piics.net - Page does not load

[webcompat-bot]

URL: https://piics.net/ESigurnost/ffoxseitn/JScriptSigurnostM.htm

Browser / Version: Firefox 104.0 Operating System: Windows 10 Tested Another Browser: Yes Chrome

Problem type: Site is not usable Description: Page not loading correctly Steps to Reproduce: I use Firefox by nearly 100% as my favorite browser since many years and I'm very satisfied with FF. I made this special webpage for data security and encryption. Additionally, this webpage should be used only by my friends, so I used a method of HTML encryption - a secure way, that the website cannot be found by Google or an other search machine. This webpage was designed approx- 1 year ago and worked at this time 100% with Firefox - today I tried to use "my" webpage after a longer time and unfortunately the webpage couldn't used ....I was surprised and then I tried the webpage with (Win10) Google Chrome (version: 104.0.5112.102), Opera (Version:89.0.4447.101) and MS Edge (Version 104.0.1293.63) ....additionally I tried the webpage at my smart phone (SAMSUNG S8plus) with Dolphin, Brave and Samsung browser - ALL these browsers are working 100% - only FF browser has undefinded problems with the webpage ....what happens here? ( ...and sorry for my poor english..)

View the screenshot

Browser Configuration

• None

From webcompat.com with ❤️

[softvision-raul-bucata]

We appreciate your report. I was able to reproduce the issue. The page does not load:

Tested with:

Browser / Version: Firefox Release 104.0 (64-bit)/ Firefox Nightly 106.0a1 (2022-08-23) (64-bit) /Chrome Version Version 104.0.5112.102 (Official Build) (64-bit) Operating System: Windows 10 PRO x64

Notes:

1. Reproducible regardless of the status of ETP.
2. Reproducible on the latest build of Firefox Nightly and Release.
3. Works as expected using Chrome:

Moving this to NeedsDiagnosis for further investigations.

[qa_34/2022]

[wisniewskit]

Thanks for the report! I'm seeing qy6 is undefined errors, where qy6 is defined in some source code that is obfuscated and written out in an eval statement, eval(unescape('\166\141r%20%71\171%37%3D%27%27%3Bq\171%38%3DSt\162i\156%67%2Efr\157%6D\103ha\162C%6Fd\145%28%31%33%2C%31%30%29%3Bfo%72%28i (etc).

This is the un-obfuscated source code:

var qy7 = '';
qy8 = String.fromCharCode(13, 10);
for (i = 0; i < 2128; i++) {
    qy7 += qy8
}
;function qy6() {
    if (!document.all) {
        document.write(qy7)
    }
}
;qy6();
// snip more code

Firefox does run and define it before the console errors are logged. The code before that eval is:

l1l = document.all;
var c6ca8b9f7 = true;
ll1 = document.layers;
lll = window.sidebar;
c6ca8b9f7 = (!(l1l && ll1) && !(!l1l && !ll1 && !lll));
l11 = navigator.userAgent.toLowerCase();

function lI1(l1I) {
    return l11.indexOf(l1I) > 0 ? true : false
};
lII = lI1('kht') | lI1('per');
c6ca8b9f7 |= lII;

Ah, it's checking the navigator.userAgent string for "kht". Yeah, if I have Firefox use a Chrome useragent string or just tack a " KHTML" to the Firefox UA string, then the page starts working in Firefox too. This code is copy-pasted into the two subframes, and if each of them detects "KHTML" in the user-agent string, they work.

Because of the obfuscation it took a while to figure out where c6ca8b9f7 is read and used, but it's in this code:

if (c6ca8b9f7) {
    document.write(lO)
};

That isn't run in the main frame, but in the two subframes which are not loading (causing the breakage in Firefox). It is writing the actual code that defines qy6 in each subframe (basically a copy-paste of the first code-block I showed above). Why does it only write that for Chrome or Opera? Your guess is as good as mine, unfortunately. The code is just too obfuscated to really get many clues from it.

