User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0 Build ID: 20170328084734 Steps to reproduce: We have a corporate wiki that requires Kerberos authentication. Wiki still opens fine in Firefox 53 but in 54 I see an error page saying that Kerberos authentication failed. Here are some excerpts from the logs: Firefox 53: [Main Thread]: D/negotiateauth using REQ_DELEGATE [Main Thread]: D/negotiateauth service = wiki.example.com [Main Thread]: D/negotiateauth using negotiate-gss [Main Thread]: D/negotiateauth entering nsAuthGSSAPI::nsAuthGSSAPI() [Main Thread]: D/negotiateauth Attempting to load gss functions [Main Thread]: D/negotiateauth entering nsAuthGSSAPI::Init() [Lazy Idle]: D/negotiateauth nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate] [Lazy Idle]: D/negotiateauth entering nsAuthGSSAPI::GetNextToken() [Lazy Idle]: D/negotiateauth leaving nsAuthGSSAPI::GetNextToken [rv=0] [Lazy Idle]: D/negotiateauth Sending a token of length 4295 Firefox 54: [Main Thread]: D/negotiateauth nsHttpNegotiateAuth::ChallengeReceived URI blocked Both times Firefox is started with a clean profile and preconfigured 'prefs.js' containing: user_pref("network.negotiate-auth.delegation-uris", "example.com"); user_pref("network.negotiate-auth.trusted-uris", "example.com");

You have to add "." at the start of the string in preferences. This has changed in bug 1328791. But I'm no longer sure the change in handling the leading '.' is correct. To my understanding, allowing subdomains w/o having a '.' at the start of the preference value was incorrect.

Wow, adding '.' fixes the problem. Thank a lot! I guess the ticket can be closed now?

(In reply to Sergey Vlasov from comment #2) > Wow, adding '.' fixes the problem. Thank a lot! I guess the ticket can be > closed now? No, I think we should fix Necko (Firefox) to accept subdomains w/o a need to have the leading '.' in preferences. You are the third person complaining this has changed.

[Tracking Requested - why for this release]: This is a regression from bug 1328791.

Tracking 54/55+ for this regression.

Jason, is there someone who can take a look at this regression?

Honza, you wrote the patch that regressed this.

no try, since no test

Free unit test with every review :)

Comment on attachment 8855589 [details] [diff] [review] Test that '.' is not required to accept subdomains in auth::URIMatchesPrefPattern Review of attachment 8855589 [details] [diff] [review]: ----------------------------------------------------------------- thanks.

Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/53f1ff7723eb Don't require '.' to accept subdomains in *.auth.trusted-uris preferences. r=valentin https://hg.mozilla.org/integration/mozilla-inbound/rev/7550aabb54b8 Test that '.' is not required to accept subdomains in auth::URIMatchesPrefPattern. r=mayhemer

https://hg.mozilla.org/mozilla-central/rev/53f1ff7723eb https://hg.mozilla.org/mozilla-central/rev/7550aabb54b8

Hi :mayhemer, Since this is a regression, do you think this is worth uplifting to Aurora54?

Yes. Will ask.

Comment on attachment 8855432 [details] [diff] [review] v1 Approval Request Comment [Feature/Bug causing the regression]: 1328791 [User impact if declined]: inability to connect to NTLM servers under some common setup that used to work before [Is this code covered by automated tests?]: partially [Has the fix been verified in Nightly?]: only locally and manually, none of the original reporters has answered so far [Needs manual test from QE? If yes, steps to reproduce]: no, there is no easy way to test this w/o an NTLM server setup [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: no [Why is the change risky/not risky?]: simple change to a preference parser cover by tests. [String changes made/needed]: none

Comment on attachment 8855589 [details] [diff] [review] Test that '.' is not required to accept subdomains in auth::URIMatchesPrefPattern Approval Request Comment - see comment 15

Comment on attachment 8855432 [details] [diff] [review] v1 Fix a regression and include tests. Aurora54+.

https://hg.mozilla.org/releases/mozilla-aurora/rev/9695a57baa0d https://hg.mozilla.org/releases/mozilla-aurora/rev/b1fc6302b71d