X
Tap here to go to the mobile version of the site.

Support Forum

Recent firefox upgrade gieves me an authorization error on my framed site.

Posted

Recent Firefox upgrade (40.0.2) gives me an authorization error on my framed site.

I have a site http://calendar.shaw-weil.com/ which is nothing but a frame. See below

When I click a date number I now get Authorization Required You need a userid and password for accessing this calendar

I use to, and if I go to http://128.2.204.57:5555/default and click a date i get a web authorization pop-up saying A username and password are being requested by http://128.2.204.57:5555. The site says: "iCal Login"

What changed? and is there an option to disable it?

Thanks in advance for your time Roy


<title>Mary and Roys Calendar</title> <meta content="" name="keywords"> <meta content="" name="description"> <meta content="text/html; charset=UTF-8" http-equiv="content-type"> <noframes> <body>

Mary and Roys Calendar

http://calendar.shaw-weil.com/

</body> </noframes>

Recent Firefox upgrade (40.0.2) gives me an authorization error on my framed site. I have a site http://calendar.shaw-weil.com/ which is nothing but a frame. See below When I click a date number I now get Authorization Required You need a userid and password for accessing this calendar I use to, and if I go to http://128.2.204.57:5555/default and click a date i get a web authorization pop-up saying A username and password are being requested by http://128.2.204.57:5555. The site says: "iCal Login" What changed? and is there an option to disable it? Thanks in advance for your time Roy <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd"> <html> <head> <title>Mary and Roys Calendar</title> <meta name="keywords" content="" /> <meta name="description" content="" /> <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> </head> <frameset rows="100%"> <frame src="http://128.2.204.57:5555/default" title="Mary and Roys Calendar" frameborder="0" noresize="noresize"/> <noframes> <body> <h1>Mary and Roys Calendar</h1> <p><a href="http://128.2.204.57:5555/default">http://calendar.shaw-weil.com/</a></p> </body> </noframes> </frameset> </html>

Chosen solution

There is a way to undo this change in your Firefox if you like. As long as you are suspicious of this prompt appearing on other sites than your own.

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste auth and pause while the list is filtered

(3) Double-click the network.auth.allow-subresource-auth preference and edit the 1 to a 2 and click OK

  • 1 shows the login dialog only for framed pages, images, etc., hosted on the same site
  • 2 allows the login dialog for framed pages, images, etc., hosted on any site

When I test the change, it worked. I still think it's bad that it's not a secure connection.

Read this answer in context 2

Additional System Details

Installed Plug-ins

  • ActiveTouch General Plugin Container Version 105
  • Adobe PDF Plug-In For Firefox and Netscape 11.0.10
  • Adobe PDF Plug-In For Firefox and Netscape "9.5.5"
  • A plugin to detect whether the Adobe Application Manager is installed on this machine.
  • A plugin to detect whether the Adobe Extension Manager is installed on this machine.
  • GEPlugin
  • Google Update
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Next Generation Java Plug-in 10.71.2 for Mozilla browsers
  • Office Authorization plug-in for NPAPI browsers
  • The plug-in allows you to open and edit files using Microsoft Office applications
  • DRM Store Netscape Plugin
  • DRM Netscape Network Object
  • Photosynth 2.110.317.1042
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • Shockwave Flash 18.0 r0
  • 5.1.30514.0
  • VLC media player Web Plugin
  • Npdsplay dll
  • Windows Presentation Foundation (WPF) plug-in for Mozilla browsers
  • iTunes Detector Plug-in

Application

  • Firefox 40.0.2
  • User Agent: Mozilla/5.0 (Windows NT 5.1; rv:40.0) Gecko/20100101 Firefox/40.0
  • Support URL: https://support.mozilla.org/1/firefox/40.0.2/WINNT/en-US/

Extensions

  • Clear Cache 2.0.1.1-signed (clearcache@michel.de.almeida)
  • Come back "Block image from ad.sites" 0.7 (come.back.block.image.from@cat-in-136.blogspot.com)
  • iMacros for Firefox 8.9.2.1-signed ({81BF1D23-5F17-408D-AC6B-BD6DF7CAF670})
  • Mass Password Reset 1.05.1-signed (masspasswordreset@johnathan.nightingale)
  • Adblock Plus 2.6.10 ({d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}) (Inactive)
  • Adobe Contribute Toolbar 6.0 ({01A8CA0A-4C96-465b-A49B-65C46FAD54F9}) (Inactive)
  • Microsoft .NET Framework Assistant 0.0.0 ({20a82645-c095-46ed-80e3-08825760534b}) (Inactive)
  • Webroot Filtering Extension 1.1.0.59 (webrootsecure@webroot.com) (Inactive)

