Floccus: HTTP redirect detection breaks connection in some (corporate) networks

Created on 8 Apr 2021 · 7 Comments · Source: floccusaddon/floccus

Describe the bug

I want to use one of my NC bookmark app server folders on my company PC. For a few weeks now, syncing has not been possible any more, with the error: Syncing failed with E033: Redirect detected.
(I guess: https://github.com/floccusaddon/floccus/commit/6946fc96c13b108e42af66474d6f1981398416b8)

I'm aware that there is a zscaler proxy which fiddles with the connection. Sync outside of the company network is as expected.

I was not sure whether to label it a bug or feature request. But since it broke a working setup I went with bug.

Expected behavior

For this it would be good to have an option, which is default on, to deactivate this redirect check.

Desktop

  • OS: Windows 10
  • Browser: Chrome, Firefox, Brave
  • Floccus version: 4.6.1
  • Floccus sync method: nextcloud bookmarks

Server

  • OS: [Raspberry Pi OS buster]
  • Nextcloud version: [21.0]
  • Bookmarks app version: [4.1.0]

Debug log

  • [x] Debug log provided
2021-04-08T09:10:50.208Z Starting sync process for account user@domain
2021-04-08T09:10:50.212Z Using "merge default" strategy (no cache available)
2021-04-08T09:10:50.221Z Overriding title of built-in node 1 Bookmarks => Bookmarks Bar
2021-04-08T09:10:50.543Z Syncing failed with E033: Redirect detected. Please install the Bookmarks app on your nextcloud and make sure the nextcloud URL you entered doesn't redirect to a different location.
bug

All 7 comments

Does the nextcloud URL you entered redirect to a different location? If so, then syncing is unlikely to work reliably. Make sure to enter the redirect target in the floccus settings instead.

> Does the nextcloud URL you entered redirect to a different location?

No, the URL stays the same. I am logged in within the same browser to that account on the NC web UI. I'm also doing CalDAV connections to the same instance from this PC; only floccus stopped connecting.
One obvious difference is that the SSL certificate issuer is different. It's from this zscaler proxy system my company uses. That's why I suspected it to be the problem.

My setup hasn't changed when floccus stopped connecting with that error.
_Company PC -https(company cert)-> Company Proxy -https(letsencrypt)-> Home Nginx SSL proxy -(http)-> nginx NC server_

Do you know what exactly is detected as a redirect by that function?

According to the spec only 301 or 302 responses should be detected as a redirect.

So, from what I can see at the moment, either your proxy chain somehow returns a 30{1,2} at some point, or your browser is doing something funky.

You could try intercepting network traffic as follows:

Firefox

  • Go to about:debugging -> This firefox
  • click on debug button next to floccus entry
  • go to the network tab in the inspector tab
  • trigger a sync by clicking on sync now for the account of your choice.
  • check the failing network requests

Chrome

  • Go to chrome://extensions
  • enable Developer mode
  • click on dist/html/background.html button in floccus' entry next to "Inspect views: "
  • go to the network tab in the inspector window
  • trigger a sync by clicking on sync now for the account of your choice
  • check the failing network requests

From Firefox (and Chrome) I get a 307 from the company proxy:

Request:

GET /nc/index.php/apps/bookmarks/public/rest/v2/folder/-1/hash HTTP/1.1
Host: mydomain.eu
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic **
Connection: keep-alive

Response:

HTTP/1.1 307 Temporary Redirect
Content-Length: 0
Access-Control-Allow-Origin: *
Location: https://gateway.zscaler.net:443/auD?origurl=https%3A%2F%2Fmydomain%2eeu%2fnc%2findex%2ephp%2fapps%2fbookmarks%2fpublic%2frest%2fv2%2ffolder%2f%2d1%2fhash&wexps=1&_ordtok=qk43WVqQF3mkNmPNq2VDq7W0J2
Content-Type: text/html
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Set-Cookie: ssm_au_d=1;SameSite=None;Secure;path=/;domain=mydomain.eu

> I get a 307 from the company proxy

Ah. I didn't consider 307 and 308. I'll make sure those are given a pass.

Sadly, it doesn't seem to be possible to distinguish between different redirect status codes :/

So, the options are now

a) prohibit all redirects, breaking 307 and 308
b) allow all redirects, giving a confusing error message for people that unknowingly have a 301/302 in their URL (POSTing to a 301 URL will redirect to a GET, breaking sync)

Update: I've opened an issue for this: https://github.com/whatwg/fetch/issues/1212

It's hard for me to tell how special my case is for your user base. I would be out of options when you choose a).

I don't know how much effort it would be, but

c) to create a GUI (or even more hidden) option: Allow redirects

By default you would block them.
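
Since fetch cannot tell the extension which redirect status it hit, the distinction discussed above has to be made from a response copied out of the network tab. The following is an added example, not part of the thread or of floccus's code: it classifies a captured response head by status, by the method the browser will use next (per the Fetch standard's redirect rules), and by whether the target looks injected by an intermediary. The function names and the `example` hosts are assumptions made for illustration.

```javascript
// Added example. Method rules follow the Fetch standard's HTTP-redirect step.
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

// Method the browser uses for the follow-up request after a redirect.
function methodAfterRedirect(status, method) {
  const m = method.toUpperCase();
  if ((status === 301 || status === 302) && m === 'POST') return 'GET';
  if (status === 303 && m !== 'GET' && m !== 'HEAD') return 'GET';
  return m; // 307 and 308 keep method and body
}

// Parse a response head as copied from the devtools network tab.
function parseResponseHead(raw) {
  const [statusLine, ...lines] = raw.trim().split(/\r?\n/);
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: Number(statusLine.split(' ')[1]), headers };
}

function classifyRedirect(requestUrl, method, rawResponse) {
  const { status, headers } = parseResponseHead(rawResponse);
  if (!REDIRECT_STATUSES.has(status) || !headers.location) return { redirect: false, status };
  const from = new URL(requestUrl);
  const to = new URL(headers.location, from); // Location may be relative
  const nextMethod = methodAfterRedirect(status, method);
  // A cross-origin target that echoes the original URL in its query string
  // points at something on the path (proxy, captive portal), not the server.
  const echoesOriginal = [...to.searchParams.values()].some((v) => {
    try { return new URL(v).href === from.href; } catch { return false; }
  });
  const crossOrigin = to.origin !== from.origin;
  return { redirect: true, status, crossOrigin, nextMethod,
    injectedByIntermediary: crossOrigin && echoesOriginal,
    methodRewritten: nextMethod !== method.toUpperCase() };
}

// Constructed samples (placeholder hosts), modelled on the capture in the thread.
const PROXY_307 = [
  'HTTP/1.1 307 Temporary Redirect',
  'Location: https://gateway.proxy.example:443/auD?origurl=https%3A%2F%2Fcloud%2eexample%2fnc%2fhash&wexps=1',
].join('\n');
const SERVER_301 = 'HTTP/1.1 301 Moved Permanently\nLocation: /nc/index.php/apps/bookmarks/';

console.log(classifyRedirect('https://cloud.example/nc/hash', 'GET', PROXY_307));
console.log(classifyRedirect('https://cloud.example/nextcloud/apps/bookmarks/', 'POST', SERVER_301));
```

The first sample is flagged as injected by an intermediary with the method preserved; the second is a same-origin 301 that would turn a POST into a GET, the case option b) warns about.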
