Steps to reproduce: 1. Load MP-stage on your Android device (https://marketplace.allizom.org/) 2. Try to purchase an app (Test App(chocolate)) 3. Click “Forgot your PIN?” link 4. Click “Reset” blue button Expected results A “Sign in to continue” window is displayed and user must sign in with valid credentials to continue to MP - Payments Stage. Actual results: “500 Error” message is displayed. Notes/Issues: Issue is not reproducing on Desktop or FF OS. Verified on FF41(Android 4.2.1). Issue is reproducing on MP-stage. Screenshot for this issue: http://screencast.com/t/Yv1wCrD90C1 Ashes ID: c3901

I was able to reproduce this bug on Android 5.1 using ff 38

Can you repro with FF android beta e.g. version 39.x? [1] Judging by the bug this is similar to - it was only released for 39 [2] [1] https://www.mozilla.org/en-US/firefox/channel/#beta [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1134466#c24

Wondering if this is a regression of bug 1134466?

Sorry, I haven't really used the marketplace stuff on device before, so I may need more detailed steps on how to reproduce this bug. I tried the following: * Open Firefox and visit https://marketplace.allizom.org/ * Search for "chocolate" * Click the "$2.99" button to attempt to install it * FxA sign-in pop-up appears, and I sign in * A little grey bar pops up that says "payment cancelled" * Nothng else happens But I don't see anything about a PIN.

steps to reproduce: 1. Install https://addons.mozilla.org/en-US/android/addon/dev-marketplace/?src=ss 2. On fennec, navigate to https://marketplace.allizom.org/ 3. Search for :paid 4. Start the purchase of a paid app 5. Sign in using Fxa 6. In the Enter PIN screen, click on 'Forgot PIN?' link 7. Try the reset button. let me know if these steps work for you.

From logcat, 06-02 15:48:51.404 I/GeckoConsole(17166): [views][base] Replacing $el with rendered content 06-02 15:48:51.414 I/GeckoConsole(17166): [lib][auth] Begin webpay user reset at /mozpay/auth/reset_user 06-02 15:48:51.424 I/GeckoConsole(17166): [views][reset-start] starting logout timer. 06-02 15:48:51.604 W/GeckoConsole(17166): [JavaScript Warning: "This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1." {file: "https://marketplace.allizom.org/mozpay/auth/reset_user" line: 0}] 06-02 15:48:51.614 I/GeckoConsole(17166): [lib][auth] reset webpay user 06-02 15:48:51.634 I/GeckoConsole(17166): [lib][auth] Setting needs-provider-logout in localStorage to true 06-02 15:48:51.634 I/GeckoConsole(17166): [views][reset-start] Clearing logout reset timer. 06-02 15:48:51.634 I/GeckoConsole(17166): [views][reset-start] Forgot-pin logout done 06-02 15:48:51.654 I/GeckoConsole(17166): [models][transaction] Saving JWT to sessionStorage 06-02 15:48:51.654 I/GeckoConsole(17166): [views][reset-start] redirecting to https://oauth.accounts.firefox.com/v1/authorization?scope=profile&state=103acde935ed400799dd7aa7599e0bd6&client_id=e39e5fe5d3ed5529&email=krupa.mozbugs%40gmail.com&action=force_auth 06-02 15:48:54.844 E/GeckoConsole(17166): [JavaScript Error: "Critical error:"] 06-02 15:48:54.844 E/GeckoConsole(17166): [JavaScript Error: "Error: Permission denied to access property "postMessage""] 06-02 15:49:01.374 E/GeckoConsole(17166): [JavaScript Error: "NetworkError: A network error occurred."]

(In reply to krupa raj[:krupa] from comment #5) > steps to reproduce: > 1. Install > https://addons.mozilla.org/en-US/android/addon/dev-marketplace/?src=ss > 2. On fennec, navigate to https://marketplace.allizom.org/ > 3. Search for :paid > 4. Start the purchase of a paid app > 5. Sign in using Fxa > 6. In the Enter PIN screen, click on 'Forgot PIN?' link > 7. Try the reset button. > > let me know if these steps work for you. I'm getting "Payment Cancelled" after I login (after the "> 5. Sign in using Fxa" step). Not getting the pin screen. I made sure that I have the add-on. What could I be missing?

