Closed Bug 1063390 Opened 10 years ago Closed 3 years ago

MIxed content notification disappears from one of Mozilla test pages (http://goo.gl/1VKLbp) .

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Version:
34 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: VarCat, Unassigned)

References

Details

Environment: FF 34 Build Id: 20140831030206 OS: Win 7 x64, Ubuntu 13.04 x64, Mac Os X 10.9.4 STR: 1. Go to https://people.mozilla.org/~mkelly/mixed_test.html 2. Disable protection from the mixed content notification. 3. Enable protection from the mixed content notification. Issue: The mixed content notification disappears.
Flags: qe-verify?
Flags: firefox-backlog+
Against current beta (33), if I click "Keep blocking" when the doorhanger first shows up, the icon also disappears immediately. Isn't this expected? (Philipp, please feel free to redirect this needinfo to whoever knows the UX design for this dialog)
Flags: needinfo?(philipp)
This issue is related with the new implementation of the mixed content shield notification that implementation did not reach FF 33.
Blocks: 1043803
It is expected in 33, but shouldn't happen in 34 (Aurora) anymore.
It is odd that this problem shows up for this mixed content iframe test page: https://people.mozilla.org/~mkelly/mixed_test.html But not this one: https://people.mozilla.org/~tvyas/mixediframe.html Or on a mixed script page: https://people.mozilla.com/~tvyas/mixedcontent.html I am looking into the issue.
The issue with this testcase https://people.mozilla.org/~mkelly/mixed_test.html is that it is trying to iframe http://cs.fit.edu page that has x-frame-options: SAMEORIGIN set. Hence, the x-frame-options code is blocking the load. (Using the same test case with other urls doesn't present the problem described in this bug.) Open the error console and load the test case. The first time around, the request to http://cs.fit.edu never goes out (it is blocked by Mixed Content Blocker) and hence we don't know the pages x-frame-options policy. Disable protection on the page and the webconsole will show that you are loading mixed content. After the Get request for cs.fit.edu, you see a JS error - "Load denied by X-Frame-Options: http://cs.fit.edu/ does not permit cross-origin framing." Then when you re-enable protection, there are no messages in the error console and the content doesn't load. Which code is blocking the load in this case? Mixed Content Blocker or X-Frame-Options? How come neither the the x-frame-options js error or the Mixed Content Blocker error show up? I suspect that in this case the X-Frame-Options code is at play and not the Mixed Content Blocker. Here's why - Open the console and go to https://people.mozilla.org/~tvyas/mixedcontent.html. You will see a message about blocked content. Refresh the page and you the message comes up again. Now open the console and go to http://people.mozilla.org/~mkelly/mixed_test.html (this is the HTTP version of the testcase, so Mixed Content Blocker isn't in play). The console shows the x-frame-options js error. Refresh the page; the error no longer shows up.

Site no longer active

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.