Javascript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription: NVIDIA GeForce 6800
  • adapterDescription2:
  • adapterDeviceID: 0x00c1
  • adapterDeviceID2:
  • adapterDrivers: nv4_disp
  • adapterDrivers2:
  • adapterRAM: Unknown
  • adapterRAM2:
  • adapterSubsysID: 024510de
  • adapterSubsysID2:
  • adapterVendorID: 0x10de
  • adapterVendorID2:
  • direct2DEnabled: False
  • direct2DEnabledMessage: [u'']
  • directWriteEnabled: False
  • directWriteVersion: 0.0.0.0
  • driverDate: 1-31-2013
  • driverDate2:
  • driverVersion: 6.14.13.783
  • driverVersion2:
  • info: {u'AzureCanvasBackend': u'skia', u'AzureFallbackCanvasBackend': u'cairo', u'AzureContentBackend': u'cairo', u'AzureSkiaAccelerated': 0}
  • isGPU2Active: False
  • numAcceleratedWindows: 3
  • numTotalWindows: 3
  • supportsHardwareH264: False
  • webglRenderer: Google Inc. -- ANGLE (NVIDIA GeForce 6800 Direct3D9 vs_3_0 ps_3_0)
  • windowLayerManagerRemote: True
  • windowLayerManagerType: Direct3D 9

Modified Preferences

Misc

  • User JS: No
  • Accessibility: Yes
jscher2000
  • Top 10 Contributor
8688 solutions 71030 answers

I'm not seeing the problem on Windows 7. Here's what I suggest:

(1) In case this is a problem with cached files, clear Firefox's cache. See: How to clear the Firefox cache. If you have a large hard drive, this might take a couple minutes to complete.

Then reload the site (Ctrl+r). Any improvement?

(2) In case this is a problem with a corrupted cookie, clear cookies for both the "outer" site and the "inner site". The easiest way is to load each in turn and use the Page Info dialog to get to the cookie list. Either:

  • right-click and choose View Page Info > Security > "View Cookies"
  • (menu bar) Tools > Page Info > Security > "View Cookies"
  • click the padlock or globe icon in the address bar > More Information > "View Cookies"

In the dialog that opens, you can remove the site's cookies individually.

Then repeat with the second site, and reload. Success?

If that doesn't help, we can check issues such as:

  • are cookies blocked?
  • is the referring site information blocked?
  • is this a sign from the universe that you should take a little time off?
I'm not seeing the problem on Windows 7. Here's what I suggest: (1) In case this is a problem with cached files, clear Firefox's cache. See: [[How to clear the Firefox cache]]. If you have a large hard drive, this might take a couple minutes to complete. Then reload the site (Ctrl+r). Any improvement? (2) In case this is a problem with a corrupted cookie, clear cookies for both the "outer" site and the "inner site". The easiest way is to load each in turn and use the Page Info dialog to get to the cookie list. Either: * right-click and choose View Page Info > Security > "View Cookies" * (menu bar) Tools > Page Info > Security > "View Cookies" * click the padlock or globe icon in the address bar > More Information > "View Cookies" In the dialog that opens, you can remove the site's cookies individually. Then repeat with the second site, and reload. Success? If that doesn't help, we can check issues such as: * are cookies blocked? * is the referring site information blocked? * is this a sign from the universe that you should take a little time off?

Question owner

Cleared cache, cleared cookies both sites. cleared saved passwords.

No Joy

The same started happening on a Windows 7 machines as well. i.e it just started happening, and the only known upgrade was to Firefox

Further note. If I go to the 128... site and log in, then I can go to the Calendar site and get in with no further authorization.

so the answers to sub questions 1 and 2 is nothing is blocked. the answer to sub question 3 is dont I wish

Roy

Cleared cache, cleared cookies both sites. cleared saved passwords. No Joy The same started happening on a Windows 7 machines as well. i.e it just started happening, and the only known upgrade was to Firefox Further note. If I go to the 128... site and log in, then I can go to the Calendar site and get in with no further authorization. so the answers to sub questions 1 and 2 is nothing is blocked. the answer to sub question 3 is dont I wish Roy
jscher2000
  • Top 10 Contributor
8688 solutions 71030 answers

Hi Roy, does it make any difference if you use a private window? Assuming you are in a regular session now, the private window should look like a different user to the site. To load that, you can right-click the link in your original question and use Open Link in New Private Window, or use Ctrl+Shift+p to launch the window and then go to the calendar as you usually do.

Hi Roy, does it make any difference if you use a private window? Assuming you are in a regular session now, the private window should look like a different user to the site. To load that, you can right-click the link in your original question and use Open Link in New Private Window, or use Ctrl+Shift+p to launch the window and then go to the calendar as you usually do.
jscher2000
  • Top 10 Contributor
8688 solutions 71030 answers

I'm sorry, I did not test correctly before, I clicked an appointment link, not a date link. When I click a date link, I get the same message.

I'm sorry, I did not test correctly before, I clicked an appointment link, not a date link. When I click a date link, I get the same message.
jscher2000
  • Top 10 Contributor
8688 solutions 71030 answers

When I click a date link, it calls an edit command, so naturally that is subject to authentication. So we return to the question is why it worked in earlier versions of Firefox and not in Firefox 40?

I can understand why Firefox does not pop up the two line login dialog for a framed page, to avoid deception by embedded frames designed to capture your credentials for a different site. Was that a change in Firefox 40, or is the change that iCal isn't remembering that you are logged in?

