Several issues with view-source:https://<site with bad cert>
Categories
(Firefox :: Security, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox84 | --- | verified |
People
(Reporter: mt, Assigned: johannh)
References
(Blocks 1 open bug, Regressed 1 open bug, )
Details
Attachments
(1 file, 7 obsolete files)
Reporter | ||
Updated•11 years ago
|
Comment 1•11 years ago
|
||
Comment 2•9 years ago
|
||
Comment 5•8 years ago
|
||
Assignee | ||
Comment 7•8 years ago
|
||
Assignee | ||
Comment 9•8 years ago
|
||
Comment 10•8 years ago
|
||
Assignee | ||
Comment 11•8 years ago
|
||
Comment 12•8 years ago
|
||
Assignee | ||
Comment 13•8 years ago
|
||
Comment 14•8 years ago
|
||
Assignee | ||
Comment 15•8 years ago
|
||
Comment 16•8 years ago
|
||
Assignee | ||
Comment 17•8 years ago
|
||
Comment 18•8 years ago
|
||
Assignee | ||
Comment 19•8 years ago
|
||
Assignee | ||
Comment 20•8 years ago
|
||
Comment 21•8 years ago
|
||
Assignee | ||
Comment 22•8 years ago
|
||
Assignee | ||
Comment 23•8 years ago
|
||
Assignee | ||
Comment 24•8 years ago
|
||
Comment 25•8 years ago
|
||
Assignee | ||
Comment 26•7 years ago
|
||
Comment 27•7 years ago
|
||
Updated•7 years ago
|
Updated•7 years ago
|
Comment 28•6 years ago
|
||
Hi, adding location = location.replace(/^view-source:/i,""); in onCertError method https://searchfox.org/mozilla-central/source/browser/base/content/browser.js#2971 seems to fix the issue. The certificate loads and exception added. Should i work on it?
Assignee | ||
Comment 29•6 years ago
|
||
Hi Jawad, you should feel free to pick this up, but note that Dana suggested earlier that we should do this transformation in https://searchfox.org/mozilla-central/rev/3e0f1d95fcf8832413457e3bec802113bdd1f8e8/security/manager/pki/resources/content/exceptionDialog.js#138
I hope you can work with that, let me know if you have any questions.
Comment 30•6 years ago
|
||
Comment 31•6 years ago
|
||
Hi, in latest nightly the exception dialog is not shown any more instead nightly uses a new page where exceptions are added just by clicking the "Add Exception" button. But the problem remains same that viewing certificate and adding exception doesn't work on "view-source:" pages.
Fixing dialog:
Step: 1
To first fix the exception dialog we first need to turn the browser.security.newcerterrorpage.enabled in about:config to false in order to get the dialog shown. But the dialog still doesn't show while viewing source, clicking on the button "Add Exception" does nothing.
Step: 2
I removed the "view-source:" from address bar, reloaded the page and clicked on the "Add Exception" & the dialog appeared. I clicked the get certificate and it works but then i added "view-source:" at beginning of URL and it never loads certificate.
Step:3
then i added the following lines to https://searchfox.org/mozilla-central/rev/3e0f1d95fcf8832413457e3bec802113bdd1f8e8/security/manager/pki/resources/content/exceptionDialog.js#143
let locationTextBoxValue = locationTextBox.value.replace(/^view-source:/i,"");
let uri = Services.uriFixup.createFixupURI(locationTextBoxValue, 0);
I repeated the step 2 and now it works well there, but this just fixed the problem of exception dialog and the "Add Exception" button on the "view-source:" pages still doesn't work and certificate doesn't load.
Step: 4
To get the exception dialog on the "view-source" pages following are problems we were facing.
In https://searchfox.org/mozilla-central/source/browser/base/content/browser.js#3036 there is onCertError method which also has the "location" parameter.
This method is called by receiveMessage in https://searchfox.org/mozilla-central/source/browser/base/content/browser.js#2988 which then passes location to onCertError which it gets from onCertError in https://searchfox.org/mozilla-central/source/browser/actors/NetErrorChild.jsm#782.
