Closed Bug 912817 Opened 11 years ago Closed 11 years ago

Mixed display-only pages showing the wrong text

Categories

(Firefox :: Security, defect)

26 Branch
defect
Not set
normal

Tracking

VERIFIED FIXED
Firefox 26
Tracking Status
firefox26 + verified

People

(Reporter: tanvi, Assigned: tanvi)

References

(Blocks 1 open bug, )

Details

Attachments

(2 files, 1 obsolete file)

This is a regression from bug 865352.

1) Go to https://people.mozilla.com/~tvyas/mixeddisplay.html
2) You see a grey triangle as you should (from bug 865352).  And a message in the webconsole indicating that mixed display content was loaded:
Loading mixed (insecure) display content on a secure page "http://cisforcookie.org/CookieMonster.jpg" @ https://people.mozilla.com/~tvyas/mixeddisplay.html
3) Click on the grey triangle and you see the following message:
Interactive content (such as script) that isn't encrypted has been blocked for your protection.

What you should see is the following:
The connection to this website is not fully secure because it contains unencrypted elements (such as images).

The wrong identity string is being used - http://mxr.mozilla.org/mozilla-central/source/browser/locales/en-US/chrome/browser/browser.properties#261

If I remove the "mixedDisplayContent" class from this line of code, then I get the right message:
https://mxr.mozilla.org/mozilla-central/source/browser/base/content/browser.js#6366

This makes no sense, since the mixedDisplayContent class was added as part of bug 865352 and is only tied to the icon, not the text.  The text is determined by the encryptionLabel defined here:
https://mxr.mozilla.org/mozilla-central/source/browser/base/content/browser.js#6375

Aside from not making sense, I can't just remove the mixedDisplayContent text from that line because then pages with mixed display loaded and mixed active blocked will show the grey globe instead of the grey triangle (ex: https://people.mozilla.com/~tvyas/mixedboth.html).

Will dig into this more tomorrow.  But it needs to be fixed in Firefox 26, or else we will have to revert bug 865352.

+++ This bug was initially created as a clone of Bug #909920 +++
As seen here https://mxr.mozilla.org/mozilla-central/source/browser/base/content/browser.js#6389 IDENTITY_MODE_MIXED_DISPLAY_LOADED is associated to this string:
identity.mixed_display_loaded=The connection to this website is not fully secure because it contains unencrypted elements (such as images).

And as seen here https://mxr.mozilla.org/mozilla-central/source/browser/base/content/browser.js#6393 IDENTITY_MODE_MIXED_DISPLAY_LOADED_ACTIVE_BLOCKED is associated to this string:
identity.mixed_display_loaded_active_blocked=Interactive content (such as script) that isn't encrypted has been blocked for your protection.

The problem in this bug seems to occur when both IDENTITY_MODE_MIXED_DISPLAY_LOADED and IDENTITY_MODE_MIXED_DISPLAY_LOADED_ACTIVE_BLOCKED have the same css modes:

IDENTITY_MODE_MIXED_DISPLAY_LOADED                   : "unknownIdentity mixedContent mixedDisplayContent",  
IDENTITY_MODE_MIXED_DISPLAY_LOADED_ACTIVE_BLOCKED    : "unknownIdentity mixedContent mixedDisplayContent", 

When they both have the same css modes, they both get associated with this string:
identity.mixed_display_loaded_active_blocked=Interactive content (such as script) that isn't encrypted has been blocked for your protection.

If I remove "mixedDisplayContent" from both of them, then we get the same result.

The only way to get them to associate to their correct strings is if their css modes are not exactly the same.  I am unclear on why this is the case, but I have created a patch that solves the problem by creating a new css class mixedDisplayContent2 that is identical to mixedDisplayContent, but allows us to make the css modes different for each of these.

Jared, your thoughts on this would be greatly appreciated :)  Thanks!
Assignee: nobody → tanvi
Status: NEW → ASSIGNED
Attachment #801730 - Flags: review?(jaws)
Comment on attachment 801730 [details] [diff] [review]
Add a new class for Mixed Display Loaded with Mixed Active Blocked

Review of attachment 801730 [details] [diff] [review]:
-----------------------------------------------------------------

::: browser/base/content/browser.js
@@ +6289,5 @@
>    IDENTITY_MODE_DOMAIN_VERIFIED                        : "verifiedDomain",   // Minimal SSL CA-signed domain verification
>    IDENTITY_MODE_UNKNOWN                                : "unknownIdentity",  // No trusted identity information
>    IDENTITY_MODE_MIXED_DISPLAY_LOADED                   : "unknownIdentity mixedContent mixedDisplayContent",  // SSL with unauthenticated display content
>    IDENTITY_MODE_MIXED_ACTIVE_LOADED                    : "unknownIdentity mixedContent mixedActiveContent",  // SSL with unauthenticated active (and perhaps also display) content
> +  IDENTITY_MODE_MIXED_DISPLAY_LOADED_ACTIVE_BLOCKED    : "unknownIdentity mixedContent mixedDisplayContent2",  // SSL with unauthenticated display content; unauthenticated active content is blocked.
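
Review bot: On the added IDENTITY_MODE_MIXED_DISPLAY_LOADED_ACTIVE_BLOCKED line, the value replaces mixedDisplayContent with mixedDisplayContent2 instead of adding to it, so every existing rule keyed on .mixedDisplayContent stops matching this mode and has to be copied for the new class. Consider keeping mixedDisplayContent in the string and appending a second, descriptively named class, so the two mode strings differ while the shared styling still applies. The numeric suffix gives no hint of what distinguishes this mode from IDENTITY_MODE_MIXED_DISPLAY_LOADED, and the trailing comment would be a good place to state that the two strings must not be identical.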

mixedDisplayContent2 doesn't explain why it is different than mixedDisplayContent. This bug is happening because the hash for the _encryptionLabel strings are the same, so changing any of the characters in this would fix the issue.

We should instead introduce another class here that explains that mixed display content has been loaded.

IDENTITY_MODE_MIXED_DISPLAY_LOADED_ACTIVE_BLOCKED: "unknownIdentity mixedContent mixedDisplayContent mixedDisplayContentLoaded",

::: browser/themes/osx/browser.css
@@ +1403,5 @@
>    .mixedDisplayContent > #page-proxy-favicon[pageproxystate="valid"] {
>      list-style-image: url(chrome://browser/skin/identity-icons-https-mixed-display@2x.png);
>    }
>  
> +  .mixedDisplayContent2 > #page-proxy-favicon[pageproxystate="valid"] {
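
Review bot: The added .mixedDisplayContent2 selector repeats the .mixedDisplayContent > #page-proxy-favicon[pageproxystate="valid"] rule directly above it, and the same copy is then needed wherever that icon rule appears; a missed copy leaves this mode without the triangle icon in that theme or resolution. Adding the new class to the existing rule's selector list, or keeping mixedDisplayContent on the element alongside the new class, avoids maintaining two rule bodies.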

Then these can use .mixedDisplayContentLoaded > ...
Attachment #801730 - Flags: review?(jaws) → feedback+
The two cases here are
1) mixed display content loaded on a page that has no mixed active content (either loaded or blocked)
2) mixed display content loaded on a page that has mixed active content blocked.

For 1), we can continue to use the mixedDisplayContent class.  For 2), I created a mixedDisplayContentLoadedActiveBlocked class.

Thanks Jared!
Attachment #801730 - Attachment is obsolete: true
Attachment #801852 - Flags: review?(jaws)
Attachment #801852 - Flags: review?(jaws) → review+
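
The key collision discussed in the review above, as an added example (not code from the patch or from browser.js). It assumes a simplified model in which the label table is a plain object keyed by the mode's class string; the helper names and the full class string used for the fixed mode are hypothetical, built from the class name given in the comment above.

```javascript
// Constructed sample data: the two label strings quoted in this bug.
const LABELS = {
  displayLoaded: "The connection to this website is not fully secure because it contains unencrypted elements (such as images).",
  activeBlocked: "Interactive content (such as script) that isn't encrypted has been blocked for your protection.",
};

// "Before": both modes carry the identical class string, as reported.
const MODES_BEFORE = {
  IDENTITY_MODE_MIXED_DISPLAY_LOADED: "unknownIdentity mixedContent mixedDisplayContent",
  IDENTITY_MODE_MIXED_DISPLAY_LOADED_ACTIVE_BLOCKED: "unknownIdentity mixedContent mixedDisplayContent",
};

// "After": the second mode gets its own class (exact string is an assumption).
const MODES_AFTER = {
  IDENTITY_MODE_MIXED_DISPLAY_LOADED: "unknownIdentity mixedContent mixedDisplayContent",
  IDENTITY_MODE_MIXED_DISPLAY_LOADED_ACTIVE_BLOCKED: "unknownIdentity mixedContent mixedDisplayContentLoadedActiveBlocked",
};

// Assumed model of the label table: keyed by the mode's class string, so a
// second write with an identical key silently replaces the first.
function buildEncryptionLabels(modes) {
  const table = {};
  table[modes.IDENTITY_MODE_MIXED_DISPLAY_LOADED] = LABELS.displayLoaded;
  table[modes.IDENTITY_MODE_MIXED_DISPLAY_LOADED_ACTIVE_BLOCKED] = LABELS.activeBlocked;
  return table;
}

// Label the identity panel would show for a given mode name.
function labelFor(modes, modeName) {
  return buildEncryptionLabels(modes)[modes[modeName]];
}

// Regression guard: return groups of mode names whose values are identical
// and would therefore share one entry in any table keyed by the value.
function findCollidingModes(modes) {
  const byValue = new Map();
  for (const [name, value] of Object.entries(modes)) {
    byValue.set(value, [...(byValue.get(value) || []), name]);
  }
  return [...byValue.values()].filter((names) => names.length > 1);
}

console.log(labelFor(MODES_BEFORE, "IDENTITY_MODE_MIXED_DISPLAY_LOADED"));
console.log(labelFor(MODES_AFTER, "IDENTITY_MODE_MIXED_DISPLAY_LOADED"));
console.log(findCollidingModes(MODES_BEFORE));
```

A check like findCollidingModes in a test keeps a later mode addition from reintroducing a security indicator that shows the wrong explanation.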
Thanks Jared!

Accidentally pushed and quickly backed out the wrong patch: https://hg.mozilla.org/integration/mozilla-inbound/rev/690752e6d8a3
Backout: https://hg.mozilla.org/integration/mozilla-inbound/rev/4a6ac4c0ab58

And then pushed to inbound again with the correct patch: https://hg.mozilla.org/integration/mozilla-inbound/rev/e9a2e269aa9e
https://hg.mozilla.org/mozilla-central/rev/e9a2e269aa9e
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → Firefox 26
OS: Mac OS X → All
Hardware: x86 → All
I confirm the fix is verified on Latest Nightly 26 (Windows 7, Ubuntu 13.04 and Mac OS 10.7.5)
Status: RESOLVED → VERIFIED
QA Contact: mihai.morar