616712 - Repeated warning about visiting encrypted page containing unencrypted information

Status: VERIFIED FIXED

(Firefox for Android Graveyard :: General, defect)

Description

[(no longer active)]

Every time I visit Google Reader on my phone using Fennec, I get this Security Warning:

You have requested an encrypted page that contains some unencrypted information.  Information that you see or enter on this page could easily be read by a third party.

[x] Alert me whenever I'm about to view an encrypted page that contains some unencrypted information.

When I uncheck the above box and press OK, I expect not to see this message next time.  But the message reappears no matter how many times I have seen this dialog.

Comment 1

[Doug Turner (:dougt)]

this alert happens from content.  the result of the the checkbox is given back to content, and it tries to set a perferences which fails (because you can't write out preferences from the child process)

Options:

1) Special case this preferences

2) Just removing this warning from Fennec (by adding the correct pref to mobile.js)


I am leaning toward (2).

Comment 2

[(no longer active)]

(In reply to comment #1)
> this alert happens from content.  the result of the the checkbox is given back
> to content, and it tries to set a perferences which fails (because you can't
> write out preferences from the child process)
> 
> Options:
> 
> 1) Special case this preferences
> 
> 2) Just removing this warning from Fennec (by adding the correct pref to
> mobile.js)
> 
> I am leaning toward (2).

Is this the only similar alert?

Comment 3

[Matt Brubeck (:mbrubeck)]

Here's a complete list of similar prefs.  The only ones that are enabled by default are this one (viewing_mixed) and "You have requested a page that uses low-grade encryption" (entering_weak):

> 76 pref("security.warn_entering_secure",    false);
> 77 pref("security.warn_entering_weak",      true);
> 78 pref("security.warn_leaving_secure",     false);
> 79 pref("security.warn_viewing_mixed",      true);
> 80 pref("security.warn_submit_insecure",    false);

http://mxr.mozilla.org/mozilla-central/source/netwerk/base/public/security-prefs.js

Comment 4

[Matt Brubeck (:mbrubeck)]

In addition to doug's options, we could remote nsISecurityWarningDialogs so that the dialog is displayed by the parent process, or override it to provide a mobile-specific UI.

Whatever else we do, I would suggest changing the Larry UI to use a red background and provide information when on a weak or mixed SSL page.

Comment 5

[Doug Turner (:dougt)]

right, remote nsISecurityWarningDialogs.  quite easy too.

Comment 6

[Doug Turner (:dougt)]

spoke too soon.  not that easy. that interface requester fans out a bit.

Comment 7

[Doug Turner (:dougt)]

spoke to jesse, dveditz, and lucas.

i think we all agreed that this dialog was not very important as it is currently implemented.  jesse suggested it had lots of false positives.  It also looks like it is only ever displayed one time -- not per url.  Lucas mentioned there are bugs to improve this -- for example, XHR loads of http content that get eval'ed are not monitored.

For this bug, we believe it is fine to set the security.warn_viewing_mixed pref to false in Fennec.

Comment 8

[Matt Brubeck (:mbrubeck)]

Attachment: patch

Comment 9

[Doug Turner (:dougt)]

Comment on attachment 496269 [details] [diff] [review]
patch

// Broken in e10s

to

// Warning is disabled.  See Bug 616712.

Comment 10

[Matt Brubeck (:mbrubeck)]

Pushed with comment change: http://hg.mozilla.org/mobile-browser/rev/32803bacba02

Comment 11

[Anna (Waverley)]

Ehsan Akhgari, can you provide the Build Id for this reported bug and the device? It seems to be verified fixed now, but I also have to be sure I could reproduce this issue on my device

Comment 12

[Kevin Brosnan [Ex-Mozilla]]

Verified the pref change - Mozilla/5.0 (Android; Linux armv7l; rv:2.1.1) Gecko/20110415 Firefox/4.0.2pre Fennec/4.0.1 ID:20110415172201