1066103 - Mixed Active Content Security is excessive and blocks legitimate use cases

Status: RESOLVED INCOMPLETE

(Core :: DOM: Security, defect)

Description

[Frédéric van der Essen]

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36

Steps to reproduce:

Hi we are developping an Open Source Point of Sale web application which needs to access devices on the local network via HTTP XmlHttpRequests. Those requests are blocked by the Mixed Active Content Security if we serve our web application over HTTPS. As those requests are being sent to raw ip addresses, usage of HTTPS is not possible. 

While I understand the need for the security measure, I believe that in this case it is counter productive. The loaded code comes from a trusted source, the HTTP requests are expected,  and we can deploy our own security measures to avoid eavesdropping or data manipulation.

And without access to the devices, our web applications is completely useless, so we have no choice but to disable this security, this leaves us three choices, none of which are good:

1) Not support Firefox and tell our users to use something else
2) Tell them to disable mixed active content security via about:config 
3) Serve our web application over plain HTTP.

I would also like to add that absolutely nobody saw the little shield icon indicating that the requests have been blocked, there should be a better warning.

Comment 1

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

(In reply to Frédéric van der Essen from comment #0)
> As those requests are being sent to raw ip
> addresses, usage of HTTPS is not possible. 

Why not? Certificates can be issued with IP addresses in the subject alternative names extension.

Comment 2

[Christoph Kerschbaumer [:ckerschb]]

This doens't seem like a Firefox bug and there hasn't been any progress within more than one year. Closing this one as INCOMPLETE.