Closed
Bug 1196882
Opened 9 years ago
Closed 9 years ago
Firefox not following 303/7 Status Code after 302
Categories
(Core :: Networking: HTTP, defect)
Tracking
()
RESOLVED
FIXED
mozilla43
People
(Reporter: benny, Assigned: mcmanus)
References
Details
(Keywords: dev-doc-complete, regression, site-compat)
Attachments
(1 file)
(deleted),
patch
|
bagder
:
review+
ritu
:
approval-mozilla-aurora+
ritu
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Steps to reproduce:
I'm a developer with spideroak.com. The OMVA we have built for our SMB and Enterprise customers has an option to `View User's Data` from a user's detail page.
The process for linking to the user's data follows a 4 step process wherein the page is directed through a couple of channels, landing at the user's url:
- Click the button. This kicks off the process of grabbing user's validation through an escrow process.
- The process returns a 302 redirect with credentials to our internal processor.
- The internal processor validates and returns a 303 with the supplied destination url.
- Manager can then view user's data.
Due to certain policies, I cannot provide a reduced test case. However, I can direct you to a secured a minimal as possible version of our product upon request for reproduction.
Actual results:
From the 303, the final supplied url should load. But Firefox spins for a while then just times out.
Expected results:
Firefox should follow 303 to the final destination.
Note: This works in Firefox 38.0.5 but causes the above issue in 39.0.3 to Nightly 43.0a1
OS: Unspecified → All
Product: Core → Firefox
Hardware: Unspecified → All
Maybe there is a regression in FF39. A dev will probably ask you an access to the testcase.
Assignee | ||
Comment 2•9 years ago
|
||
please supply an http log of the test case. When you upload the attachment you can mark it private.
https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging
(In reply to Patrick McManus [:mcmanus] from comment #2)
> please supply an http log of the test case. When you upload the attachment
> you can mark it private.
>
> https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging
The log files generated from this exceed the upload limit. I can attach them offsite in a spideroak.com ShareRoom. Alternatively can I trim the logs at a certain point?
Currently the log generated from the 38.0.5 test case is 37.2MB and the one from 40.0.2 is 51.1MB
Also - I didn't see an option in the Create New Attachment view for marking the files as private.
You can upload the log file to a third-party cloud service like Dropbox, Mediafire etc. and post the download link here.
Assignee | ||
Comment 5•9 years ago
|
||
on the upload screen there is a checkbox under privacy.. but if you're just going to include a link in a comment (which is fine) then you want the "make comment private" checkbox next to "additional comments"
Assignee | ||
Comment 6•9 years ago
|
||
oh - and those logs are text and compress very well..
(In reply to Patrick McManus [:mcmanus] from comment #6)
> oh - and those logs are text and compress very well..
Here you go. This ShareRoom will be available till the conclusion of this ticket.
https://spideroak.com/browse/share/Rustic/firefox-logs
Updated•9 years ago
|
Whiteboard: 1196237
Updated•9 years ago
|
Whiteboard: 1196237
Assignee | ||
Comment 8•9 years ago
|
||
if you find the 303 response in the log (see other is a good string to search for) it has a content-length of 246 but there are no body bytes sent after the headers and the server closes the connection. We detect that, correctly, as a malformed response. (and this is a new behavior)
The fastest fix for you would be to make it well formed.. (c-l 0, or send a body, or just omit c-l as long as you close the connection)
Given that this is a redirect and the response body is not all that important, I think we should also consider the firefox behavior an overreaction and let this slide on non 2xx cases for webcompat reasons.
I'll attach a patch soon
bagder ni just fyi
Flags: needinfo?(daniel)
Comment 9•9 years ago
|
||
Yeah, seeing that there are now more than one case of this and they're rather obscure to the users I can see how we might need to backpedal once again. Do you plan on loosening the check for redirects in particular or do it for all non-2xx status responses?
Flags: needinfo?(daniel)
Assignee | ||
Comment 10•9 years ago
|
||
(In reply to Daniel Stenberg [:bagder] from comment #9)
> Yeah, seeing that there are now more than one case of this and they're
> rather obscure to the users I can see how we might need to backpedal once
> again. Do you plan on loosening the check for redirects in particular or do
> it for all non-2xx status responses?
can you include other bug numbers here?
