Sites using kerberos fails to refresh

[thnilsen]

We've got some internal systems running on Apache that uses Kerberos against our AD. One of these system is Nagios.
When Noscript is enabled any site which users kerberos will at some point fail to finish loading - and Firefox will give show the "Transferring data from ....". So any page which auto refreshes will fail to do so once this issue occurs. It usually only takes about 3-5 reloads of one of these pages to generate this issue.

Do anyone know of a fix for this?

Regards,
Thomas

[barbaz]

When it fails, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)

[Guest]

Here is the log from console - all options enabled - but nothing that would help on this issue. Initial opening of the page was successful and the page is loaded in full. A refresh on the page produces the symptom. The content of the page is refreshed, but Firefox just fails to finish loading for whatwever reason. The browser console shows the same entires for both the successful load and the failed load.

reflow: 0.45ms
reflow: 0.36ms
reflow: 0.27ms
GET https://server01.domain.local/test/ [HTTP/1.1 401 Authorization Required 70ms]
reflow: 0.18ms function _calcMouseTargetRect, tabbrowser.xml line 5039
GET https://server01.domain.local/test/ [HTTP/1.1 200 OK 40ms]
reflow: 0.18ms
reflow: 1.29ms function _calcMouseTargetRect, tabbrowser.xml line 5039
reflow: 0.18ms
reflow: 0.18ms
GET https://server01.domain.local/test/index.php [HTTP/1.1 401 Authorization Required 50ms]
GET https://server01.domain.local/test/index.php [HTTP/1.1 401 Authorization Required 50ms]
GET https://server01.domain.local/test/index.php [HTTP/1.1 200 OK 30ms]
GET https://server01.domain.local/test/index.php [HTTP/1.1 200 OK 30ms]
reflow: 0.22ms
GET https://server01.domain.local/favicon.ico [HTTP/1.1 404 Not Found 50ms]
GET https://server01.domain.local/favicon.ico [HTTP/1.1 404 Not Found 70ms]
------------------------- First load was OK-------------------------
reflow: 0.18ms
reflow: 0.21ms
reflow: 0.52ms
reflow: 0.33ms
reflow: 0.3ms
GET https://server01.domain.local/test/ [HTTP/1.1 401 Authorization Required 70ms]
reflow: 0.16ms function _calcMouseTargetRect, tabbrowser.xml line 5039
GET https://server01.domain.local/test/ [HTTP/1.1 200 OK 30ms]
reflow: 0.07ms function _calcMouseTargetRect, tabbrowser.xml line 5039
reflow: 0.15ms
GET https://server01.domain.local/test/index.php [HTTP/1.1 401 Authorization Required 50ms]
GET https://server01.domain.local/test/index.php [HTTP/1.1 401 Authorization Required 50ms]
GET https://server01.domain.local/test/index.php [HTTP/1.1 200 OK 10ms]
GET https://server01.domain.local/test/index.php [HTTP/1.1 200 OK 10ms]
------------------------- Refreshing the pages causes a halt/stop-------------------------

[barbaz]

Do you have access to the server logs? and if so, is there anything that might be indicating the problem there?

[Thrawn]

Maybe a silly question, but are the affected sites script-allowed?

[Guest]

The entire domain is whitelisted in NoScript.

Logs from the server shows no errors. The two first sections shows a successful load, while the last one hangs. No difference on the server side.

192.168.9.1 - - [22/Sep/2014:10:10:01 +0200] "GET /test/ HTTP/1.1" 401 489
192.168.9.1 - user@DOMAIN.LOCAL[22/Sep/2014:10:10:02 +0200] "GET /test/ HTTP/1.1" 200 10

192.168.9.1 - - [22/Sep/2014:10:10:08 +0200] "GET /test/ HTTP/1.1" 401 489
192.168.9.1 - user@DOMAIN.LOCAL[22/Sep/2014:10:10:08 +0200] "GET /test/ HTTP/1.1" 200 10

192.168.9.1 - - [22/Sep/2014:10:10:11 +0200] "GET /test/ HTTP/1.1" 401 489
192.168.9.1 - user@DOMAIN.LOCAL[22/Sep/2014:10:10:11 +0200] "GET /test/ HTTP/1.1" 200 10

I believe the page is loaded but the browser does not complete whatever internal tasks it needs , hence the failure. I've tried to run a few session with the NSPR_LOG_MODULES variable set, but have not yet been able to find any modules that could help trace the issue.

[Giorgio Maone]

Please try to start Firefox with the "-console" command line argument, set the noscript.consoleDump about:config preference to 65336 and watch if anything interesting appears in the terminal window which will be attached to Firefox when the problem happens.

[Guest]

Thanks for the help so far guys! With the console output I was able to track down the problem to the ABE module. With this enabled the page loads will failed eventually. Once
I disable it the page loads as expected and can be reloaded without hanging.

