Open
Bug 1365239
Opened 7 years ago
Updated 2 years ago
Why firefox is not reporting active mixed content loaded by <link> tag?
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
UNCONFIRMED
People
(Reporter: prothoughts.ruby, Unassigned)
Details
(Whiteboard: [domsecurity-backlog3])
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce:
1. Create a test web page with the following tag that preloads mixed content, e.g. <link rel="preload" href="http://<Hostname>/other.css" as="style">
2. The web page should be hosted on an "https" site.
3. In Mozilla Firefox, "link" with the "rel" attribute set to the "preload" value fetches the resource in advance.

Actual results:
1. According to Mozilla's document, https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types, <link> with the "rel" attribute set to the "preload" value fetches the resource in advance.
2. Mozilla Firefox should report the mixed content for this preloaded resource.
3. But unfortunately Firefox is not reporting the active mixed content.

Expected results:
Mozilla Firefox should report mixed content on the test web page for the "http://<Hostname>/other.css" resource loaded over http.
Updated•7 years ago
Component: Untriaged → DOM: Security
Product: Firefox → Core
Comment 1•7 years ago
That resource load is triggered by the page, but it's not _in_ the page (yet?) so we don't know if it's going to be used. Yes, this leaks requests (possible unsafe user cookies, like non-blocked images), but doesn't cause the page itself to be unsafe mixed content. See also bug 1242902 for a somewhat related bug with preloads.

Kate: what does the mixed-content spec say about this case?
Flags: needinfo?(kmckinley)
Comment 2•7 years ago
Given that it is active mixed-content, the load should be blocked for mixed-content, unless we have some reason to upgrade it prior to the request. I attempted to create a working reproduction, and was unsuccessful. Even when the URI was https://, it did not load the <link> URI. I suspect this is a bug in the stylesheet loader. Firefox doesn't attempt to load the stylesheet at all, so it doesn't go through the mixed-content blocker. Testing on Chrome shows the stylesheet is properly blocked for mixed content.
Flags: needinfo?(kmckinley)
Comment 3•7 years ago
I don't think we support the "as" attribute yet, from the proposed Preload spec https://w3c.github.io/preload/. When we do, the type should be passed through to the content load and then we can apply the mixed-content blocking rules. Until then it's just mixed-passive content: we can't tell the difference between something OK, like an image, and something not, like a script.
Flags: needinfo?(annevk)
Updated•7 years ago
Priority: -- → P3
Whiteboard: [domsecurity-backlog3]
Comment 4•7 years ago
Your analysis sounds correct. Pretty sure Dragana added as="" attribute support recently so can look into this now.
Flags: needinfo?(annevk) → needinfo?(dd.mozilla)
Comment 5•7 years ago
We do not support preload yet. I do not believe we fetch anything with <link rel=preload.... Bug 1222633 has not landed yet!
Flags: needinfo?(dd.mozilla)
Updated•2 years ago
Severity: normal → S3
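
Added example (not part of the original bug thread and not Firefox code): an audit sketch for the case discussed in Comment 3, listing http: preloads declared on an https: page and classifying them by their "as" attribute. The function names, the sample hosts and the active/passive mapping (image, audio and video as passive, every other type as active) are assumptions made for this illustration.

```javascript
// Added example: classify <link rel="preload"> hints found on an HTTPS page.
// Assumption: image/audio/video count as "passive"; any other `as` value is "active".
const PASSIVE_DESTINATIONS = new Set(["image", "audio", "video"]);

// Read one attribute from a tag's source text (quoted or unquoted value).
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return every preload in `html` that would be fetched over http: from an https: page.
function auditPreloads(pageUrl, html) {
  const findings = [];
  if (new URL(pageUrl).protocol !== "https:") return findings; // http pages have no mixed content
  for (const [tag] of html.matchAll(/<link\b[^>]*>/gi)) {
    const rel = (getAttr(tag, "rel") || "").toLowerCase().split(/\s+/);
    const href = getAttr(tag, "href");
    if (!rel.includes("preload") || !href) continue;
    let target;
    try { target = new URL(href, pageUrl); } catch { continue; } // skip unparsable hrefs
    if (target.protocol !== "http:") continue;
    const as = (getAttr(tag, "as") || "").toLowerCase();
    let category;
    if (as === "") category = "unknown";           // no type: image and script look alike
    else if (PASSIVE_DESTINATIONS.has(as)) category = "passive";
    else category = "active";                      // style, script, font, fetch, ...
    findings.push({ href: target.href, as: as || null, category });
  }
  return findings;
}

// Constructed sample markup, assumed to be served from https://site.example/
const SAMPLE_HTML = `
<link rel="preload" href="http://cdn.example/other.css" as="style">
<link rel="preload" href="http://cdn.example/hero.png" as="image">
<link rel=preload href=http://cdn.example/blob>
<link rel="preload" href="https://cdn.example/app.js" as="script">
<link rel="stylesheet" href="http://cdn.example/legacy.css">`;

console.log(auditPreloads("https://site.example/", SAMPLE_HTML));
```

The regex-based tag scan is a simplification for static audits of markup; the "unknown" category corresponds to the situation in Comment 3 where no type is available to pass to the content load.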