Comment hidden (obsolete) |
Comment hidden (obsolete) |
Comment 13•9 years ago
|
||
I was thinking about bug 1186830 in addition to this.
Assignee | ||
Comment 15•9 years ago
|
||
Assignee | ||
Comment 16•9 years ago
|
||
Attachment #8655007 -
Flags: review?(daniel)
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → mcmanus
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment 17•9 years ago
|
||
Comment on attachment 8655007 [details] [diff] [review]
dont enforce h1 framing on non 2xx
Looking good!
Attachment #8655007 -
Flags: review?(daniel) → review+
Assignee | ||
Comment 18•9 years ago
|
||
Assignee | ||
Comment 19•9 years ago
|
||
Comment on attachment 8655007 [details] [diff] [review]
dont enforce h1 framing on non 2xx
Approval Request Comment
[Feature/regressing bug #]:237623 - gecko 39
[User impact if declined]: minor webcompat issue with non compliant http responses can lead to failed navigations. We can loosen the rules a little bit with this patch and still obtain the goal of 237623.
[Describe test coverage new/current, TreeHerder]: new xpcshell test
[Risks and why]: extremely low risk - 237623 tightened handling of non-compliant responses, and this change brings us back to where we were for a small subset of them for reasons of web compat.
[String/UUID change made/needed]: none
Attachment #8655007 -
Flags: approval-mozilla-beta?
Attachment #8655007 -
Flags: approval-mozilla-aurora?
Benny, would you be able to verify the fix on Nightly build from 09-02 or later? I am hoping the fix will be in the next Nightly build. Thanks!
Flags: needinfo?(benny)
Adding the keyword regression and setting status affected for 41+
status-firefox41:
--- → affected
status-firefox42:
--- → affected
status-firefox43:
--- → affected
Keywords: regression
Reporter | ||
Comment 22•9 years ago
|
||
(In reply to Ritu Kothari (:ritu) from comment #20)
> Benny, would you be able to verify the fix on Nightly build from 09-02 or
> later? I am hoping the fix will be in the next Nightly build. Thanks!
Absolutely. I'll test as soon as the build comes out.
Flags: needinfo?(benny)
Reporter | ||
Comment 23•9 years ago
|
||
FF Nightly 43.0a1 (2015-09-02) fails. Will try again tomorrow. Let me know if you need anything.
Comment 24•9 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Reporter | ||
Comment 25•9 years ago
|
||
Fix works as of Nightly 43.0a1 (2015-09-03)
Do you know when this will go to production?
Thanks!
(In reply to Benny M from comment #25)
> Fix works as of Nightly 43.0a1 (2015-09-03)
>
> Do you know when this will go to production?
>
> Thanks!
Many Thanks Benny! This should in 41.0b8 and 41 when it goes live.
Comment on attachment 8655007 [details] [diff] [review]
dont enforce h1 framing on non 2xx
Given that the patch was verified, I feel much more confident uplifting to Aurora42 and Beta41.
Attachment #8655007 -
Flags: approval-mozilla-beta?
Attachment #8655007 -
Flags: approval-mozilla-beta+
Attachment #8655007 -
Flags: approval-mozilla-aurora?
Attachment #8655007 -
Flags: approval-mozilla-aurora+
Updated•9 years ago
|
Keywords: dev-doc-needed,
site-compat
Reporter | ||
Comment 30•9 years ago
|
||
Can confirm that this issue is resolved in 41.0!
Thanks a ton for all your work and your attention to this issue!
Comment 31•9 years ago
|
||
Usually we don't document bug fixes (unless very old). In this case, I think the site-compat info will be enough.
Keywords: dev-doc-needed → dev-doc-complete
Comment 32•9 years ago
|
||
Added the site compatibility doc: https://www.fxsitecompat.com/en-US/docs/2015/303-and-307-redirects-after-302-are-not-followed/
You need to log in
before you can comment on or make changes to this bug.
Description
•