By the way, I would not enter your password in the dialog from http://128.2.204.57:5555/default because it is not a secure connection. Someone with access to your request anywhere along the network between you and iCal could learn your password that way.

Hopefully there's another way to make this work.

When I click a date link, it calls an edit command, so naturally that is subject to authentication. So we return to the question is why it worked in earlier versions of Firefox and not in Firefox 40? I can understand why Firefox does not pop up the two line login dialog for a framed page, to avoid deception by embedded frames designed to capture your credentials for a different site. Was that a change in Firefox 40, or is the change that iCal isn't remembering that you are logged in? By the way, I would not enter your password in the dialog from http://128.2.204.57:5555/default because it is not a secure connection. Someone with access to your request anywhere along the network between you and iCal could learn your password that way. Hopefully there's another way to make this work.

Question owner

Ical appears to be remembering that I log in, because

If I go to the 128... site and log in, then I can go back to the Calendar... site and do the edits with no further authorization.

New Private Window is also No Joy.

Is there a change log someplace for Firefox?

Also unfortunately ical is an executable acting as a web server which is why the :5555. So no help there looking at the internals.

Roy

Ical appears to be remembering that I log in, because If I go to the 128... site and log in, then I can go back to the Calendar... site and do the edits with no further authorization. New Private Window is also No Joy. Is there a change log someplace for Firefox? Also unfortunately ical is an executable acting as a web server which is why the :5555. So no help there looking at the internals. Roy
jscher2000
  • Top 10 Contributor
8688 solutions 71030 answers

rweil said

Is there a change log someplace for Firefox?

Sort of. On the Release Notes page you'll see a link to a complete list of changes in the release. This queries the bug tracking system for the hundreds of different issues addressed: https://www.mozilla.org/firefox/40.0.2/releasenotes/

''rweil [[#answer-769398|said]]'' <blockquote> Is there a change log someplace for Firefox? </blockquote> Sort of. On the Release Notes page you'll see a link to a complete list of changes in the release. This queries the bug tracking system for the hundreds of different issues addressed: https://www.mozilla.org/firefox/40.0.2/releasenotes/
jscher2000
  • Top 10 Contributor
8688 solutions 71030 answers

Looks like it is a change to stop showing the login dialog for framed pages:

"Users can be fooled into typing their credentials into HTTP authentication dialogs from other (potentially attacker-controlled) web sites if an attacker can inject content protected by HTTP auth into a legitimate site. Sub-document resources like images, scripts, iframes, etc. should not be able to cause this dialog, possibly in any case, but certainly in cases where the resource is in a different origin."

Source: Bug #647010 – Only present HTTP authentication dialogs if it is the top-level document initiating the auth.

A lot of angry/frustrated comments at the end, but really the solution would be to file a new bug proposing a better user interface for the authentication request.

Looks like it is a change to stop showing the login dialog for framed pages: "Users can be fooled into typing their credentials into HTTP authentication dialogs from other (potentially attacker-controlled) web sites if an attacker can inject content protected by HTTP auth into a legitimate site. Sub-document resources like images, scripts, iframes, etc. should not be able to cause this dialog, possibly in any case, but certainly in cases where the resource is in a different origin." Source: [https://bugzilla.mozilla.org/show_bug.cgi?id=647010 Bug #647010 – Only present HTTP authentication dialogs if it is the top-level document initiating the auth]. A lot of angry/frustrated comments at the end, but really the solution would be to file a new bug proposing a better user interface for the authentication request.
jscher2000
  • Top 10 Contributor
8688 solutions 71030 answers

Chosen Solution

There is a way to undo this change in your Firefox if you like. As long as you are suspicious of this prompt appearing on other sites than your own.

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste auth and pause while the list is filtered

(3) Double-click the network.auth.allow-subresource-auth preference and edit the 1 to a 2 and click OK

  • 1 shows the login dialog only for framed pages, images, etc., hosted on the same site
  • 2 allows the login dialog for framed pages, images, etc., hosted on any site

When I test the change, it worked. I still think it's bad that it's not a secure connection.

There is a way to undo this change in your Firefox if you like. As long as you are suspicious of this prompt appearing on other sites than your own. (1) In a new tab, type or paste '''about:config''' in the address bar and press Enter/Return. Click the button promising to be careful. (2) In the search box above the list, type or paste '''auth''' and pause while the list is filtered (3) Double-click the '''network.auth.allow-subresource-auth''' preference and edit the 1 to a 2 and click OK * 1 shows the login dialog only for framed pages, images, etc., ''hosted on '''the same site''''' * 2 allows the login dialog for framed pages, images, etc., ''hosted on '''any site''''' When I test the change, it worked. ''I still think it's bad that it's not a secure connection.''

Question owner

Thanks for the prompt replies. doing the about:config ... workaround worked for me.

I have submitted a request to ICal for a fix. both to this problem and to https:

Thanks for the prompt replies. doing the about:config ... workaround worked for me. I have submitted a request to ICal for a fix. both to this problem and to https: