Invalid ERR_UNSAFE_REDIRECT
Reported by sdorof...@distillery.com, Apr 28 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 OPR/52.0.2871.64

Steps to reproduce the problem:
I'm now fixing an SSO bug which appears on Chrome v.65-66. The case: we have a Chrome extension with SSO login implemented. The process is:
1. The Chrome extension performs a redirect (opens a new tab) to our site's SSO page. We pass the encoded email and finish url as query parameters;
2. The SSO page redirects to the SSO server and the user performs authorization there.
3. After the response is ready, the SSO server redirects back to our site with the corresponding token as a query parameter.
4. After the response is processed by our site, a redirect is performed to the Chrome extension and we're able to get the result of the auth process.

The problem: after step 3 (before step 4) Chrome blocks the redirect and shows the message:
This site can’t be reached
The webpage at <page> might be temporarily down or it may have moved permanently to a new web address.
ERR_UNSAFE_REDIRECT

The url of the <page> is correct and it works ok, but Chrome blocks the request to the url. On previous Chrome versions everything seems to work fine, but v. 65-66 breaks everything. How could it be fixed? Is there any idea?

What is the expected behavior? The redirect should be performed correctly.
What went wrong? The redirect is blocked by Chrome.
Did this work before? No
Does this work in other browsers? N/A
Chrome version: 65.0.3325.181 Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 29.0 r0
Comment 1 by krajshree@chromium.org, Apr 30 2018
Please collect and attach a chrome://net-export log. Instructions can be found here: https://sites.google.com/a/chromium.org/dev/for-testers/providing-network-details
May 3 2018
Please find a net-export log in the attachment.
May 3 2018
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 7 2018
Chrome Networking triager here. Thanks for providing more information! The netlog shows that the SSO server returns a redirect to chrome-extension://ioghfegaheoikeoanfehmnndejejkobl/html/app-dialog-sso-finish.html?_=1525326793138&result=/token/hBpXC40oDzU1WRghKuyt0rNPZ9sT9eRUASVhcdEbXt8EMs9FMga6KKqnMbU159Iv

According to https://cs.chromium.org/chromium/src/net/url_request/url_request_http_job.cc?l=1249 only "http" and "https" schemes are considered safe by default. Is it possible that chrome-extension:// is no longer considered a safe redirect target?

    t=11548 [st= 993] +HTTP_TRANSACTION_READ_HEADERS [dt=616]
    t=11548 [st= 993]    HTTP_STREAM_PARSER_READ_HEADERS [dt=616]
    t=12164 [st=1609]    HTTP_TRANSACTION_READ_RESPONSE_HEADERS
                         --> HTTP/1.1 302 Found
                             Cache-Control: private
                             Transfer-Encoding: chunked
                             Content-Type: text/html; charset=utf-8
                             Location: chrome-extension://ioghfegaheoikeoanfehmnndejejkobl/html/app-dialog-sso-finish.html?_=1525326793138&result=/token/hBpXC40oDzU1WRghKuyt0rNPZ9sT9eRUASVhcdEbXt8EMs9FMga6KKqnMbU159Iv
                             Server:
                             Set-Cookie: [75 bytes were stripped]
                             X-Frame-Options: SAMEORIGIN
                             Content-Security-Policy: frame-ancestors 'self'
                             X-Powered-By:
                             Date: Thu, 03 May 2018 05:53:19 GMT
                             Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                             X-XSS-Protection: 1; mode=block
                             X-Content-Type-Options: nosniff
    t=12164 [st=1609] -HTTP_TRANSACTION_READ_HEADERS
    t=12165 [st=1610]  HTTP_CACHE_WRITE_INFO [dt=0]
    t=12165 [st=1610]  HTTP_CACHE_WRITE_DATA [dt=0]
    t=12165 [st=1610]  HTTP_CACHE_WRITE_INFO [dt=0]
    t=12165 [st=1610]  URL_REQUEST_DELEGATE [dt=0]
    t=12165 [st=1610]  FAILED
                       --> net_error = -311 (ERR_UNSAFE_REDIRECT)
    t=12165 [st=1610] -URL_REQUEST_START_JOB
                       --> net_error = -311 (ERR_UNSAFE_REDIRECT)
    t=12166 [st=1611]  URL_REQUEST_DELEGATE [dt=0]
    t=12166 [st=1611] -REQUEST_ALIVE
                       --> net_error = -311 (ERR_UNSAFE_REDIRECT)
May 9 2018
Punting to the extensions team - it's up to the registered job factory (For chrome-extension URLs) to determine if it's safe to redirect to URLs of that type.
May 11 2018
Unable to triage this issue from TE-End, hence adding TE-NeedsTriageHelp label for further triage
May 11 2018
Hey all, we've also seen this reported on the community forum and Stack Overflow, so adding the conops hotlist (even though it seems to be enterprise-focused).
- https://productforums.google.com/d/msg/chrome/NIlcl7hf6oo/YvRWzMJlCAAJ
- https://stackoverflow.com/questions/50074908/chrome-err-unsafe-redirect-on-sso#
Thanks!
May 11 2018
The Chrome Forum 5/11 (PST) post https://productforums.google.com/d/msg/chrome/NIlcl7hf6oo/YvRWzMJlCAAJ is a duplicate of this bug 837909 description, except for the Stack Overflow SSO ref. A similar problem with SharePoint sign-on intermediate redirects was posted in the Chrome Forum 5/10 yesterday: https://productforums.google.com/d/msg/chrome/NIlcl7hf6oo/A3dkM-6SAgAJ
May 23 2018
I believe it is affecting the Chromium shipped in Ubuntu 18.04 LTS, even with the '--disable-web-security' flag ...
Jul 12
Is there any update on this issue or any ETA for a fix? It seems the issue still persists with version 67...
Sep 20
+1. This is blocking my Chrome Extension getting the user signed in using Azure Active Directory because the redirect after sign-in is blocked.
Sep 21
I found out that I need to add the html page used in `redirectUri` to the `web_accessible_resources` array in my `manifest.json` file, as [documented here](https://developer.chrome.com/extensions/manifest/web_accessible_resources).
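An added example, not code from the bug thread or from the reporter's extension: a developer-side preflight check, in JavaScript, that the page an SSO server redirects to is actually listed in the manifest's `web_accessible_resources`, the fix the last comment describes. It assumes the Manifest V2 string-array form of that key (path globs), takes only the extension id and target path from the netlog above, and constructs the manifest and token value; it is not Chrome's own check.

```javascript
// Added example (not from the bug thread): verify that the redirect target an SSO
// server sends us to is exposed via web_accessible_resources before shipping.
// The manifest is constructed for illustration; the extension id and the page
// path are the ones that appear in the netlog in the thread, the token is a placeholder.

// Manifest V2 style: web_accessible_resources is an array of path globs.
const manifest = {
  manifest_version: 2,
  name: "constructed-sso-extension",
  version: "1.0.0",
  web_accessible_resources: [
    "html/app-dialog-sso-finish.html"
  ]
};

// Turn a manifest glob such as "html/*.html" into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")   // escape regex metacharacters
    .replace(/\*/g, ".*");                    // manifest wildcard
  return new RegExp("^" + escaped + "$");
}

// True when the Location header points into `extensionId` and its path (query
// string and fragment ignored) matches an entry in web_accessible_resources.
function isRedirectTargetAccessible(manifest, extensionId, locationHeader) {
  let url;
  try {
    url = new URL(locationHeader);
  } catch (e) {
    return false;                              // unparseable Location header
  }
  if (url.protocol !== "chrome-extension:" || url.hostname !== extensionId) {
    return false;                              // not a redirect into this extension
  }
  const path = url.pathname.replace(/^\//, ""); // manifest entries carry no leading slash
  const patterns = manifest.web_accessible_resources || [];
  return patterns.some((glob) => globToRegExp(glob).test(path));
}

// Extension id and page path from the thread's netlog; token value is constructed.
const EXT_ID = "ioghfegaheoikeoanfehmnndejejkobl";
const LOCATION = "chrome-extension://" + EXT_ID +
  "/html/app-dialog-sso-finish.html?_=1525326793138&result=/token/PLACEHOLDER";

console.log(isRedirectTargetAccessible(manifest, EXT_ID, LOCATION)); // true
```

Run it against the real manifest and the Location value from a net-export log; a `false` result means the page is not reachable by navigation and the redirect is the one to expect to fail.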