(In reply to Vlad Filippov from comment #7) > (In reply to krupa raj[:krupa] from comment #5) > > steps to reproduce: > > 1. Install > > https://addons.mozilla.org/en-US/android/addon/dev-marketplace/?src=ss > > 2. On fennec, navigate to https://marketplace.allizom.org/ > > 3. Search for :paid > > 4. Start the purchase of a paid app > > 5. Sign in using Fxa > > 6. In the Enter PIN screen, click on 'Forgot PIN?' link > > 7. Try the reset button. > > > > let me know if these steps work for you. > > I'm getting "Payment Cancelled" after I login (after the "> 5. Sign in using > Fxa" step). > Not getting the pin screen. I made sure that I have the add-on. What could I > be missing? Connect WebIDE to your Android device and you'll find a log in the console. It could be PAY_REQUEST_ERROR_NO_VALID_REQUEST_FOUND. That means that Firefox for Android cannot find the settings you just installed. Sometimes restarting Firefox for Android will fix this. https://dxr.mozilla.org/mozilla-central/source/dom/payment/Payment.jsm#108

(In reply to Stuart Colville [:scolville] [:muffinresearch] from comment #2) > Can you repro with FF android beta e.g. version 39.x? [1] > > Judging by the bug this is similar to - it was only released for 39 [2] > > [1] https://www.mozilla.org/en-US/firefox/channel/#beta > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1134466#c24 On Firefox Beta 39.0 (Android 4.2.1) I am getting the same results like Vlad Filippov: after sign in using Fxa the message "Payment cancelled" appears and no PIN popup window.

I suppose the addon (https://addons.mozilla.org/en-US/android/addon/dev-marketplace/?src=ss) was properly activated only after restarting the Android phone. So, I get the same 500 error at PIN reset, on Firefox Beta 39.0. Sorry for misleading you with previous comment.

In order to (In reply to Vlad Filippov from comment #7) > (In reply to krupa raj[:krupa] from comment #5) > > steps to reproduce: > > 1. Install > > https://addons.mozilla.org/en-US/android/addon/dev-marketplace/?src=ss > > 2. On fennec, navigate to https://marketplace.allizom.org/ > > 3. Search for :paid > > 4. Start the purchase of a paid app > > 5. Sign in using Fxa > > 6. In the Enter PIN screen, click on 'Forgot PIN?' link > > 7. Try the reset button. > > > > let me know if these steps work for you. > > I'm getting "Payment Cancelled" after I login (after the "> 5. Sign in using > Fxa" step). > Not getting the pin screen. I made sure that I have the add-on. What could I > be missing? After installing the addon from step 1, try this : Set dom.mozApps.use_reviewer_certs to true Add the domain https://marketplace-dev.allizom.org for MP-dev or https://marketplace.allizom.org for MP-stage to dom.mozApps.signed_apps_installable_from

FYI it turns out we are blocked by bug 1170819 and aiming for Firefox 39, which is to be released in June.

(In reply to Andy McKay [:andym] from comment #12) > FYI it turns out we are blocked by bug 1170819 and aiming for Firefox 39, > which is to be released in June. Seems like bug 1170819 was fixed / resolved . Does this mean we should try to reproduce this now in latest Fennec Nightly?

(In reply to Vlad Filippov from comment #13) > (In reply to Andy McKay [:andym] from comment #12) > > FYI it turns out we are blocked by bug 1170819 and aiming for Firefox 39, > > which is to be released in June. > > Seems like bug 1170819 was fixed / resolved . > > Does this mean we should try to reproduce this now in latest Fennec Nightly? You can test for bug 1170819, but the two issues are actually unrelated. Until a fix for this lands for this don't bother testing. If you want test bug 1170819 you must test on Beta - a test on Nightly doesn't test the fix that landed.

Shane, I'm wondering if some of the recent iframe-origin-checking stuff has caused the postMessage issues from Bug 1134466 to re-appear. Possible?

FWIW I can indeed reproduce the error by following the steps in Comment 5. Here's my theory on what's happening, but I'll need Shane to sanity-check the details. * In lib/app-start.js, we call initializeIframeChannel as part of the setup routine - * This checks _isInAnIframe(), which is true for the marketplace code here - * It then proceeds to call _checkParentOrigin(), which does: - - * originCheck = new OriginCheck(self._window); - - * originCheck.getOrigin(self._window.parent) - - - * this method calls postMessage() on the passed window argument So the end result is that whenver we're in an iframe, we end up calling self._window.parent.postMessage(), just like we used to do in Bug 1134466. Since window.parent is a privileged chrome window, we get the permission error found in Comment 6.

Assigning to Shane to decide on an appropriate fix, if the above analysis is accurate.

