Chrome intermittently unable to download PAC file, must be reset to default settings to resolve.
Reported by
grobinso...@googlemail.com,
Dec 14 2017
|
|||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36 Example URL: n/a Steps to reproduce the problem: 1. Configure Chrome via AD group policy to use a PAC file to access internet via Bluecoat proxy servers 2. Users occasionally experience failure to connect to internet in Chrome but other browsers on the same PC still work fine. 3. What is the expected behavior? chrome is able to download pac file and browse the internet What went wrong? We use a PAC file distributed through Active Directory to tell our browsers to use our proxy servers. Our firewall is configured to block any direct connections to the internet from users PC's, so browsers must use a proxy server to access the internet. This generally works fine, however we get occasional reports of Chrome displaying error “This site can’t be reached, the site took too long to respond, ERR_CONNECTION_TIMED_OUT ” When this problem is occuring if you try to manually download our PAC file in Chrome from that PC it will fail to download [no error, it just times out], however the PC can still manually download the PAC file in IE, and other PC’s running Chrome are still able to download the PAC file manually, so the problem is local to the Chrome browser on that specific PC. The only solution we have found is to reset Chrome to default settings and restart the browser, after which it works fine again. Some users experience this problem only once, others keep getting the same problem repeatedly over a period of weeks. Did this work before? N/A Chrome version: 63.0.3239.84 Channel: stable OS Version: 7 Flash Version: 28.0.0.126 I raised this fault in issue 788171 , however this was closed before I was able to upload the requested net log file. I have now uploaded the requested file [please see attached]
,
Dec 14 2017
Ryan, any idea why a request for the PAC script from pac.mycompany.com would get HSTS redirected, and only some of the time?
,
Dec 14 2017
Perhaps related to Issue 794674? As to why it would get HSTS redirected in any scenario, the most likely explanation based on the behavior described is that a prior visit to "https://mycompany.com" resulted in a response with a Strict-Transport-Security header with an includeSubdomainsDirective. Please visit this URL: chrome://net-internals/#hsts and type pac.mycompany.com in the box under Query HSTS/PKP domain and run the query.
,
Dec 14 2017
Respecting HSTS on the domain serving the PAC script (At least for requests not using the SystemURLRequestContext) is also a side effect of the CL that caused issue 794674. Now that the NetworkService sets up proxy configuration, we could switch back to using a separate global in-memory URLRequestContext to make proxy requests, but I'm not convinced we should. We'd still probably need an API to configure it, so it's not using different settings than other URLRequestContexts, and it increases memory overhead.
,
Dec 14 2017
I can't see Issue 794674. The weird thing is the requests alternated getting HSTS redirected, i.e. one got redirected, then one did not get redirected, then one got redirected. I didn't see any HSTS headers going by in the interim.
,
Dec 14 2017
HSTS is per-URLRequestContext. If some URLRequestContexts have seen an HSTS header for the domain, and some have not, they'll see different behaviors. They won't see each other's PAC scripts, so requests on one should always hang (Until the HSTS entry times out), while requests to the other will all work (Unless HSTS is later set on the domain in that URLREquestContext, in which case, it will start failing, too).
,
Dec 16 2017
Thanks for the report! I agree with comments #3, and #4: (a) This is a behavior change from issue 715697 , which launched in (M60) (b) HSTS was probably previously set on https://mycompany.com/ with includeSubdomainsDirective (c) Ergo it is not incorrect for pac.mycompany.com to require HTTPS (and subsequently fail because it is being filtered). I am closing this as WontFix on the basis that the HSTS situation for that server needs to be fixed to not includeSubdomainsDirective (or use a different host for the PAC script). There shouldn't be an expectation that PAC requests use an isolated HSTS store. PAC is already catastrophically unspecified, and we have no end of hacks. For comparison, Chrome's treatment of HTTP cache, cookies, HTTP auth, certificate revocation checks, connection pooling, etc, are also basically arbitrary implementation choices when it comes to PAC.
,
Dec 18 2017
Could you confirm if Chrome attempts to download the PAC file every time it is opened? Or does it cache the PAC file for a set period of time? I have checked mycompany.com in chrome://net-internals/#hsts and it does indeed show mycompany.com as a dynamic STS domain with include_subdomains set to true. However I would have thought I could now recreate this fault on demand by visiting https://mycompany.com and then opening a new window, however I have not been able to do this, after visiting https://mycompany.com I can still use Chrome to browse the internet without this fault occuring.
,
Dec 18 2017
We always bypass the HTTP cache when fetching PAC scripts. We don't re-download the PAC script for every HTTP[S] request once Chrome is started, of course, since that would destroy performance, though we do periodically fetch it again. I'm not familiar with the HSTS code. It may be that we don't block network requests on loading HSTS information from disk (i.e., it may be possible that the network request is being sent before HSTS data is loaded).
,
Dec 27 2017
Go to chrome://net-internals/#proxy and click the "Re-apply settings" button. This will cause Chrome to re-fetch the PAC file, if you need to test things. The exact time when PAC is fetched, and when it is refreshed for changes, may otherwise appear arbitrary, as there are a complicated set of polices around it. |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by pauljensen@chromium.org
, Dec 14 2017