Gerry Hickman wrote:
I have a SiteCom router with an embedded web server. For many years I
was able to log in from SeaMonkey by typing http://10.0.0.1/ and then
the user name and password. This still works in older versions of SM and
FF, but not in SM 2.46.

I believe the issue is related to a new HTTP header being sent by SM 2.46:

Upgrade-Insecure-Requests: 1

I set up a raw HTTP test on a linux VM (without using a browser) and
tested both with and without this header.

Request with header : Authentication FAILS
Request without header : Authentication WORKS

It's quite strange, as I don't see how the router can even know about
this header as it's too old. I also noticed something even more odd: if
I change the header to something like

BlahBlahBalh: 1

the authentication also fails, but if I use

BlahBlahBalh: one

everything starts working.

Is it possible to disable the 'Upgrade-Insecure-Requests' header in
SeaMonkey?


I found this same behavior with my Linksys/Cisco WRT120N home router that I bought in 2010. Since SeaMonkey is based pretty much on Firefox code, I checked it there with the same result. So I decided to file a bug report on Firefox because any fix there would/should migrate to the SeaMonkey code.

See https://bugzilla.mozilla.org/show_bug.cgi?id=1330795

The Comment story started 4 months ago and has recently concluded that my router is the bad boy. It has been at end-of-life status according to Linksys/Cisco for about 6 years. The only workaround I have is, as you have found, to use the older version of SM, or another browser such as Google Chrome, MS Edge or Pale Moon - that apparently do not (yet) send the Upgrade-Insecure-Header in the request.

This header mechanism is legitimate W3C:
https://w3c.github.io/webappsec-upgrade-insecure-requests/
It looks like we've got to learn to live with it.

How old is your SiteCom router? Have you looked into available firmware upgrades for it?
_______________________________________________
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
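
An added example, not part of either message: a Python harness that repeats the raw-HTTP comparison described in the quoted post, sending the same login request once per header variant and recording the status code. It assumes HTTP Basic authentication, which the thread does not state; `StubRouter` is a constructed stand-in that only copies the reported symptom so the script runs offline, and the credentials are placeholders.

```python
import base64, socket, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Variants tried in the thread: no extra header, the real one, two made-up ones.
VARIANTS = [None, ("Upgrade-Insecure-Requests", "1"),
            ("BlahBlahBalh", "1"), ("BlahBlahBalh", "one")]

def raw_get(host, port, user, password, extra=None):
    """Send one hand-built GET with Basic credentials; return the status code."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    lines = ["GET / HTTP/1.1", f"Host: {host}", f"Authorization: Basic {cred}"]
    if extra:
        lines.append(f"{extra[0]}: {extra[1]}")
    lines += ["Connection: close", "", ""]
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall("\r\n".join(lines).encode("ascii"))
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
    return int(reply.split(b" ", 2)[1])

def compare(host, port, user, password):
    """Map each header variant to the status code the device returned."""
    return {f"{v[0]}: {v[1]}" if v else "(no extra header)":
            raw_get(host, port, user, password, v) for v in VARIANTS}

class StubRouter(BaseHTTPRequestHandler):
    """Constructed stand-in: rejects a login when an unknown header has a
    numeric value. It copies the symptom only; the real firmware is unknown."""
    KNOWN = {"host", "authorization", "connection"}
    def do_GET(self):
        ok = self.headers.get("Authorization", "").startswith("Basic ")
        bad = any(k.lower() not in self.KNOWN and v.strip().isdigit()
                  for k, v in self.headers.items())
        self.send_response(200 if ok and not bad else 401)
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo output quiet

def demo():
    srv = HTTPServer(("127.0.0.1", 0), StubRouter)  # free loopback port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return compare("127.0.0.1", srv.server_port, "admin", "example")
    finally:
        srv.shutdown()
```

Calling `compare()` with a device's address and real credentials in place of `demo()` gives the same table for actual hardware, which shows whether the failure follows the header name or only its value.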