This is from where the raw location is sent, so by replacing
"location: win.document.location.href" with
"location: win.document.location.href.replace(/^view-source:/i,"")" in https://searchfox.org/mozilla-central/source/browser/actors/NetErrorChild.jsm#784
We get the dialog on the "view-source:" pages. The certificate loads and exception addition works.
This problem can also be solved by only following step 1 & 4. So if we enable the browser.security.newcerterrorpage.enabled in about:config to check with the nightly's new certificate error page, we find that the problem is also solved there.
Updated•6 years ago
|
Comment 32•6 years ago
|
||
If you're asking me to review your patch, I would defer to Johann.
Updated•6 years ago
|
Updated•6 years ago
|
Comment 34•6 years ago
|
||
:johannh a duplicate was just filed for this bug report that hasn't seen any activity in over a month. Please see the patch and the latest comments (comment 30 onward).
Assignee | ||
Comment 35•6 years ago
|
||
I already reviewed the patch.
Hey Jawad, any updates on this? :)
Thanks!
Assignee | ||
Updated•6 years ago
|
Assignee | ||
Comment 36•5 years ago
|
||
Unassigning due to inactivity, let me know if you want to pick this up again :)
Comment 37•5 years ago
|
||
Hey Johannh ,I was trying to reproduce the issue, by using the url mentioned in the description.
But the url just shows a blank page!
Also can I take up this issue, if it still persists?
Thanks :)
Aarushi
Assignee | ||
Comment 38•5 years ago
|
||
Yeah I'm seeing the same thing, it's pretty weird. When I go to view-source:https://expired.badssl.com on a fresh profile it will show a blank page, but it suddenly starts working fine if I visit https://expired.badssl.com directly first. Then I can also add an exception on the view-source page, but it will forward to https://expired.badssl.com. Removing doesn't work either.
Needs some investigation.
Assignee | ||
Comment 41•5 years ago
|
||
Known issues now that we can look at the page again:
- The "Accept the Risk and Continue" button doesn't work
- The domain isn't correctly displayed in many cases. e.g.
Nightly detected an issue and did not continue to .
In the Advanced section it saysThe certificate for expired on 4/13/2015.
- When adding an exception (via adding an exception for the non "view-source" url), clicking on "Remove Exception" in the identity popup when you're on the view-source page again will do nothing.
These seem very related (probably some mistaken URL parsing) so we can probably handle them all in this bug.
Assignee | ||
Comment 42•5 years ago
|
||
Aarushi, are you still interested in this? :)
Comment 44•5 years ago
|
||
Yes sure :)
Comment 45•5 years ago
|
||
Updated•5 years ago
|
Assignee | ||
Comment 46•4 years ago
|
||
We should probably find someone to finish this up...
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 47•4 years ago
|
||
This is to prevent issues with parsing the correct hostname for displaying and adding
exceptions for urls like view-source:.
Updated•4 years ago
|
Updated•4 years ago
|
Comment 48•4 years ago
|
||
Comment 49•4 years ago
•
|
||
Backed out for browser-chrome and devtools related failures.
Backout link: https://hg.mozilla.org/integration/autoland/rev/108176ff87a46c7228b1b7e4b4cfa0ba037366a3
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=319795100&repo=autoland&lineNumber=3191
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=319794799&repo=autoland&lineNumber=3298
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=319796316&repo=autoland&lineNumber=3990
Assignee | ||
Updated•4 years ago
|
Comment 50•4 years ago
|
||
Comment 51•4 years ago
|
||
bugherder |
Updated•4 years ago
|
Comment 52•4 years ago
|
||
Reproduced the initial issue using old Nightly from 2020-10-20. Verified that the issues mentioned in comment 41 are fixed using Firefox 84.0b4 across platforms (Windows 7 64bit, Windows 10 64bit, macOS 11 and Ubuntu 18.04).
Updated•4 years ago
|
Description
•