However, the notification bar stays (does not disappear).  Therefore I can choose SAVE.
I believe the notification bar you are describing for IE (execute/save/cancel) is different than their Mixed Content Blocker notification.

This is a case where an HTTP page embeds an HTTPS page which embeds an HTTP page.  Maybe IE isn't as granular with their frame blocking as Firefox is.  Perhaps IE only blocks HTTP frames if window.top.location is HTTPS.  One way to find out is with this test case: http://people.mozilla.com/~tvyas/mixedgrandiframe.html.  Does IE's mixed content warning appear on the page?

Comment 6

4 years ago
(In reply to Tanvi Vyas [:tanvi] from comment #5)
> I believe the notification bar you are describing for IE
> (execute/save/cancel) is different than their Mixed Content Blocker
> notification.
> 
> This is a case where an HTTP page embeds an HTTPS page which embeds an
> HTTP page.  Maybe IE isn't as granular with their frame blocking as Firefox
> is.  Perhaps IE only blocks HTTP frames if window.top.location is HTTPS. 
> One way to find out, is with this test case:
> http://people.mozilla.com/~tvyas/mixedgrandiframe.html.  Does IE's mixed
> content warning appear on the page?

When I open http://people.mozilla.com/~tvyas/mixedgrandiframe.html in IE9,
an empty rectangle with a scroll bar is shown, and a warning notification bar pops up.

After clicking the button in the warning notification bar, "Hello People!" is displayed within the double rectangle box.
Thanks Alice!  This implies that the warning notification bar for Mixed Content should appear on http://www.apple.com/itunes/download/ as well.  Since the page redirects so quickly, perhaps it isn't seen.  However, Alice stated above that the download does actually come through.

Comment 8

4 years ago
Apple redesigned at least part of their site, so you might want to check if the problem still applies (I'd expect it, though).

Comment 9

4 years ago
Just experienced this with the Quicktime download page http://www.apple.com/quicktime/download/ on Fx 21.0, and khuey kindly verified that the bug is still present on a nightly from the 18th.  When hitting download the icon appears, but the redirect to the thanks page happens before the blocking can be turned off, and the download never happens.  Not sure if that increases severity, since Quicktime is a plugin and this will prevent updating it (what I was trying to do when I discovered this).
We've contacted someone at Apple who said they filed a bug for the issue.  If someone has a contact in their web development team, that would be great!
Chrome Canary has started to block mixed content iframes.  Even in cases like this, where the top location is HTTP, the HTTP page contains an HTTPS iframe, and the HTTPS iframe attempts to load an HTTP iframe ("descendants rule").

This bug with downloading mixed content binaries from apple.com also exists on Chrome Canary.  Chrome Canary will go to stable sometime in late July / early August.  Around the same time that Firefox 23 will hit stable.
(In reply to Tanvi Vyas [:tanvi] from comment #10)
> We've contacted someone at Apple who said they filed a bug for the issue. 
> If someone has a contact in their web development team, that would be great!

I've also emailed security@apple.com
Whiteboard: [mcb-thirdparty-notified][mcb-chrome29+][mcb-frame-descendants]
I sent another email to apple, since this issue still exists.
Sent another email to apple this week.
Whiteboard: [mcb-thirdparty-notified][mcb-chrome29+][mcb-frame-descendants] → [mcb-thirdparty-notified][mcb-chrome30+][mcb-frame-descendants]
Just received an email from my contact at Apple saying the problem has been fixed. Can someone more familiar with the bug confirm?
Apple has fixed their Mixed Content issues by upgrading the binary download to an SSL version!

<input type='hidden' id='system_OS_Hide_Show:2:mac:radio:binaryUrl' value='https://secure-appldnld.apple.com/iTunes11/091-6058.20130605.Cw321/iTunes11.0.4.dmg' >

<input type='hidden' id='system_OS_Hide_Show:4:win:radio:binaryUrl' value='https://secure-appldnld.apple.com/iTunes11/091-6059.20130605.205Rf/iTunesSetup.exe' >

<input type='hidden' id='system_OS_Hide_Show:6:win:64bit:radio:binaryUrl' value='https://secure-appldnld.apple.com/iTunes11/091-6060.20130605.Azqw2/iTunes64Setup.exe' >

The Mixed Content Blocker is no longer invoked.  Closing this bug.  Thank you Apple for your help in resolving this issue before Firefox 23 hits stable users next week!
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED

Comment 17

4 years ago
cannot download again.
fine with IE.

Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0 ID:20130815030203 CSet: a8daa428ccbc

Updated

4 years ago
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Not sure why apple reverted their fix.

We are back to 
<input type='hidden' id='system_OS_Hide_Show:2:mac:radio:binaryUrl' value='http://appldnld.apple.com/iTunes11/091-9268.20130816.Bbgtr/iTunes11.0.5.dmg' >

Instead of 
<input type='hidden' id='system_OS_Hide_Show:2:mac:radio:binaryUrl' value='https://secure-appldnld.apple.com/iTunes11/091-6058.20130605.Cw321/iTunes11.0.4.dmg' >

The secure link still seems to work.  Maybe this was an accident?  Who knows.  Going to email apple again.
This is fixed again.  The download binary is back to the https://secure-appldnld.apple.com link.  Closing.
Status: REOPENED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Keywords: verifyme

Comment 20

4 years ago
fixed ?

still cannot download from download page.
download does not start.
No specific Firefox fix = WORKSFORME. Seems like this is Tech Evangelism anyway?
Resolution: FIXED → WORKSFORME
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #21)
> No specific Firefox fix = WORKSFORME. Seems like this is Tech Evangelism
> anyway?

This is an evangelism bug.  We are/were tracking popular websites with mixed active content as part of a master tracking bug 844556.  This is one of the more important bugs that came up because of the specific implementation of this site.  The download webpage redirects to a Thank you page before a user even has a chance to disable protection.  Apple fixed the issue, it looks like it reverted, and it's not fixed again.



(In reply to pal-moz from comment #20)
> fixed ?
> 
> still cannot download from download page.
> download does not start.
What operating system are you using?  Try a shift refresh or clearing this website from your cache.  I tried it on fresh Firefox profiles on Mac and Linux and no longer see the mixed content issue.

Comment 23

4 years ago
> (In reply to pal-moz from comment #20)
> > fixed ?
> > 
> > still cannot download from download page.
> > download does not start.
> What operating system are you using?  Try a shift refresh or clearing this
> website from your cache.  I tried it on fresh Firefox profiles on Mac and
> Linux and no longer see the mixed content issue.

see com#17.
Win 7 (32bit)
and tried with new/clean profile, but cannot download.
can you check on Windows ?

Comment 24

4 years ago
WFM, now.
http://hg.mozilla.org/releases/mozilla-release/rev/a55c55edf302
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 ID:20130814063812

Comment 25

4 years ago
cannot.

BTW, I can download from
http://www.apple.com/itunes/

but cannot from
http://www.apple.com/jp/itunes/
http://www.apple.com/de/itunes/
etc..
ie) cannot from localized site.


Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0 ID:20130820030206 CSet: bb025b6949e8

Comment 26

4 years ago
in browser console,

Blocked loading mixed active content "http://appldnld.apple.com/iTunes11/091-9269.20130816.Azfre/iTunesSetup.exe" @ https://a248.e.akamai.net/7/248/51/20120910/swdlp.apple.com/IframesJS/iframe_V_1.js:1784
I go to 
http://www.apple.com/jp/itunes/

and then I go click the big blue button that takes me to 
http://www.apple.com/jp/itunes/download/

That contains an iframe to https://swdlp.apple.com/iframes/82/ja_jp/82_ja_jp.html.  The iframe contains a secure itunes exe and an insecure one: 

<input type='hidden' id='system_OS_Hide_Show:4:win:radio:binaryUrl' value='http://appldnld.apple.com/iTunes11/091-9269.20130816.Azfre/iTunesSetup.exe' >

<input type='hidden' id='system_OS_Hide_Show:6:win:64bit:radio:binaryUrl' value='https://secure-appldnld.apple.com/iTunes11/091-9270.20130816.Qw23e/iTunes64Setup.exe' >

Looks like their "4:win" binary is not secure but their "6:win:64bit" is.

The secure version does exist though: 
https://secure-appldnld.apple.com/iTunes11/091-9269.20130816.Azfre/iTunesSetup.exe

The US version of the iframe (https://swdlp.apple.com/iframes/82/en_us/82_en_us.html) is using this secure link.

The DE version of the iframe is using the INSECURE link:
<input type='hidden' id='system_OS_Hide_Show:4:win:radio:binaryUrl' value='http://appldnld.apple.com/iTunes11/091-9269.20130816.Azfre/iTunesSetup.exe' >

So it seems like apple missed updating 1 place in all their non-US versions of apple downloads, which causes this negative user experience for 32 bit Windows 7 (and potentially other Windows versions) users.

I will email them.

Thanks pal-moz for helping us figure out the root of the problem!
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
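
Added example (not part of the bug thread, and not Apple's or Mozilla's code): the per-locale check described in the comment above, written as a small Node.js audit that reads the hidden binaryUrl inputs of each download iframe and reports the slots whose http:// target is mixed active content for the HTTPS iframe page. The function names are hypothetical, and the sample pages are constructed from the input tags and secure link quoted in the thread.

```javascript
// Added example: find binaryUrl inputs that an HTTPS download iframe would
// load over plain HTTP (mixed active content once set as a frame src).

const INPUT_RE = /<input\b[^>]*>/gi;
const ATTR_RE = /([\w:-]+)\s*=\s*(?:'([^']*)'|"([^"]*)")/g;

// Parse the quoted attributes of one <input ...> tag into an object.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// frameUrl: URL of the iframe document that holds the inputs.
// html:     its markup. Returns one finding per binaryUrl input.
function auditBinaryUrls(frameUrl, html) {
  const embedderIsSecure = new URL(frameUrl).protocol === 'https:';
  const findings = [];
  for (const [tag] of html.matchAll(INPUT_RE)) {
    const { id = '', value } = parseAttrs(tag);
    if (!id.endsWith(':binaryUrl') || !value) continue;
    let target;
    try {
      target = new URL(value, frameUrl); // also resolves relative values
    } catch {
      continue; // unparseable value: nothing to load
    }
    findings.push({
      // "system_OS_Hide_Show:4:win:radio:binaryUrl" -> "4:win:radio"
      slot: id.split(':').slice(1, -1).join(':'),
      url: target.href,
      mixed: embedderIsSecure && target.protocol === 'http:',
    });
  }
  return findings;
}

// pages: { frameUrl: html }. Returns { frameUrl: [slots with mixed content] }.
function insecureByLocale(pages) {
  const report = {};
  for (const [frameUrl, html] of Object.entries(pages)) {
    const bad = auditBinaryUrls(frameUrl, html).filter((f) => f.mixed);
    if (bad.length) report[frameUrl] = bad.map((f) => f.slot);
  }
  return report;
}

// Constructed sample input, built from the tags quoted in the thread.
const SAMPLE_PAGES = {
  'https://swdlp.apple.com/iframes/82/ja_jp/82_ja_jp.html': `
<input type='hidden' id='system_OS_Hide_Show:4:win:radio:binaryUrl' value='http://appldnld.apple.com/iTunes11/091-9269.20130816.Azfre/iTunesSetup.exe' >
<input type='hidden' id='system_OS_Hide_Show:6:win:64bit:radio:binaryUrl' value='https://secure-appldnld.apple.com/iTunes11/091-9270.20130816.Qw23e/iTunes64Setup.exe' >`,
  'https://swdlp.apple.com/iframes/82/en_us/82_en_us.html': `
<input type='hidden' id='system_OS_Hide_Show:4:win:radio:binaryUrl' value='https://secure-appldnld.apple.com/iTunes11/091-9269.20130816.Azfre/iTunesSetup.exe' >`,
};

console.log(insecureByLocale(SAMPLE_PAGES));
```

Run against every locale's iframe, a check like this catches a single slot that was left on http:// while the others were moved to https://.
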
Apple replied and said that everything should be fixed now.  I did indeed check that apple downloads DE and apple downloads JP now use the secure binary link.  And then I also checked the AU version for good measure.

Everything looks good.  Closing again.  pal-moz, if you are still experiencing issues please let us know.  Thanks!
Status: REOPENED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED

Comment 29

4 years ago
I can download.
all fine now.

thank you very much.
Assignee: nobody → other
Component: Security → Other
Product: Firefox → Tech Evangelism

Comment 30

4 years ago
Problem is back, in both 17.0.9 and 24.0.
Download works if clicking on save very quickly.
It fails if the click happens after the webpage refreshed to say "thank you".

Comment 31

4 years ago
yep, same problem seen in 24.0
However I am unable to make it work "by clicking on save very quickly"
It fails each time in my case.

Comment 32

4 years ago
Workarounds:

Apple has a direct download link for the 64bit version on
http://support.apple.com/kb/DL1615

but not on the corresponding page for the 32bit version
http://support.apple.com/kb/DL1614

I have added both to my collection of direct download links
http://www.klaus-hartnegg.de/gpo/download.html#itunes

Also the green button on 
http://www.filehippo.com/de/download_itunes_32/download
does a redirect and triggers a download directly from Apples server.

Alternatively ask Apple to fix this.
This feedback form has an option for "Website Issues":
http://www.apple.com/contact/feedback.html

Comment 33

4 years ago
(In reply to hartnegg from comment #30)
> Problem is back, in both 17.0.9 and 24.0.
> Download works if clicking on save very quickly.
> It fails if the click happens after the webpage refreshed to say "thank you".

(In reply to Ashish from comment #31)
> yep, same problem seen in 24.0
> However I am unable to make it work "by clicking on save very quickly"
> It fails each time in my case.

all fine here.
which language ?

Comment 34

4 years ago
It is caused by one of the settings in prefs.js
Probably by this line
user_pref("browser.download.useDownloadDir", false);

Comment 35

4 years ago
(In reply to hartnegg from comment #34)
> It is caused by one of the settings in prefs.js
> Probably by this line
> user_pref("browser.download.useDownloadDir", false);

maybe bug#673366 ?

Comment 36

4 years ago
(In reply to pal-moz from comment #35)
> maybe bug#673366 ?

Similar, but I'm getting this error instead:

Error: [Exception... "Component returned failure code: 0x80004002 (NS_NOINTERFACE) [nsIInterfaceRequestor.getInterface]"  nsresult: "0x80004002 (NS_NOINTERFACE)"  location: "JS frame :: resource://gre/components/nsHelperAppDlg.js :: <TOP_LEVEL> :: line 248"  data: no]
Source File: resource://gre/components/nsHelperAppDlg.js
Line: 248
(In reply to hartnegg from comment #30)
> Problem is back, in both 17.0.9 and 24.0.
> Download works if clicking on save very quickly.
> It fails if the click happens after the webpage refreshed to say "thank you".

Has apple reverted its patch to upgrade its http:// binaries to https:// links?  From the comments, it doesn't sound like it.  Perhaps this is a downloads manager problem and not a Mixed Content Blocker problem.  If it is a MCB problem, then please provide the apple.com url where you are experiencing the problem and I will ping apple.

Comment 38

4 years ago
(In reply to Tanvi Vyas [:tanvi] from comment #37) 
> Has apple reverted its patch to upgrade its http:// binaries to https://
> links?  From the comments, it doesn't sound like it.  Perhaps this is a
> downloads manager problem and not a Mixed Content Blocker problem.  If it is
> a MCB problem, then please provide the apple.com url where you are
> experiencing the problem and I will ping apple.
No the https links are still in place, it is something to do with the download dialog prompt losing the reference to the page/window when Apple navigates the page away, and so it's unable to instantiate the Save As dialog.
Duplicate of this bug: 906308

Comment 40

3 years ago
THIS IS *NOT* RESOLVED!!!! WHOEVER MARKED IT RESOLVED IS A LIAR!!! BOTH ITUNES *AND* QUICKTIME DOES *NOT* START AND IT'S THE *EXACT* PROBLEM!!!!!!!!!!!!!!!!!!! REMOVE THE  FALSE "RESOLVED FIXED" STATUS AT ONCE!!!!!!!!!!!!!!!!!!!!!!!!!!!!
What's your UA?
What's your location?

Apple has different services with different countries and locales. Maybe it is something which is tied to your configuration.
Flags: needinfo?(moltres.facesits.justin.coolidge)

Comment 42

2 years ago
I can also confirm that it is NOT downloading using FF 34. The prompt to save or run is presented, but when you click either one, nothing happens, and then you are directed to the "Thank you for downloading iTunes" page.

Fortunately, I can still download it with IE 11.

I'm in GA, USA if that helps.
Created attachment 8542060 [details]
Capture d’écran 2014-12-29 à 09.39.55.png

Thanks Mike.
Testing here from France on MacOSX
1. I get the form, fill it.
2. Click on the button download.

Then…
Created attachment 8542062 [details]
Capture d’écran 2014-12-29 à 09.40.21.png

… Then 
I have an OS popup window telling me it has been downloaded in the background and the Web browser is displaying the Thank You notice.

I'm using Firefox 34 on Mac OS X 10.10.

So there are clearly cases where it seems it is not working and others where it is working. Maybe dependent on the OS. 

Mike do you use windows too?
Flags: needinfo?(nothingbutlove4uhere)
Each time I'm testing I'm using a totally blank profile. No cookies, no history, no storage, no add-ons, etc.

Now testing with Firefox Nightly 
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0" 
37.0a1 (2014-12-28)

This is working too.

I have also tested from both localized sites and localized sites.


PS: I meant browser pop up window in the previous comment.

Comment 46

2 years ago
Activate the option that you want to choose where to store the file, then take 2 seconds to actually select the target directory. Never works. 100% reproducible. See comment 34.

Comment 47

2 years ago
The remaining problems are bug 673366 / bug 918000.

Comment 48

2 years ago
(In reply to Karl Dubost :karlcow from comment #44)
> Created attachment 8542062 [details]
> Capture d’écran 2014-12-29 à 09.40.21.png
> 
> … Then 
> I have an OS popup window telling me it has been downloaded in the
> background and the Web browser is displaying the Thank You notice.
> 
> I'm using Firefox 34 on Mac OS X 10.10.
> 
> So there are clearly cases where it seems it is not working and others where
> it is working. Maybe dependent on the OS. 
> 
> Mike do you use windows too?

Yes, Windows 7. Not sure if it matters, but I can download QuickTime from Apple's website without issue.
Flags: needinfo?(nothingbutlove4uhere)
Ian, thanks. So this Tech Evangelism bug is closed. See bug 673366 / bug 918000.
Assignee: other → nobody
Component: Other → Desktop
Flags: needinfo?(moltres.facesits.justin.coolidge)

Comment 50

2 years ago
THE PROBLEM IS *STILL* HERE ON *EVERY* FIREFOX, *EVERY* COMPUTER, *EVERY* FIREFOX VERSION SINCE THIS BUG!!! EVEN BUSINESS COMPUTERS!!!!! EVERY TIME *ONLY* ON FIREFOX!!! SAYING IT IS "RESOLVED" IS *FALSE*!!!
I can confirm that it is still a problem. The download is over https, so it is likely a different problem than what's been discussed in this bug. I assume that the navigation to the "thank you" page may be interrupting the download triggered inside some IFRAME? I will explore a bit and open a new bug (since the above comments are mostly about a different issue).

Comment 52

2 years ago
(In reply to Hallvord R. M. Steen [:hallvors] from comment #51)
> I can confirm that it is still a problem. The download is over https, so it
> is likely a different problem than what's been discussed in this bug. I
> assume that the navigation to the "thank you" page may be interrupting the
> download triggered inside some IFRAME? I will explore a bit and open a new
> bug (since the above comments are mostly about a different issue).

Did you file a bug for this eventually? I think the issue you observed here might be the same one resolved in bug 1196144, which should be fixed in Nightly as well as the latest Beta version.

Comment 53

2 years ago
I also confirm this remains a problem.
Paolo: thanks! I can confirm it now works in Nightly, so the remaining problem was bug 1196144 :)
Duplicate of this bug: 1263264