Website not working with firefox on multiple computers
I have a website (https://discinsights.com) It works on other browsers but not in firefox. I cannot figure out why.
It is crashing somewhere in the SSL/TLS process. In the network tab of the developer tools I can see the request and it stops during the TLS Setup phase, but it gets the SSL Cert.
I am running the site with Nginx 1.13.3 Openssl 1.1.0f and certs signed by Lets Encrypt. At first I thought it was an OCSP must staple issue, I re-issued the certs without must-staple, and then disabled the stapling in nginx and it still won't load.
It stops at blank page. Whatever was there before is still the dominant page and reload clears out the url and loads the old page.
This happens on v49 (windows), v56.0 (32-bit) on windows 10, and v56.0.1 on OSX High Sierra.
The site is a Magento v2.1.8 store, but i doubt that is the issue since its not even getting to that point in the loading process.
The webserver is reporting a 200 status in the log. 173.239.230.43 - - [25/Oct/2017:09:05:58 -0400] "GET / HTTP/2.0" 200 20120 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0" "-" 24.154.8.253 - - [25/Oct/2017:09:08:00 -0400] "GET / HTTP/2.0" 200 20120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0" "-"
I am at a complete loss here as to why it is not working. Any help would be appreciated!
The odd thing is I have another web site (https://free.peoplekeys.com) on a separate server, set up the same way (differences: php v7.1 and nginx 1.13.2 instead of php v7.0 and nginx 1.13.3) and it works fine in firefox. . Also from lets encrypt. On that one OCSP must staple and nginx stapling is enabled, no problems.
Chosen solution
Well that lead me to the issue and fix for sure!.
I noticed it got as far as processing the response headers in the logging (but didnt display them in the inspector tools). So i suspected the issue was there.
I saw this right after my CSP header was processed, and i suspected it was with my CSP headers. [Socket Thread]: I/nsHttp Http2Stream::ConvertResponseHeaders 0x12978f360 decode Error
I removed them from my config and sure enough it worked.
My CSP was multi-line, I removed the line breaks and added it back to my config and it worked.
So firefox will not correctly handle or fail gracefully on a multi-line CSP.
Broken:
add_header Content-Security-Policy "
default-src 'self' *.google.com *.youtube.com *.facebook.com *.fonts.google.com *.fonts.googleapis.com *.google-analytics.com *.googleapis.com cdnjs.cloudflare.com code.jquery.com connect.facebook.net *.imgur.com *.500px.com www.reddit.com www.flickr.com c1.staticflickr.com maxcdn.bootstrapcdn.com code.ionicframework.com cdn.fontawesome.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.discinsights.com *.google-analytics.com ajax.googleapis.com *.facebook.net *.facebook.com *.addthis.com *.zoho.com *.zohostatic.com *.addthisedge.com *.braintreegateway.com www.vimeo.com vimeo.com *.vimeocdn.com;
style-src 'self' 'unsafe-inline' *.discinsights.com *.googleapis.com *.zoho.com *.zohostatic.com *.zohopublic.com;
img-src 'self' *.discinsights.com *.google-analytics.com *.facebook.com *.doubleclick.net *.google.com *.paypalobjects.com *.vimeocdn.com data:;
connect-src 'self' *.discinsights.com *.facebook.com *.zoho.com *.zohopublic.com *.addthis.com wss://vts.zohopublic.com;
font-src 'self' *.discinsights.com themes.googleusercontent.com fonts.gstatic.com *.zohostatic.com data:;
object-src 'none';
media-src 'self';
form-action 'self' *.discinsights.com *.facebook.com *.zoho.com;
frame-src *.discinsights.com *.expedia.com *.facebook.com *.zendesk.com *.addthis.com *.braintreegateway.com *.vimeo.com http://*.vimeo.com;
frame-ancestors *.discinsights.com theholyspirit.com *.peoplekeys.com studentkeys.com;
report-uri https://peoplekeys.report-uri.io/r/default/csp/enforce;
" always;
Works:
add_header Content-Security-Policy "default-src 'self' *.google.com *.youtube.com *.facebook.com *.fonts.google.com *.fonts.googleapis.com *.google-analytics.com *.googleapis.com cdnjs.cloudflare.com code.jquery.com connect.facebook.net *.imgur.com *.500px.com www.reddit.com www.flickr.com c1.staticflickr.com maxcdn.bootstrapcdn.com code.ionicframework.com cdn.fontawesome.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.discinsights.com *.google-analytics.com ajax.googleapis.com *.facebook.net *.facebook.com *.addthis.com *.zoho.com *.zohostatic.com *.addthisedge.com *.braintreegateway.com www.vimeo.com vimeo.com *.vimeocdn.com; style-src 'self' 'unsafe-inline' *.discinsights.com *.googleapis.com *.zoho.com *.zohostatic.com *.zohopublic.com; img-src 'self' *.discinsights.com *.google-analytics.com *.facebook.com *.doubleclick.net *.google.com *.paypalobjects.com *.vimeocdn.com data:; connect-src 'self' *.discinsights.com *.facebook.com *.zoho.com *.zohopublic.com *.addthis.com wss://vts.zohopublic.com; font-src 'self' *.discinsights.com themes.googleusercontent.com fonts.gstatic.com *.zohostatic.com data:; object-src 'none'; media-src 'self'; form-action 'self' *.discinsights.com *.facebook.com *.zoho.com; frame-src *.discinsights.com *.expedia.com *.facebook.com *.zendesk.com *.addthis.com *.braintreegateway.com *.vimeo.com http://*.vimeo.com; frame-ancestors *.discinsights.com theholyspirit.com *.peoplekeys.com studentkeys.com; report-uri https://peoplekeys.report-uri.io/r/default/csp/enforce;" always;
The other browsers parse this correctly. I wonder if this is a bug I should file. I mean at least it should fail gracefully.
