Bug#574635: xulrunner: cannot connect through a Bluecoat proxy with REDIRECT authentication

Josselin Mouette joss at debian.org
Wed Mar 24 11:40:18 UTC 2010


forwarded 574635 https://bugzilla.mozilla.org/show_bug.cgi?id=554612
thanks

Le mercredi 24 mars 2010 à 09:11 +0100, Mike Hommey a écrit :
> I think the sensible way to avoid this problem altogether is to setup
> your proxy configuration to not send requests to stupid.proxy and
> probably authentication.gateway through the proxy, either with a
> proxy.pac or with the No Proxy for box in the proxy preferences dialog.

I just did more testing today, and the behavior is not the same in all
cases. Especially, it will often answer to the first CONNECT request to
a specific site with a 403 forbidden page, and will only use 302 for
subsequent calls. The JS code on the 403 page gathers the full URI,
which is, well, actually exploiting the vulnerability since this
information should only be transmitted over SSL.

> Anyways, could you forward this upstream and report the bug number back?

Done.

Cheers,
-- 
 .''`.      Josselin Mouette
: :' :
`. `'   “A handshake with whitnesses is the same
  `-     as a signed contact.”  -- Jörg Schilling






More information about the pkg-mozilla-maintainers mailing list