Login page fails with “This web browser is too old” error with most recent browser versions

Bug #1990623 reported by Martin Pitt
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Focal Backports | Confirmed | Undecided | Martin Pitt | |
| cockpit (CentOS) | Unknown | Critical | | |
| cockpit (Ubuntu) | Fix Released | High | Unassigned | |
| Jammy | Fix Released | Critical | Martin Pitt | |
| Kinetic | Fix Released | High | Unassigned | |

Bug Description

[Impact]
With current Firefox and Chromium nightly, the login page shows

    This web browser is too old to run the Web Console (missing selector(:is():where()))

Newer, upcoming browser versions have improved next-level support for :is() and :where() selectors. Cockpit was checking for support with an empty usage, which passed on browsers in the earlier (current as of writing) implementation. However, browsers have recently updated their parsing support for “Forgiving Selector Parsing” [1], which caused the newer development versions of Firefox, Chrome, and WebKit to fail this check, preventing the browsers from logging into Cockpit.

This check is done to test browser capabilities/features which Cockpit requires. These are meant to prevent broken pages and bug reports for too old browsers (like Internet Explorer). Cockpit's requirements are not exactly cutting edge, we support browsers of the last two years at least.

[Fix]
This was first reported against Firefox itself [2], see that upstream bug for details and a screenshot. But the more fine-grained support for :is()/:where() is intentional, and Cockpit's login page must be adjusted [3]. The fix [4] is minimal, just a two-character patch.

This was done in upstream release 276.1, so this is fixed in current kinetic and jammy-backports. However, the current version 264 in jammy-release (22.04 LTS) is affected by this, and should get this fix.

[Test Plan]
- Download Firefox nightly: https://www.mozilla.org/en-US/firefox/channel/desktop/
- apt install cockpit
- Go to http://localhost:9090
- Login page shows "This web browser is too old to run the Web Console"
- Install the fixed version
- Go to login page again, it should not show the error any more and let you log into Cockpit.

Until this gets accepted as an SRU, you can test the fix from my PPA: https://launchpad.net/~pitti/+archive/ubuntu/fixes/

[Where problems could occur]
The updated selector() check has the potential to fail on older or less popular browsers. We checked the current releases and nightly versions of Firefox, Chromium, and WebKit. The fix has also been "in the wild" for some weeks now, in Kinetic, jammy-backports, Fedora releases, and CentOS 8/9 stream. We did not get any regression reports for them.

[1] https://developer.mozilla.org/en-US/docs/Web/CSS/:is#forgiving_selector_parsing
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1790259
[3] https://github.com/cockpit-project/cockpit/issues/17724
[4] https://github.com/cockpit-project/cockpit/pull/17726
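
The capability check from the description above, modelled outside a browser as an added example (not Cockpit's login.js, and not part of the original report). The two `supports` models are simplified assumptions about old and new engine behaviour, and the `*` arguments in `AFTER` are an assumed form of the two-character fix; only the `BEFORE` string is taken from the error message on this page.

```javascript
// Stand-ins for the browser's CSS.supports(); both are simplified models.

// Older engines: an empty :is() / :where() argument list passed the check.
function legacySupports(condition) {
    return /^selector\((:(is|where)\([^()]*\))+\)$/.test(condition);
}

// Newer engines: selector() in a supports query rejects an empty argument list.
function strictSupports(condition) {
    return /^selector\((:(is|where)\([^()]+\))+\)$/.test(condition);
}

// Return every required feature the given engine does not report as supported.
function missingFeatures(supports, requirements) {
    return requirements.filter((req) => !supports(req));
}

// Build the login page banner, or null when all requirements are met.
function loginBanner(supports, requirements) {
    const missing = missingFeatures(supports, requirements);
    if (missing.length === 0)
        return null;
    return "This web browser is too old to run the Web Console (missing " +
           missing.join(", ") + ")";
}

const BEFORE = ["selector(:is():where())"];   // string quoted in the error message
const AFTER = ["selector(:is(*):where(*))"];  // assumption: valid, non-empty arguments

// Run both requirement sets against both engine models; the regression risk
// named under [Where problems could occur] is any non-null entry for AFTER.
function regressionMatrix() {
    const engines = { legacy: legacySupports, strict: strictSupports };
    const result = {};
    for (const [name, supports] of Object.entries(engines)) {
        result[name] = {
            before: loginBanner(supports, BEFORE),
            after: loginBanner(supports, AFTER),
        };
    }
    return result;
}

console.log(regressionMatrix());
```

In a real browser, passing `(c) => CSS.supports(c)` as `supports` runs the same requirement strings against the actual engine.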

In , mpitt (mpitt-redhat-bugs) wrote :

Description of problem:

Firefox Nightly now reports unsupported CSS selectors. Since that fix was implemented, Firefox Nightly users can no longer log in to Cockpit, the login page just shows:

   This web browser is too old to run the Web Console (missing selector(:is():where()))

This is due to a bad CSS capability check in Cockpit's login page.

See this issue for details: https://bugzilla.mozilla.org/show_bug.cgi?id=1790259

Chromium is affected in the same way.

Current *releases* of Firefox and Chromium are fine still, but it is expected that the upcoming versions will contain this change.

Version-Release number of selected component (if applicable):

cockpit-ws-275-1.el9

How reproducible: Always

Steps to Reproduce:
1. Try to log into Cockpit with Firefox nightly

Actual results: Login page shows the error above, login is not possible.

Expected results: Login should work normally.

This was reported upstream in https://github.com/cockpit-project/cockpit/issues/17724 and fixed in https://github.com/cockpit-project/cockpit/pull/17726

In , mpitt (mpitt-redhat-bugs) wrote :

Requesting blocker+ for RHEL 9.1. I'll also clone this for 8.7. We will most probably also need to fix this in earlier RHEL releases in Z-stream.

In , mpitt (mpitt-redhat-bugs) wrote :

> 1. What is the scope of harm if this BZ is not resolved in this release?

It will not be possible to log into the Web Console any more once the current nightly Firefox/Chrome browsers get released and widely used.

> 2. What are the risks associated with resolving this BZ? Reviewers want to
> know the scope of retesting, potential regressions

For Cockpit itself, changes to the login page's capability checks have the potential to break with older browsers. The current check is just plain wrong, and gets fixed to adhere to the W3C spec. But it needs to be tested with older and current Firefox, Chromium, and other browsers (in particular Safari).

For other RHEL components or RH products there is no regression potential. Cockpit has very few reverse dependencies -- the only known one is Foreman/Satellite, which has a [Web Console] button. But this is set up in a way to not ever show the login page, the user gets right into an authenticated Cockpit session. Specifically, the login page is for human users, it is not an API.

The fix is minimal, targeted, and very straightforward (at least to someone with some CSS background): https://github.com/cockpit-project/cockpit/pull/17726/files

> 3. Provide any other details that meet blocker criteria or should be weighed
> in making a decision (Other releases affected, upstream status, business
> impacts, etc).

The Web Console is a popular and widely announced RHEL feature; e.g. it gets a significant number of feature requests and support cases, is installed by default, and is even advertised in motd. As such, failure to log in would be a fairly embarrassing and bad behaviour.

> 4. Provide reasoning why this request is being solved after regular DTD
> cycle. This will help us to assess & improve the exception process.

The change in Firefox nightly that exposed/caused this only happened 6 days ago (https://hg.mozilla.org/integration/autoland/rev/3e0a5d1881e9474173e0455972f35022be5192f6). The Cockpit bug was only found/reported yesterday, and a fix got available today.

In , mpitt (mpitt-redhat-bugs) wrote :

We have the fix available, and can upload it to RHEL 9.1/8.7 within a day. I'm not entirely sure wrt. exception vs. blocker -- if the reviewers think that exception+ is more appropriate, that's of course fine for us as well.

Martin Pitt (pitti)
Changed in cockpit (Ubuntu Kinetic):
status: New → Fix Released
importance: Undecided → High
Changed in cockpit (Ubuntu Jammy):
status: New → In Progress
assignee: nobody → Martin Pitt (pitti)
importance: Undecided → High
Changed in focal-backports:
status: New → In Progress
assignee: nobody → Martin Pitt (pitti)
status: In Progress → Confirmed
description: updated
Martin Pitt (pitti)
description: updated
Martin Pitt (pitti) wrote :

The fix for this unfortunately looks a little wild. The actual source change in pkg/static/login.js is very small and obvious, but that's not what the browser actually consumes. That's the so-called "webpacks" in dist/, which are compiled/bundled and minified JavaScript files.

The Debian package does *not* run webpack during build, as that either needs internet access, or shipping hundreds of NPM modules. So upstream releases contain the pre-built webpacks in dist/. For the fix to be effective, the resulting webpack must be patched as well. That is done in the diff, but as the webpack is essentially just a single huge line, it's very large.

This is the first-ever bug that we patch in a stable release in this minimal fashion. We have very strong integration tests for all distros, so we don't usually have major issues/regressions -- so we haven't developed a more streamlined approach to SRU patches, sorry!

Martin Pitt (pitti) wrote :

I downloaded firefox-107.0a1.en-US.linux-x86_64.tar.bz2, unpacked it, ran it with

    HOME=/tmp/h ./firefox

and got the broken login page on a clean 22.04.1 VM. I then built the updated cockpit_264-1ubuntu0.22.04.1.dsc in a clean jammy container, installed the debs into my VM, and confirm that both firefox nightly and firefox release now have a working login page.

I uploaded the fixed package to the queue.

Changed in cockpit (CentOS):
importance: Unknown → Critical
status: Unknown → Fix Committed
Martin Pitt (pitti)
description: updated
Martin Pitt (pitti) wrote : Re: Login page fails with “This web browser is too old” error with upcoming browsers

Bumping to critical. In the meantime, the firefox change went into a stable release, so this affects a lot more users now. We are getting reports about it already: https://github.com/cockpit-project/cockpit/issues/17773

Changed in cockpit (Ubuntu Jammy):
importance: High → Critical
summary: - Login page fails with “This web browser is too old” error with upcoming
- browsers
+ Login page fails with “This web browser is too old” error with most
+ recent browser versions
Changed in cockpit (CentOS):
status: Fix Committed → Unknown
Garrett (garrettl) wrote :

Looking forward to fixes for this, as we're getting bug reports on the Cockpit issue tracker now that Firefox has been upgraded (and therefore cannot sign into Cockpit).

Will the (simple 2-character) fix land in Ubuntu repos any time soon?

Without this fix, people can't use Cockpit with Firefox, so it's fairly critical. And soon they won't be able to use Cockpit even with Chrome (and Edge and Brave and other Chromium browsers), when the new version of Chrome/Chromium is released.

Thanks!

Martin Pitt (pitti) wrote :

Right, it seems that SRUs haven't been processed since around August 20. https://wiki.ubuntu.com/StableReleaseUpdates does not mention any new process.

Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Martin, or anyone else affected,

Accepted cockpit into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cockpit/264-1ubuntu0.22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in cockpit (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Martin Pitt (pitti) wrote :

I downloaded current Firefox beta (106.0b) and confirm the "too old" bug with current cockpit 264-1. I then updated to cockpit 264-1ubuntu0.22.04.1 from -proposed, force-reloaded the login page, and it works now.

tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for cockpit has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cockpit - 264-1ubuntu0.22.04.1

---------------
cockpit (264-1ubuntu0.22.04.1) jammy-proposed; urgency=medium

  * Login page: Use valid selectors when testing for :is() / :where()
    support. This fixes the "This web browser is too old" error message with
    upcoming (nightly) Firefox/Chromium browsers. Patch backported from upstream
    https://github.com/cockpit-project/cockpit/commit/ce351ca7079ba44
    as 0001-login-Use-valid-selectors-when-testing-for-is-where-.patch.
    Add the corresponding generated webpack diff to make this change effective
    without a webpack run (which the Debian package does not do).
    (LP: #1990623)
  * debian/rules: Touch the login page manifest, so that the upstream build
    system does not try to re-run webpack after patching the login page.

 -- Martin Pitt <email address hidden> Fri, 23 Sep 2022 08:12:43 +0200

Changed in cockpit (Ubuntu Jammy):
status: Fix Committed → Fix Released