Opened 6 years ago

Last modified 5 years ago

#4278 accepted defect

MSDN navigation breakage (due to Origin: header omission?)

Reported by: pde Owned by: pde
Priority: Medium Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Keywords: httpse-ruleset-bug
Cc: bigheadjer@…, mikeperry Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Reported here: https://bugzilla.mozilla.org/show_bug.cgi?id=694611

Test case:

Clicking on the fold-out tabs on the left of this page produces no results:

http://msdn.microsoft.com/en-ca/subscriptions/downloads/default.aspx

Child Tickets

Attachments (1)

TracFaq.txt (3.8 KB) - added by thomasjones 4 years ago.

Change History (6)

comment:1 Changed 6 years ago by bigheadjer

Original submitter of bug on bugzilla here:

Removing 2o7.net from the list of HTTPS-enabled sites fixes the problem.

comment:2 Changed 6 years ago by pde

Cc: mikeperry added
Status: new → accepted
Summary: MSDN navigation breakage → MSDN navigation breakage (due to Origin: header omission?)

In my testing, disabling the Omniture (2o7.net) ruleset made no difference to this bug -- it's caused by the Microsoft ruleset.

If I diff the Live HTTP Headers output for the AJAX request that opens those menus, I see this:

--- a    2011-11-14 23:31:32.395957451 -0800+++ b    2011-11-14 23:31:49.707957286 -0800@@ -1,4 +1,4 @@-https://msdn.microsoft.com/Platform/Controls/BPDownloadsList/TableofContents.asmx/GetProductFamiliesByProductGroupID+http://msdn.microsoft.com/Platform/Controls/BPDownloadsList/TableofContents.asmx/GetProductFamiliesByProductGroupID  POST /Platform/Controls/BPDownloadsList/TableofContents.asmx/GetProductFamiliesByProductGroupID HTTP/1.1 Host: msdn.microsoft.com@@ -9,14 +9,13 @@ Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 X-Requested-With: XMLHttpRequest Content-Type: application/json; charset=utf-8+Referer: http://msdn.microsoft.com/en-ca/subscriptions/downloads/default.aspx Content-Length: 89 DNT: 1-Referer: http://msdn.microsoft.com/en-ca/subscriptions/downloads/default.aspx-Origin: http://msdn.microsoft.com Connection: keep-alive Pragma: no-cache Cache-Control: no-cache-{"brandCode":"msdn","localeCode":"en-ca","productGroupID":35,"isMyProductsEnabled":false}+{"brandCode":"msdn","localeCode":"en-ca","productGroupID":65,"isMyProductsEnabled":false} HTTP/1.1 200 OK Cache-Control: private, max-age=0 Content-Type: application/json; charset=utf-8@@ -24,7 +23,7 @@ X-AspNet-Version: 4.0.30319 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET-Date: Tue, 15 Nov 2011 07:29:56 GMT-ntCoent-Length: 1140+Date: Tue, 15 Nov 2011 07:30:40 GMT+ntCoent-Length: 1118 Content-Encoding: gzip-Content-Length: 306+Content-Length: 333

By far the most likely problem there is the missing Origin: header.  Looks like we'll need a patch to stick that back in...

comment:3 Changed 6 years ago by pde

Urgh, trying to format the diff again:

--- a	2011-11-14 23:31:32.395957451 -0800
+++ b	2011-11-14 23:31:49.707957286 -0800
@@ -1,4 +1,4 @@
-https://msdn.microsoft.com/Platform/Controls/BPDownloadsList/TableofContents.asmx/GetProductFamiliesByProductGroupID
+http://msdn.microsoft.com/Platform/Controls/BPDownloadsList/TableofContents.asmx/GetProductFamiliesByProductGroupID
 
 POST /Platform/Controls/BPDownloadsList/TableofContents.asmx/GetProductFamiliesByProductGroupID HTTP/1.1
 Host: msdn.microsoft.com
@@ -9,14 +9,13 @@
 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
 X-Requested-With: XMLHttpRequest
 Content-Type: application/json; charset=utf-8
+Referer: http://msdn.microsoft.com/en-ca/subscriptions/downloads/default.aspx
 Content-Length: 89
 DNT: 1
-Referer: http://msdn.microsoft.com/en-ca/subscriptions/downloads/default.aspx
-Origin: http://msdn.microsoft.com
 Connection: keep-alive
 Pragma: no-cache
 Cache-Control: no-cache
-{"brandCode":"msdn","localeCode":"en-ca","productGroupID":35,"isMyProductsEnabled":false}
+{"brandCode":"msdn","localeCode":"en-ca","productGroupID":65,"isMyProductsEnabled":false}
 HTTP/1.1 200 OK
 Cache-Control: private, max-age=0
 Content-Type: application/json; charset=utf-8
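Review bot: the two request bodies at the end of this hunk differ (productGroupID 35 in a, 65 in b), so the captures are of two different menu clicks and the response sizes in the next hunk cannot be compared directly; recapture both sides clicking the same tab. The Referer line is only reordered (same value on the - and + lines), which leaves Origin: http://msdn.microsoft.com as the sole header difference, and it sits on the - side, the capture whose URL in the first hunk is https. Stating which of a and b is the broken session would make that reading unambiguous.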
@@ -24,7 +23,7 @@
 X-AspNet-Version: 4.0.30319
 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
 X-Powered-By: ASP.NET
-Date: Tue, 15 Nov 2011 07:29:56 GMT
-ntCoent-Length: 1140
+Date: Tue, 15 Nov 2011 07:30:40 GMT
+ntCoent-Length: 1118
 Content-Encoding: gzip
-Content-Length: 306
+Content-Length: 333
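Review bot: nothing in this response hunk separates a failing reply from a working one: only Date and the two length fields change, and the HTTP/1.1 200 OK status line is unchanged context in the previous hunk. Attaching the decoded (un-gzipped) response body from each capture would show whether the server answered differently. The ntCoent-Length header appears on both sides, so it is not a variable here.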

comment:4 Changed 5 years ago by mikeperry

Keywords: httpse-ruleset-bug added
Parent ID: #3190

Calling #7545 a dup of this bug.

Also, that Origin header is a CORS thing. We should test if our new API preserves it. Calling this a child of #3190 so we remember to test it.
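
One way to run the "is Origin preserved" check on two header captures, as an added example that is not part of the ticket or of HTTPS Everywhere: a line-based diff reports a reordered Referer as a removal plus an addition, so this compares the captures by header name instead. The sample captures are constructed from header lines quoted in this ticket; `parseHeaders` and `diffHeaders` are hypothetical names.

```javascript
// Added example: compare two captured requests by header name, not by line.
// Constructed sample data: header lines copied from the captures in this ticket.
const REQUEST_LINE =
  "POST /Platform/Controls/BPDownloadsList/TableofContents.asmx/GetProductFamiliesByProductGroupID HTTP/1.1";
const REFERER =
  "Referer: http://msdn.microsoft.com/en-ca/subscriptions/downloads/default.aspx";
const CAPTURE_A = [
  REQUEST_LINE, "Host: msdn.microsoft.com",
  "Content-Type: application/json; charset=utf-8",
  "Content-Length: 89", "DNT: 1",
  REFERER, "Origin: http://msdn.microsoft.com",
  "Connection: keep-alive",
].join("\r\n");
const CAPTURE_B = [
  REQUEST_LINE, "Host: msdn.microsoft.com",
  "Content-Type: application/json; charset=utf-8",
  REFERER, "Content-Length: 89", "DNT: 1",
  "Connection: keep-alive",
].join("\r\n");

// Parse a request head into a Map of lower-cased header name -> value.
// Header names are case-insensitive; a repeated header keeps its last value.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/).slice(1)) { // slice(1) skips the request line
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // not a "Name: value" line
    headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return headers;
}

// Report headers present on one side only, and headers whose value changed.
// Pure reordering (the Referer line in the ticket's diff) produces no entry.
function diffHeaders(rawA, rawB) {
  const a = parseHeaders(rawA);
  const b = parseHeaders(rawB);
  const result = { onlyInA: [], onlyInB: [], changed: [] };
  for (const [name, value] of a) {
    if (!b.has(name)) result.onlyInA.push(name);
    else if (b.get(name) !== value) result.changed.push(name);
  }
  for (const name of b.keys()) {
    if (!a.has(name)) result.onlyInB.push(name);
  }
  return result;
}

console.log(diffHeaders(CAPTURE_A, CAPTURE_B));
```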

comment:5 Changed 5 years ago by pde

Parent ID: #3190

<pde> mikeperry: you threw a boomerang in https://trac.torproject.org/projects/tor/ticket/4278
<pde> it's come back; do you want to test it today?
<pde> I'm dying to close #3190
<mikeperry> ugh I am getting a "UI communication error" while clicking on the dropdown tabs from the msdn link in #4278 in a patched TBB :/
<mikeperry> not sure if that's the same bug as before or a new one
<pde> I'm not completely surprised

Changed 4 years ago by thomasjones

Attachment: TracFaq.txt added