This is the output of the console based for a re-load that hangs:

***FAILED***

[NoScript] https://server01.domain.local/test/ *** Top level document, resetting former untrusted browser info
[NoScript] https://server01.domain.local/test/ *** ORIGIN: chrome://browser/content/browser.xul
[NoScript] https://server01.domain.local/test/ *** Top level document, resetting former untrusted browser info
[NoScript InjectionChecker] test/ - LINES: 1918, 2045, 2000, 823, 161, 2720, 162, 1393, 0
[NoScript InjectionChecker] ///test/ - LINES: 1790, 2054, 2049, 2000, 823, 161, 2720, 162, 1393, 0
[ABE] Using cached DNS record for server01.domain.local
[ABE] DNS query on server01.domain.local done, 0ms
[ABE] Checking #127: https://server01.domain.local/test/ from chrome://browser/content/browser.xul - 6883328
[ABE] Site LOCAL
Accept from LOCAL
Deny
[ABE] {GET https://server01.domain.local/test/ <<< chrome://browser/content/browser.xul - 6} matches "Accept from LOCAL"

[ABE] https://server01.domain.local/test/ Checked in 7
[ABE] Removing DNS cache record for server01.domain.local
[NoScript] http-on-examine-response: https://server01.domain.local/test/, 6883328
[NoScript] OCS: https://server01.domain.local/test/, text/html
[NoScript] https://server01.domain.local/test/ *** Top level document, resetting former untrusted browser info
[NoScript] https://server01.domain.local/test/ *** ORIGIN: chrome://browser/content/browser.xul
[NoScript] https://server01.domain.local/test/ *** Top level document, resetting former untrusted browser info
[NoScript InjectionChecker] test/ - LINES: 1918, 2045, 2000, 823, 161, 2720, 162, 1393, 0
[NoScript InjectionChecker] ///test/ - LINES: 1790, 2054, 2049, 2000, 823, 161, 2720, 162, 1393, 0
[ABE] 128 not pending yet, will check later.
[NoScript] http-on-examine-response: https://server01.domain.local/test/, 6883328
[NoScript] OCS: https://server01.domain.local/test/, text/html

***END FAILED***

This is a successful load:
**SUCCESSFUL**

[NoScript] https://server01.domain.local/test/ *** Top level document, resetting former untrusted browser info
[NoScript] https://server01.domain.local/test/ *** ORIGIN: chrome://browser/content/browser.xul
[NoScript] https://server01.domain.local/test/ *** Top level document, resetting former untrusted browser info
[NoScript InjectionChecker] test/ - LINES: 1918, 2045, 2000, 823, 161, 2720, 162, 1393, 0
[NoScript InjectionChecker] ///test/ - LINES: 1790, 2054, 2049, 2000, 823, 161, 2720, 162, 1393, 0
[ABE] Using cached DNS record for server01.domain.local
[ABE] DNS query on server01.domain.local done, 0ms
[ABE] Checking #66: https://server01.domain.local/test/ from chrome://browser/content/browser.xul - 6881280
[ABE] Site LOCAL
Accept from LOCAL
Deny
[ABE] {GET https://server01.domain.local/test/ <<< chrome://browser/content/browser.xul - 6} matches "Accept from LOCAL"

[ABE] https://server01.domain.local/test/ Checked in 7
[NoScript] http-on-examine-response: https://server01.domain.local/test/, 6881280
[NoScript] OCS: https://server01.domain.local/test/, text/html
[NoScript] https://server01.domain.local/test/ *** Top level document, resetting former untrusted browser info
[NoScript] https://server01.domain.local/test/ *** ORIGIN: chrome://browser/content/browser.xul
[NoScript] https://server01.domain.local/test/ *** Top level document, resetting former untrusted browser info
[NoScript InjectionChecker] test/ - LINES: 1918, 2045, 2000, 823, 161, 2720, 162, 1393, 0
[NoScript InjectionChecker] ///test/ - LINES: 1790, 2054, 2049, 2000, 823, 161, 2720, 162, 1393, 0
[ABE] Using cached DNS record for server01.domain.local
[ABE] DNS query on server01.domain.local done, 0ms
[ABE] Checking #67: https://server01.domain.local/test/ from chrome://browser/content/browser.xul - 6881280
[ABE] Site LOCAL
Accept from LOCAL
Deny
[ABE] {GET https://server01.domain.local/test/ <<< chrome://browser/content/browser.xul - 6} matches "Accept from LOCAL"

[ABE] https://server01.domain.local/test/ Checked in 6
[NoScript] http-on-examine-response: https://server01.domain.local/test/, 6881280
[NoScript] OCS: https://server01.domain.local/test/, text/html
[ABE] Skipping low-level browser request for https://server01.domain.local/favicon.ico
[ABE] Using cached DNS record for server01.domain.local
[ABE] DNS query on server01.domain.local done, 0ms
[ABE] Checking #69: https://server01.domain.local/favicon.i ... tion=16,16 from chrome://browser/content/browser.xul - 5120
[ABE] Site LOCAL
Accept from LOCAL
Deny
[ABE] Error retrieving type of https://server01.domain.local/favicon.i ... tion=16,16: TypeError: PolicyState.extract(...) is null
[ABE] {GET https://server01.domain.local/favicon.i ... tion=16,16 <<< chrome://browser/content/browser.xul - 1} matches "Accept from LOCAL"
[ABE] https://server01.domain.local/favicon.i ... tion=16,16 Checked in 11
[ABE] Skipping low-level browser request for https://server01.domain.local/favicon.ico
[NoScript] http-on-examine-response: https://server01.domain.local/favicon.ico, 0
[NoScript] http-on-examine-response: https://server01.domain.local/favicon.ico, 0
[NoScript] http-on-examine-cached-response: https://server01.domain.local/favicon.i ... tion=16,16, 5120

**END SUCCESSFUL**