I would assume it was to work around some kind of past interop issue with frames. But if you're able to fix the code, the easiest thing to do would be to change the three frame's HTML files so that the source code includes a test for Firefox as well as KHTML and Opera:

lII = lI1('kht') | lI1('per') | lI1('fox');

Beyond that, I'm not sure what we can do unless someone can get us a clue for why the code is not running the script that it needs on Firefox.

[wisniewskit]

Ah, I found the change in Firefox which caused this to break; in Firefox 91 we removed support for a non-standard Javacsript API, window.sidebar. That appears to be how this code was detecting Firefox, in this line:

lll = window.sidebar;

I'm not sure why the code was detecting Firefox that way and other browsers in a different way, but that's the root cause of the breakage. The fix I suggested above would be the way to go here, it seems.

[giovanni4517]

Hi, today I made an update of Firefox to version 105.0 (64bit), unfortuntely the problem isn't solved...is there a chance of a solution in the future?

[wisniewskit]

Yes, I'm hoping to get a work-around for this site into Firefox 107, but unfortunately it probably won't make it into 106.

[wisniewskit]

@giovanni4517, also, in the meantime, if you still have access to make modifications to your site, I noted a way to fix it sooner in my comments above. Do you think that's feasible?

[giovanni4517]

This is not possible, I used and still use the HTML code encryption tool "HTML Guardian Professional" for my specific homepage applications...okay, so I have to be patient, but I definitely want to keep Firefox browser as my favorite browser

[wisniewskit]

@giovanni4517, just to be clear, you do not even have access to the "encrypted" files so I can help you alter them slightly? Because we don't keep webcompat work-arounds for specific sites around forever, so even if I get the work-around into Firefox 107, it will only buy us some time.

[giovanni4517]

Hi Thomas! Today I made a Firefox update (version 108.0.2), but unfortunately my problem is still unsolved. For comparison, I tested the current Android browsers with the mobile phone SAMSUNG Galaxy S21 FE (OS: Android 13)

SAMSUNG internet browser 19.0.6.3, Dolphin Browser V12.2.9, Brave Browser 1.46.146

and at my notebook with OS Win10

Google Chrome 108.0.5359.125 (64bit), Opera 94.0.4606.54, Microsoft Edge 108.0.1462.76 and all of these browsers work fantastically!

Is there any hope that my favorite browser, Firefox, will be able to display this specific webpage correctly again? Thank you very much, best regards from Vienna/Austria Hannes

[wisniewskit]

@giovanni4517, as I mentioned, the problem is really that your site is intentionally doing something that breaks it on Firefox (not your intention, but it's what's happening). The best real solution for us here would be for you to gain access to the webserver, and alter the files to fix this.

That means changing the original files and re-running them through HTML Guardian Professional. Or if you've lost the originals, it means altering the final versions that HGP produced and which are still on your web server (the ones the browser is loading right now). I'll be happy to join you on a chat app or video call if you'd like help figuring that out. In the meantime, we can still temporarily add a hack to Firefox for your site to give you some more time, but fixing it properly is the right way to go here. (I'm sure you can imagine how unrealistic it would be for us to hack around every website issue in Firefox itself, in perpetuity).

So please do let me know whether you have access to your web server to alter the files as-is, or the original files and the ability to re-run them through HGP again after changing them?

[giovanni4517]

Hi Thomas! I have now packed all files (HTML + HTML encrypted) into a zip file and this zip file is on my web server ready for download. How can I send you the URL?

[wisniewskit]

@giovanni4517 Depending on your trust levels, feel free to email me the link at twisniewski@mozilla.com. If you'd like to chat with me more directly, feel free to DM me on Mozilla's chat server: https://wiki.mozilla.org/Matrix#New_to_Matrix.2C_new_to_Mozilla.3F

Or another option could be to host the files on a private GitHub repository and only share it with me (as a collabator). Then I can suggest a pull request so you can see what changes I've made more easily, and once you're done with it you can delete that private repository.

[wisniewskit]

This should now be fixed. Thank you for working with me to fix this, @giovanni4517 !