On Tue, Mar 23, 2010 at 04:07:06PM +0100, Josselin Mouette wrote:
> On Friday 19 March 2010 at 17:36 +0100, Mike Hommey wrote:
> > On Fri, Mar 19, 2010 at 04:11:49PM +0100, Josselin Mouette wrote:
> > > This happens since the fix for the following bug:
> > > https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2009-1836
> > >
> > > As comment #75 of said bug explains, it breaks the behavior of some
> > > (arguably broken) proxies. When you issue a CONNECT command, they will
> > > reply with a REDIRECT to a page that does the authentication.
>
> Actually a new analysis shows this is more complicated than that.
>
> So this is what happens when you request https://blah.blah/
> 1) The browser issues CONNECT blah.blah
> 2) The proxy replies 302 found with a redirect to
> https://stupid.proxy/blah.blah
> 3) The browser issues CONNECT stupid.proxy
> 4) The proxy replies 401 authorization required with some Javascript
> code that does a redirect to https://authentication.gateway/blah.blah
>
> Then, the JS code used to be executed. Now it is not and you only get a
> boilerplate page.

I think the sensible way to avoid this problem altogether is to set up your
proxy configuration to not send requests to stupid.proxy and probably
authentication.gateway through the proxy, either with a proxy.pac or with the
No Proxy for box in the proxy preferences dialog.

Anyways, could you forward this upstream and report the bug number back?

Cheers

Mike
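
The proxy.pac option suggested in the reply above, as an added example that is not part of the original mail. The host names are the placeholders used in the thread; the upstream proxy address and the choice to also bypass subdomains are assumptions.

```javascript
// Added example PAC file (not from the original thread).
// UPSTREAM is an assumed proxy address; replace it with the real one.
var UPSTREAM = "PROXY proxy.example:3128";

// Hosts that must be reached without going through the proxy
// (placeholder names taken from the mail).
var DIRECT_HOSTS = ["stupid.proxy", "authentication.gateway"];

// Lower-case the host and drop a trailing dot so "Stupid.Proxy." still matches.
function normalizeHost(host) {
  return String(host || "").toLowerCase().replace(/\.$/, "");
}

// Match the exact host or a true subdomain (assumption: subdomains are
// bypassed too). The leading "." in the suffix test keeps look-alike
// names such as "notstupid.proxy" on the proxied path.
function isDirectHost(host) {
  var h = normalizeHost(host);
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    var d = DIRECT_HOSTS[i];
    if (h === d || h.slice(-(d.length + 1)) === "." + d) {
      return true;
    }
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isDirectHost(host)) {
    return "DIRECT";
  }
  return UPSTREAM;
}
```

Matching on a dot boundary rather than a bare string suffix matters here: a plain "ends with stupid.proxy" test would also send unrelated look-alike hosts direct, outside whatever filtering the proxy applies.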