Bug 2126038

Summary: Login fails with "This web browser is too old" with upcoming Firefox and Chromium browsers [rhel-9.1.]
Product: Red Hat Enterprise Linux 9
Component: cockpit
Version: 9.1
Hardware: All
OS: All
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Reporter: Martin Pitt <mpitt>
Assignee: Martin Pitt <mpitt>
QA Contact: Jan Ščotka <jscotka>
CC: mmarusak, pvlasin, redhat-bugzilla
Keywords: Regression, Triaged, ZStream
Flags: pm-rhel: mirror+
Target Milestone: rc
Target Release: 9.1
Fixed In Version: cockpit-276.1-1.el9
Last Closed: 2022-11-15 11:16:26 UTC
Type: Bug
Bug Blocks: 2126044, 2127133, 2129056
Deadline: 2022-09-27

Description Martin Pitt 2022-09-12 08:29:39 UTC
Description of problem:

Firefox Nightly now reports unsupported CSS selectors. Since that fix was implemented, Firefox Nightly users can no longer log in to Cockpit; the login page just shows:

   This web browser is too old to run the Web Console (missing selector(:is():where()))

This is due to a bad CSS capability check in Cockpit's login page.

See this issue for details: https://bugzilla.mozilla.org/show_bug.cgi?id=1790259

Chromium is affected in the same way.

Current *releases* of Firefox and Chromium are fine still, but it is expected that the upcoming versions will contain this change.

Version-Release number of selected component (if applicable):

cockpit-ws-275-1.el9

How reproducible: Always


Steps to Reproduce:
1. Try to log into Cockpit with Firefox nightly

Actual results: Login page shows the error above, login is not possible.

Expected results: Login should work normally.

This was reported upstream in https://github.com/cockpit-project/cockpit/issues/17724 and fixed in https://github.com/cockpit-project/cockpit/pull/17726

Comment 1 Martin Pitt 2022-09-12 08:31:26 UTC
Requesting blocker+ for RHEL 9.1. I'll also clone this for 8.7. We will most probably also need to fix this in earlier RHEL releases in Z-stream.

Comment 3 Martin Pitt 2022-09-12 08:42:22 UTC
> 1. What is the scope of harm if this BZ is not resolved in this release? 

It will not be possible to log into the Web Console any more once the current nightly Firefox/Chrome browsers get released and widely used.

> 2. What are the risks associated with resolving this BZ?  Reviewers want to
> know the scope of retesting, potential regressions

For Cockpit itself, changes to the login page's capability checks have the potential to break with older browsers. The current check is just plain wrong, and gets fixed to adhere to the W3C spec. But it needs to be tested with older and current Firefox, Chromium, and other browsers (in particular Safari).

For other RHEL components or RH products there is no regression potential. Cockpit has very few reverse dependencies -- the only known one is Foreman/Satellite, which has a [Web Console] button. But this is set up in a way to not ever show the login page, the user gets right into an authenticated Cockpit session. Specifically, the login page is for human users, it is not an API.

The fix is minimal, targeted, and very straightforward (at least to someone with some CSS background): https://github.com/cockpit-project/cockpit/pull/17726/files

> 3. Provide any other details that meet blocker criteria or should be weighed
> in making a decision (Other releases affected, upstream status, business
> impacts, etc).

The Web Console is a popular and widely announced RHEL feature; e.g. it gets a significant number of feature requests and support cases, is installed by default, and is even advertised in motd. As such, failure to log in would be a fairly embarrassing and bad behaviour.

> 4. Provide reasoning why this request is being solved after regular DTD
> cycle. This will help us to assess & improve the exception process.

The change in Firefox nightly that exposed/caused this only happened 6 days ago (https://hg.mozilla.org/integration/autoland/rev/3e0a5d1881e9474173e0455972f35022be5192f6). The Cockpit bug was only found/reported yesterday, and a fix became available today.

Comment 4 Martin Pitt 2022-09-12 08:45:49 UTC
We have the fix available, and can upload it to RHEL 9.1/8.7 within a day. I'm not entirely sure wrt. exception vs. blocker -- if the reviewers think that exception+ is more appropriate, that's of course fine for us as well.

Comment 13 errata-xmlrpc 2022-11-15 11:16:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (cockpit bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8314