
Website not working with firefox on multiple computers

  • 5 replies
  • 2 have this problem
  • 1 view
  • Last reply by cor-el


I have a website (https://discinsights.com). It works on other browsers but not in Firefox. I cannot figure out why.

It is crashing somewhere in the SSL/TLS process. In the network tab of the developer tools I can see the request and it stops during the TLS Setup phase, but it gets the SSL Cert.

I am running the site with Nginx 1.13.3, OpenSSL 1.1.0f and certs signed by Let's Encrypt. At first I thought it was an OCSP must-staple issue; I re-issued the certs without must-staple, and then disabled the stapling in nginx, and it still won't load.

It stops at a blank page. Whatever was there before is still the dominant page, and reload clears out the URL and loads the old page.

This happens on v49 (windows), v56.0 (32-bit) on windows 10, and v56.0.1 on OSX High Sierra.

The site is a Magento v2.1.8 store, but I doubt that is the issue since it's not even getting to that point in the loading process.

The webserver is reporting a 200 status in the log.

   173.239.230.43 - - [25/Oct/2017:09:05:58 -0400] "GET / HTTP/2.0" 200 20120 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0" "-"
   24.154.8.253 - - [25/Oct/2017:09:08:00 -0400] "GET / HTTP/2.0" 200 20120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0" "-"

I am at a complete loss here as to why it is not working. Any help would be appreciated!

The odd thing is I have another web site (https://free.peoplekeys.com) on a separate server, set up the same way (differences: php v7.1 and nginx 1.13.2 instead of php v7.0 and nginx 1.13.3) and it works fine in Firefox. Also from Let's Encrypt. On that one OCSP must-staple and nginx stapling are enabled, no problems.


All Replies (5)


I don't see any explanation for it in Firefox. You could try some HTTP Logging to see whether you notice a difference between the two sites. The output is very verbose...

https://developer.mozilla.org/docs/Mozilla/Debugging/HTTP_logging


I just updated both servers. They are now both running

nginx 1.13.6 Openssl 1.1.0f

reissued the certs and turned off must staple on both.

I will see if I can glean anything from that HTTP_logging link.


Chosen solution

Well, that led me to the issue and fix for sure!

I noticed it got as far as processing the response headers in the logging (but didn't display them in the inspector tools). So I suspected the issue was there.

I saw this right after my CSP header was processed, and I suspected it was with my CSP headers.

   [Socket Thread]: I/nsHttp Http2Stream::ConvertResponseHeaders 0x12978f360 decode Error

I removed them from my config and sure enough it worked.

My CSP was multi-line; I removed the line breaks and added it back to my config and it worked.

So Firefox will not correctly handle or fail gracefully on a multi-line CSP.

Broken:

   add_header Content-Security-Policy "
       default-src 'self' *.google.com *.youtube.com *.facebook.com *.fonts.google.com *.fonts.googleapis.com *.google-analytics.com *.googleapis.com cdnjs.cloudflare.com code.jquery.com connect.facebook.net *.imgur.com *.500px.com www.reddit.com www.flickr.com c1.staticflickr.com maxcdn.bootstrapcdn.com code.ionicframework.com cdn.fontawesome.com;
       script-src 'self' 'unsafe-inline' 'unsafe-eval' *.discinsights.com *.google-analytics.com ajax.googleapis.com *.facebook.net *.facebook.com *.addthis.com *.zoho.com *.zohostatic.com *.addthisedge.com *.braintreegateway.com www.vimeo.com vimeo.com *.vimeocdn.com;
       style-src 'self' 'unsafe-inline' *.discinsights.com *.googleapis.com *.zoho.com *.zohostatic.com *.zohopublic.com;
       img-src 'self' *.discinsights.com *.google-analytics.com *.facebook.com *.doubleclick.net *.google.com *.paypalobjects.com *.vimeocdn.com data:;
       connect-src 'self' *.discinsights.com *.facebook.com *.zoho.com *.zohopublic.com *.addthis.com wss://vts.zohopublic.com;
       font-src 'self' *.discinsights.com themes.googleusercontent.com fonts.gstatic.com *.zohostatic.com data:;
       object-src 'none';
       media-src 'self';
       form-action 'self' *.discinsights.com *.facebook.com *.zoho.com;
       frame-src *.discinsights.com *.expedia.com *.facebook.com *.zendesk.com *.addthis.com *.braintreegateway.com *.vimeo.com http://*.vimeo.com;
       frame-ancestors *.discinsights.com theholyspirit.com *.peoplekeys.com studentkeys.com;
       report-uri https://peoplekeys.report-uri.io/r/default/csp/enforce;
   " always;

Works:

   add_header Content-Security-Policy "default-src 'self' *.google.com *.youtube.com *.facebook.com *.fonts.google.com *.fonts.googleapis.com *.google-analytics.com *.googleapis.com cdnjs.cloudflare.com code.jquery.com connect.facebook.net *.imgur.com *.500px.com www.reddit.com www.flickr.com c1.staticflickr.com maxcdn.bootstrapcdn.com code.ionicframework.com cdn.fontawesome.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.discinsights.com *.google-analytics.com ajax.googleapis.com *.facebook.net *.facebook.com *.addthis.com *.zoho.com *.zohostatic.com *.addthisedge.com *.braintreegateway.com www.vimeo.com vimeo.com *.vimeocdn.com; style-src 'self' 'unsafe-inline' *.discinsights.com *.googleapis.com *.zoho.com *.zohostatic.com *.zohopublic.com; img-src 'self' *.discinsights.com *.google-analytics.com *.facebook.com *.doubleclick.net *.google.com *.paypalobjects.com *.vimeocdn.com data:; connect-src 'self' *.discinsights.com *.facebook.com *.zoho.com *.zohopublic.com *.addthis.com wss://vts.zohopublic.com; font-src 'self' *.discinsights.com themes.googleusercontent.com fonts.gstatic.com *.zohostatic.com data:; object-src 'none'; media-src 'self'; form-action 'self' *.discinsights.com *.facebook.com *.zoho.com; frame-src *.discinsights.com *.expedia.com *.facebook.com *.zendesk.com *.addthis.com *.braintreegateway.com *.vimeo.com http://*.vimeo.com; frame-ancestors *.discinsights.com theholyspirit.com *.peoplekeys.com studentkeys.com; report-uri https://peoplekeys.report-uri.io/r/default/csp/enforce;" always;

The other browsers parse this correctly. I wonder if this is a bug I should file. I mean at least it should fail gracefully.
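
An added example (not from the original thread, nginx or Mozilla): a small Python lint that finds `add_header` directives whose quoted value spans lines, as in the Broken config above, and produces the single-line form. The sample config is constructed from a shortened version of the posted policy, and the function names are illustrative.

```python
import re

# Matches an add_header directive whose value is a double-quoted string,
# allowing the string to span lines (the failure mode described in the post).
ADD_HEADER = re.compile(
    r'add_header\s+(?P<name>[\w-]+)\s+"(?P<value>(?:[^"\\]|\\.)*)"(?P<rest>[^;]*);',
    re.DOTALL,
)

def find_multiline_headers(conf_text):
    """Return (line_number, header_name, single_line_value) for every
    add_header whose quoted value contains a CR or LF."""
    findings = []
    for m in ADD_HEADER.finditer(conf_text):
        value = m.group("value")
        if "\n" in value or "\r" in value:
            line_no = conf_text.count("\n", 0, m.start()) + 1
            # Collapse each run of whitespace (line breaks included) to one space.
            findings.append((line_no, m.group("name"), " ".join(value.split())))
    return findings

def fix_conf(conf_text):
    """Rewrite every quoted add_header value as a single line."""
    def repl(m):
        value = " ".join(m.group("value").split())
        return 'add_header %s "%s"%s;' % (m.group("name"), value, m.group("rest"))
    return ADD_HEADER.sub(repl, conf_text)

# Constructed sample: a shortened version of the policy from the post.
SAMPLE_CONF = '''server {
    listen 443 ssl http2;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Content-Security-Policy "
        default-src 'self' *.google.com;
        object-src 'none';
        report-uri https://peoplekeys.report-uri.io/r/default/csp/enforce;
    " always;
}
'''

if __name__ == "__main__":
    for line_no, name, value in find_multiline_headers(SAMPLE_CONF):
        print("line %d: %s contains line breaks" % (line_no, name))
        print('  suggested: add_header %s "%s" always;' % (name, value))
```

HTTP header field values may not contain raw CR or LF, while nginx accepts the multi-line quoted string as valid configuration, so a check like this is useful as a pre-deploy step alongside `nginx -t`.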


Yes, please file a bug. You may find when you start entering it that it's a duplicate, so you could search first (although that's often hit-or-miss).

https://bugzilla.mozilla.org/


Bug 1411659 - Issue parsing CSP header