Opened 8 years ago

Closed 8 years ago

#4149 closed defect (fixed)

Mysterious new tabs opened by content affected by rewrites since nsIContentPolicy disablement

Reported by: willdude
Owned by: pde
Priority: High
Component: HTTPS Everywhere/EFF-HTTPS Everywhere

Description

In Google Reader:

1) View an RSS feed in List view
2) Click on the title of an entry that contains a YouTube video to expand it
3) Click the title again to close the item
4) A new tab automatically opens in Firefox which contains just that video.

This started happening with Firefox 7 and HTTPS Everywhere 1.0.3.  This appears to be caused by the Google Services rule, since when you disable this rule, this no longer occurs.

Change History (12)

comment:1 Changed 8 years ago by willdude

I should note that this occurs on both Windows 7 and Mac OS X 10.6.

comment:2 Changed 8 years ago by pde

Status: new → accepted

I can reproduce this, but only with the YouTube ruleset enabled. Which means this bug isn't in 1.0.3 or 2.0development.1, but will be in the next devel release :(.

My first hypothesis is that this is some kind of frame-escaper logic in the embedded YouTube object.

Our best bet for fixing this is probably to get someone to file an internal Google ticket about it.

comment:3 Changed 8 years ago by pde

When you close the post, there is a request sent to a URL like http://www.youtube.com/embed/htX2usfqMEs, which is rewritten.

Two things that are different about the request when the YouTube ruleset is turned on are (1) it does not have a referrer; (2) it does not have any cookies attached to it.

I'm at a complete loss to explain why (2) is the case, though...

comment:4 Changed 8 years ago by pde

The buggy case looks like this:

#request 1: caused by closing the Reader foldout
https://www.youtube.com/embed/htx2usfqmes

get /embed/htx2usfqmes http/1.1
host: www.youtube.com
user-agent: mozilla/5.0 (x11; linux x86_64; rv:7.0.1) gecko/20100101 firefox/7.0.1 iceweasel/7.0.1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: en-us,en;q=0.5
accept-encoding: gzip, deflate
accept-charset: iso-8859-1,utf-8;q=0.7,*;q=0.7
dnt: 1
connection: keep-alive

http/1.1 200 ok
date: wed, 05 oct 2011 16:42:07 gmt
server: apache
x-content-type-options: nosniff
set-cookie: visitor_info1_live=9hu_rym9wfs; path=/; domain=.youtube.com; expires=fri, 01-jun-2012 16:42:07 gmt
set-cookie: geo=715250a9710e675a6961749aafc65424cwsaaaazvvnak7wftoyi3w==; path=/; domain=.youtube.com
set-cookie: visitor_info1_live=9hu_rym9wfs; path=/; domain=.youtube.com; expires=fri, 01-jun-2012 16:42:07 gmt
set-cookie: geo=715250a9710e675a6961749aafc65424cwsaaaazvvnak7wftoyi3w==; path=/; domain=.youtube.com
expires: tue, 27 apr 1971 19:44:06 est
cache-control: no-cache
content-length: 19935
content-type: text/html; charset=utf-8

# request 2 in a new tab


https://www.youtube.com/embed/htx2usfqmes

get /embed/htx2usfqmes http/1.1
host: www.youtube.com
user-agent: mozilla/5.0 (x11; linux x86_64; rv:7.0.1) gecko/20100101 firefox/7.0.1 iceweasel/7.0.1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: en-us,en;q=0.5
accept-encoding: gzip, deflate
accept-charset: iso-8859-1,utf-8;q=0.7,*;q=0.7
cookie: sid=AVERYLONGBLOG; hsid=SHORTBLOB; use_hitbox=MEDIUMBLB; visitor_info1_live=SHORTBLOB; geo=MEDIUMBLOB==; lwb=1; login_info=VERYLONGBLOB=; demographics=LONBLOB=; pref=fv=11.0.1
dnt: 1
connection: keep-alive
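
The comparison made by eye in comments 3 and 4 can be done mechanically. This is an added example, not part of the ticket or of HTTPS Everywhere: it parses two raw request captures and reports which headers differ, listing cookie names without their values. Both captures are constructed (abridged from the dump above, with placeholder cookie values), and `parseRequest`, `cookieNames` and `diffRequests` are hypothetical helper names.

```javascript
// Added example. Both captures are constructed: abridged from the dump in
// comment 4, with placeholder cookie values.
const REQUEST_1 = `get /embed/htx2usfqmes http/1.1
host: www.youtube.com
dnt: 1
connection: keep-alive`;

const REQUEST_2 = `get /embed/htx2usfqmes http/1.1
host: www.youtube.com
cookie: sid=PLACEHOLDER1; visitor_info1_live=PLACEHOLDER2; geo=PLACEHOLDER3==; pref=fv=11.0.1
dnt: 1
connection: keep-alive`;

// Parse the header section of a raw request; header names are case-insensitive.
function parseRequest(raw) {
  const head = raw.trim().split(/\r?\n\r?\n/)[0]; // ignore any body
  const [requestLine, ...rest] = head.split(/\r?\n/);
  const headers = new Map();
  for (const line of rest) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // skip lines that are not "name: value"
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    // Join repeated fields instead of silently keeping only the last one.
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return { requestLine: requestLine.trim(), headers };
}

// Report cookie names only, so the diff can go into a public ticket.
function cookieNames(headers) {
  const cookie = headers.get("cookie") || "";
  return cookie.split(";").map((p) => p.split("=")[0].trim()).filter(Boolean).sort();
}

function diffRequests(rawA, rawB) {
  const a = parseRequest(rawA), b = parseRequest(rawB);
  const names = [...new Set([...a.headers.keys(), ...b.headers.keys()])].sort();
  return {
    sameRequestLine: a.requestLine.toLowerCase() === b.requestLine.toLowerCase(),
    onlyInA: names.filter((n) => a.headers.has(n) && !b.headers.has(n)),
    onlyInB: names.filter((n) => !a.headers.has(n) && b.headers.has(n)),
    changed: names.filter((n) => a.headers.has(n) && b.headers.has(n) &&
      a.headers.get(n) !== b.headers.get(n)),
    hasReferer: [a.headers.has("referer"), b.headers.has("referer")],
    cookieNames: [cookieNames(a.headers), cookieNames(b.headers)],
  };
}
console.log(diffRequests(REQUEST_1, REQUEST_2));
```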

comment:5 Changed 8 years ago by pde

Hmmm, I take this back. With the YouTube ruleset off, requests look very similar to the first request above, except they don't necessarily happen when the foldout is closed. I take back the bit about mysterious cookies. This still looks like a frame escaper bug of some sort.

comment:6 Changed 8 years ago by pde

Steps to reproduce for Google Engineers:

  1. Get Firefox
  2. Install HTTPS Everywhere: https://www.eff.org/files/https-everywhere-2.0development.1.xpi
  3. Enable the YouTube ruleset, either with Tools->HTTPS Everywhere->Enable/Disable Rulesets or Tools->HTTPS Everywhere->(No Rules For this Page)
  4. Now follow the steps in the bug report above.

comment:7 Changed 8 years ago by pde

The plot thickens. I can reproduce this in the current git master, but not in 2.0development.1....

comment:8 Changed 8 years ago by pde

Also reproducible in 1.0.3.

comment:9 Changed 8 years ago by pde

The bug was triggered by the nsIContentPolicy disablement :(.

comment:10 Changed 8 years ago by pde

Priority: normal → major
Summary: Google Services rule causes YouTube popups in Google Reader → Mysterious new tabs opened by content affected by rewrites since nsIContentPolicy disablement

We have another similar sounding report of new tabs being opened by the Facebook Like button. This is consistent with the general hypothesis that the channelReplacement rewrites are somehow inadequate/different to the ones we were getting with nsIContentPolicy::shouldLoad(), and that's triggering a frame escaper somewhere.

I have installed the https-everywhere plugin on FF 7, and have encountered a strange issue.

The issue is that if I go to a http page that has a Facebook like button, or a Facebook fan page box, it will open it in a new tab automatically.

Example: www.ynet.co.il <http://www.ynet.co.il>

comment:11 Changed 8 years ago by pde

(I can't reproduce the bug on the ynet site, but I'm going to proceed on the assumption that it's the same problem).

comment:12 Changed 8 years ago by pde

Resolution: fixed
Status: accepted → closed

This should be fixed by the selective reenablement of nsIContentPolicy in 2.0development.3 and 1.1 stable.