(In reply to Ryan Kelly [:rfkelly] from comment #16) > FWIW I can indeed reproduce the error by following the steps in Comment 5. > > Here's my theory on what's happening, but I'll need Shane to sanity-check > the details. > > * In lib/app-start.js, we call initializeIframeChannel as part of the setup > routine > - * This checks _isInAnIframe(), which is true for the marketplace code here > - * It then proceeds to call _checkParentOrigin(), which does: > - - * originCheck = new OriginCheck(self._window); > - - * originCheck.getOrigin(self._window.parent) > - - - * this method calls postMessage() on the passed window argument > > So the end result is that whenver we're in an iframe, we end up calling > self._window.parent.postMessage(), just like we used to do in Bug 1134466. > Since window.parent is a privileged chrome window, we get the permission > error found in Comment 6. rfkelly - this seems sensible, my read of the code is the same. These changes were introduced in https://github.com/mozilla/fxa-content-server/pull/2364. The iframe origin checking was deliberately made more strict to allow |/| to be iframed by the firstrun flow. I'm collecting my thoughts.

:andym, When FxA is opened in Android, does the iframe have a |name| attribute?

More broadly, what scope do we have for implementing special behaviour on the iframe here? Could you e.g. implement a custom window.parent.postMessage() that tells our origin-checking logic that everything is OK?

(In reply to Shane Tomlinson [:stomlinson] from comment #19) > :andym, When FxA is opened in Android, does the iframe have a |name| > attribute? Its the Trusted UI, don't think its implemented using iframes https://bugzilla.mozilla.org/show_bug.cgi?id=801561, ferjm might know more.

> Its the Trusted UI, don't think its implemented using iframes I'm confused, I thought the TrustedUI thing was for FirefoxOS, but this bug appears to be in an addon for Android. Does this bug also affect FirefoxOS? Where can we view the souce behind this https://addons.mozilla.org/en-US/android/addon/dev-marketplace/ addon that's required to repro the bug per Comment 5.

(In reply to Ryan Kelly [:rfkelly] from comment #22) > > Its the Trusted UI, don't think its implemented using iframes > > I'm confused, I thought the TrustedUI thing was for FirefoxOS, but this bug > appears to be in an addon for Android. Does this bug also affect FirefoxOS? > > Where can we view the souce behind this > https://addons.mozilla.org/en-US/android/addon/dev-marketplace/ addon that's > required to repro the bug per Comment 5. The Trusted UI was implemented by the Android team for that platform. It also exists on some Desktop runtimes. Can't remember where the source for that is, all it does is set dom.payments attributes in the config. You can just do a wget, unzip on the .xpi though, looks like this: https://dpaste.de/kJCF

Thanks Andy! I think I have my terminology straight now. So if I'm understanding things correctly, our FxA login screen is being loaded up in the middle of the payment flow as documented here: https://wiki.mozilla.org/WebAPI/WebPayment#Payment_flow_overview As part of these steps: """ * This starts the buyflow in a content iframe inside a trusted dialog ("chrome dialog"). * A purchasing flow is served from the Payment Provider's server as an HTML5 document inside the trusted dialog. """ IIUC, the android code that's launching this payment flow is: https://hg.mozilla.org/mozilla-central/file/ce863f9d8864/mobile/android/components/PaymentsUI.js#l79 Which displays a chrome window based on this file: https://hg.mozilla.org/mozilla-central/file/ce863f9d8864/mobile/android/chrome/content/payment.xhtml ISTM the simplest solution will be for us to somehow detect that window.parent is a "Trusted UI" window rather than a normal web context, and disable the iframe-checking logic in this case. But we might not have much to go on.

That sounds about right. Is there a hint or flag we can pass to the flow that would help detection? I know adding another flag isn't the best solution, but if it makes it easier...

Shane's going to try a few ways to detect the privileged parent window and we'll see what sticks. It'll be good to have the option of a special flag from marketplace on the table. In general, we try to avoid allowing ourselves to be iframed except in very special and tightly-controlled circumstances. The ideal solution here will avoid malicious sites from being able to "fake it" and embed FxA in an iframe by passing a special parameter.

A fix for this has landed in fxa-content-server repo; it will take about two weeks to ride our trains out to production.

This went out on FxA train 41, which went out the week of July 12th. Marking for QA testing. Sorry for the delay in doing that, PTO and all that.

Verified as fixed on MP-stage FF42(Android 5.1) Postfix screenshot: http://screencast.com/t/jp9GzIOdlT Closing bug.