Read this answer in context 👍 0All Replies (5)
I don't see any explanation for it in Firefox. You could try some HTTP Logging to see whether you notice a difference between the two sites. The output is very verbose...
https://developer.mozilla.org/docs/Mozilla/Debugging/HTTP_logging
I just updated both servers. They are now both running
nginx 1.13.6 Openssl 1.1.0f
reissued the certs and turned off must staple on both.
I will see if I can gleam anything from that HTTP_logging link.
Chosen Solution
Well that lead me to the issue and fix for sure!.
I noticed it got as far as processing the response headers in the logging (but didnt display them in the inspector tools). So i suspected the issue was there.
I saw this right after my CSP header was processed, and i suspected it was with my CSP headers. [Socket Thread]: I/nsHttp Http2Stream::ConvertResponseHeaders 0x12978f360 decode Error
I removed them from my config and sure enough it worked.
My CSP was multi-line, I removed the line breaks and added it back to my config and it worked.
So firefox will not correctly handle or fail gracefully on a multi-line CSP.
Broken:
add_header Content-Security-Policy "
default-src 'self' *.google.com *.youtube.com *.facebook.com *.fonts.google.com *.fonts.googleapis.com *.google-analytics.com *.googleapis.com cdnjs.cloudflare.com code.jquery.com connect.facebook.net *.imgur.com *.500px.com www.reddit.com www.flickr.com c1.staticflickr.com maxcdn.bootstrapcdn.com code.ionicframework.com cdn.fontawesome.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval' *.discinsights.com *.google-analytics.com ajax.googleapis.com *.facebook.net *.facebook.com *.addthis.com *.zoho.com *.zohostatic.com *.addthisedge.com *.braintreegateway.com www.vimeo.com vimeo.com *.vimeocdn.com;
style-src 'self' 'unsafe-inline' *.discinsights.com *.googleapis.com *.zoho.com *.zohostatic.com *.zohopublic.com;
img-src 'self' *.discinsights.com *.google-analytics.com *.facebook.com *.doubleclick.net *.google.com *.paypalobjects.com *.vimeocdn.com data:;
connect-src 'self' *.discinsights.com *.facebook.com *.zoho.com *.zohopublic.com *.addthis.com wss://vts.zohopublic.com;
font-src 'self' *.discinsights.com themes.googleusercontent.com fonts.gstatic.com *.zohostatic.com data:;
object-src 'none';
media-src 'self';
form-action 'self' *.discinsights.com *.facebook.com *.zoho.com;
frame-src *.discinsights.com *.expedia.com *.facebook.com *.zendesk.com *.addthis.com *.braintreegateway.com *.vimeo.com http://*.vimeo.com;
frame-ancestors *.discinsights.com theholyspirit.com *.peoplekeys.com studentkeys.com;
report-uri https://peoplekeys.report-uri.io/r/default/csp/enforce;
" always;
Works:
add_header Content-Security-Policy "default-src 'self' *.google.com *.youtube.com *.facebook.com *.fonts.google.com *.fonts.googleapis.com *.google-analytics.com *.googleapis.com cdnjs.cloudflare.com code.jquery.com connect.facebook.net *.imgur.com *.500px.com www.reddit.com www.flickr.com c1.staticflickr.com maxcdn.bootstrapcdn.com code.ionicframework.com cdn.fontawesome.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.discinsights.com *.google-analytics.com ajax.googleapis.com *.facebook.net *.facebook.com *.addthis.com *.zoho.com *.zohostatic.com *.addthisedge.com *.braintreegateway.com www.vimeo.com vimeo.com *.vimeocdn.com; style-src 'self' 'unsafe-inline' *.discinsights.com *.googleapis.com *.zoho.com *.zohostatic.com *.zohopublic.com; img-src 'self' *.discinsights.com *.google-analytics.com *.facebook.com *.doubleclick.net *.google.com *.paypalobjects.com *.vimeocdn.com data:; connect-src 'self' *.discinsights.com *.facebook.com *.zoho.com *.zohopublic.com *.addthis.com wss://vts.zohopublic.com; font-src 'self' *.discinsights.com themes.googleusercontent.com fonts.gstatic.com *.zohostatic.com data:; object-src 'none'; media-src 'self'; form-action 'self' *.discinsights.com *.facebook.com *.zoho.com; frame-src *.discinsights.com *.expedia.com *.facebook.com *.zendesk.com *.addthis.com *.braintreegateway.com *.vimeo.com http://*.vimeo.com; frame-ancestors *.discinsights.com theholyspirit.com *.peoplekeys.com studentkeys.com; report-uri https://peoplekeys.report-uri.io/r/default/csp/enforce;" always;
The other browsers parse this correctly. I wonder if this is a bug I should file. I mean at least it should fail gracefully.
Yes, please file a bug. You may find when you start entering it that it's a duplicate, so you could search first (although that's often hit-or-miss).
Bug 1411659 - Issue parsing CSP header