Closed Bug 1240566 Opened 9 years ago Closed 9 years ago

Missing video controls of embedded HTML5 youtube video due to some HSTS

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1247733

People

(Reporter: alice0775, Assigned: qdot)

References

(
URL
)

Details

(Keywords: reproducible)

Attachments

(2 files)

screenshot
(deleted), image/png
Details
SiteSecurityServiceState.txt, the problematic entry
(deleted), text/plain
Details 
When I test Bug 1240471, I found a problem.

video controls(play/pause, Gear, Fullscreen buttons) of embedded youtube video are missing.

Steps to reproduce:
1. Open http://www.ghacks.net/2007/03/02/one-of-the-greatest-line-rider-movies-ever/
2. Scroll page
3. Play video

Actual Resulst:
video controls(play/pause, Gear, Fullscreen buttons)  are missing.

Expected Results:
not so,


The problem is caused if entry of www.youtube.com:HSTS was existing in SiteSecurityServiceState.txt file.
I do not know when the entry was created. 
This problem might be happens on the profiles that have been used over a long period.
Attached image screenshot (deleted) — 

    
  
Summary: Missing video controls of embedded youtube video due to some HSTS → Missing video controls of embedded HTML5 youtube video due to some HSTS

    
  
Blocks: 775370

    
  
Blocks: 769117

    
    

    
  
Especially, Bug 769117 was landed in Nightly, the problem will be widely affected.

    
    

    
  


  
Assignee: nobody → kyle

    
    

    
  
It looks like that entry will expire on 2016-01-25T16:38:18.209Z. Can you try again after then?
Flags: needinfo?(alice0775)

    
    

    
  
Kyle, how critical is this problem? FF 44 is about to be released next week. Should we try to disable the rewriter for 44 or 45?

(In reply to Alice0775 White from comment #0)
> The problem is caused if entry of www.youtube.com:HSTS was existing in
> SiteSecurityServiceState.txt file.

Kyle's embed rewriter preserves the original Flash embed URL's scheme (HTTP or HTTPS) and domain, so I'm not sure why we have an HSTS conflict.

          status-firefox43:
          --- → unaffected
Flags: needinfo?(kyle)

    
    

    
  
(In reply to Chris Peterson [:cpeterson] from comment #5)
> Kyle, how critical is this problem? FF 44 is about to be released next week.
> Should we try to disable the rewriter for 44 or 45?

The rewriter (bug 769117) never got uplifted to aurora or beta, so I think we're ok?
Flags: needinfo?(kyle)

    
    

    
  
Alice, this bug's Tracking Flags say status-firefox44 and status-firefox45 = affected. Is that true? If so, then this problem is not related to Kyle's Flash embed rewriter.

    
    

    
  
(In reply to David Keeler [:keeler] (use needinfo?) from comment #4)
> It looks like that entry will expire on 2016-01-25T16:38:18.209Z. Can you
> try again after then?

Today 2016-01-26 16:00UTC, I tried to reproduce the problem, And I confirmed that the promlem was gone. The offending entry seems to expire as your described.
Flags: needinfo?(alice0775)

    
    

    
  
(In reply to Chris Peterson [:cpeterson] from comment #7)
> Alice, this bug's Tracking Flags say status-firefox44 and status-firefox45 =
> affected. Is that true? If so, then this problem is not related to Kyle's
> Flash embed rewriter.

The Flash embed rewriter seems risky unless this root problem fixed. So I made block bug 769117.

    
    

    
  
I think the root problem is www.youtube.com briefly tried out sending a Strict-Transport-Security header. Presumably they found breakage (such as this), and it looks like they've since backed off (and are only sending the header with a max-age of 0, which essentially turns it off). Depending on what the original max-age value was and when they stopped sending the header, this problem will essentially go away on its own.

    
    

    
  
(In reply to David Keeler [:keeler] (use needinfo?) from comment #10)
> I think the root problem is www.youtube.com briefly tried out sending a
> Strict-Transport-Security header. Presumably they found breakage (such as
> this), and it looks like they've since backed off (and are only sending the
> header with a max-age of 0, which essentially turns it off). Depending on
> what the original max-age value was and when they stopped sending the
> header, this problem will essentially go away on its own.

OK, I will change the status to "works for me".
No longer blocks: 769117, 775370
Status: NEW → RESOLVED
Closed: 9 years ago

          status-firefox43:
          unaffected → ---

          status-firefox44:
          affected → ---

          status-firefox45:
          affected → ---

          status-firefox46:
          affected → ---
Resolution: --- → WORKSFORME

    
  

          status-firefox-esr45:
          ? → ---

    
    

    
  
The problem comes back w/ clean profile.

SiteSecurityServiceState.txt includes the following entry.
www.youtube.com:HSTS	1	16830	1454802579390,1,0
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---

    
  
Blocks: 769117
Keywords: reproducible

    
  
Blocks: 775370
No longer blocks: 769117
URL: <iframe width="420" height="345"src="...

    
    

    
  
Steps to reproduce:
1. Open http://www.youtube.com/embed/XGSy3_Czz8k
2. Play video

Actual Resulst:
video controls(play/pause, Gear, Fullscreen buttons)  are missing.

Expected Results:
not so,

    
  
Status: REOPENED → RESOLVED
Closed: 9 years ago9 years ago
Resolution: --- → INCOMPLETE

    
    

    
  
Alice, in comment 12, you said you could still reproduce this problem with a clean profile, but then you closed this bug as RESOLVED INCOMPLETE. Is this still a bug? Thanks.
Flags: needinfo?(alice0775)

    
    

    
  
The problem is still reproduced.
So I filed a new bug 1244495.
Flags: needinfo?(alice0775)

    
    

    
  
(In reply to Alice0775 White from comment #15)
> The problem is still reproduced.
> So I filed a new bug 1244495.

Problem is on all Firefox browsers. Also with scripts "converts" flash youtube embed to html5.

    
  
Resolution: INCOMPLETE → DUPLICATE

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: