Closed
Bug 1082536
Opened 11 years ago
Closed 9 years ago
Visiting this non-HTTPS site (www.newsbeast.gr) shows a grey triangle with an exclamation point to the left of the awesomebar
Categories
(Core :: DOM: Security, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: rick3162, Unassigned)
Details
(Whiteboard: [domsecurity-backlog])
Attachments
(1 file)
|
4.01 KB,
image/png
|
Details |
2015-02-17_155246.png
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141011015303
Steps to reproduce:
Visit the site http://www.newsbeast.gr/
Actual results:
A grey triangle with an exclamation point appears to the left of the awesomebar box.
Expected results:
Since the site is not HTTPS, this should not happen.
|
||
Comment 2•11 years ago
|
||
It loads an https iframe which itself loads http content ( https://cheapis.gr/widget/cheapis300.html?category ), so this makes sense to me, tbh...
Component: Untriaged → DOM: Security
OS: Windows 8.1 → All
Product: Firefox → Core
Hardware: x86_64 → All
Here is a screenshot of what appears in Firefox when clicking the gray warning triangle (Site Identity Button).
Based on https://developer.mozilla.org/en-US/docs/Security/MixedContent
> When a user visits a page served over HTTPS, their connection with the web server
> is encrypted with TLS and hence safeguarded from sniffers
> and man-in-the-middle attacks.
>
> If the HTTPS page includes content retrieved through regular, cleartext HTTP,
> then the connection is only partially encrypted: the unencrypted content
> is accessible to sniffers and can be modified by man-in-the-middle attackers,
> and therefore the connection is not safeguarded anymore.
> When a webpage exhibits this behavior, it is called a mixed content page.
and https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure#w_gray-warning-triangle
if I got this right,
"mixed content" is a page where it's URL starts with https://, but includes regular HTTP content.
But, in this case, it's the opposite: http:// URL with some https content (an iframe).
Therefore, I think that it shouldn't be considered as mixed content.
And, just for the record, I've tried IE11, Chrome 40 and Opera 27
and they all display the page as "not encrypted".
|
||
Comment 4•9 years ago
|
||
This on is also quite old. Kamil, Matt can someone have a look what's the state of the testcase and paste relevant console output as well as what's the state of the URL bar? Thanks
Flags: needinfo?(mwobensmith)
Flags: needinfo?(kjozwiak)
|
|
||
Updated•9 years ago
|
Whiteboard: [domsecurity-backlog]
|
||
Updated•9 years ago
|
QA Contact: kjozwiak
|
|
||
Comment 5•9 years ago
|
||
Attempted to reproduce the issue using the following build:
* https://archive.mozilla.org/pub/firefox/releases/33.0/mac/en-US/ (BuildID: 20141011015303)
Went through verification using the following builds:
* https://archive.mozilla.org/pub/firefox/nightly/2016/03/2016-03-18-03-02-36-mozilla-central/
* https://archive.mozilla.org/pub/firefox/nightly/2016/03/2016-03-18-00-40-08-mozilla-aurora/
* https://archive.mozilla.org/pub/firefox/candidates/46.0b2-candidates/build3/mac/en-US/
* https://archive.mozilla.org/pub/firefox/releases/45.0.1/mac/en-US/
Results:
* fx48.0a1 - PASSED
** lock icon with the strikethrough indicating an insecure login and the control center indicating that the connection isn't secure
* fx47.0a2 - PASSED
** lock icon with the strikethrough indicating an insecure login and the control center indicating that the connection isn't secure
* fx46.0b2 - PASSED
** exclamation mark in a circle indicating that the website is being not secure (being loaded via http://)
* fx45.0.1- PASSED
** exclamation mark in a circle indicating that the website is being not secure (being loaded via http://)
Chris, I don't think this is an issue anymore. I couldn't reproduce the original problem using fx33.0 so I'm guessing the website has changed since 2014. I loaded the website several times in fx48.0a1, fx47.0a2, fx46.0b2 and fx45.0.1 and never received a mixed content indicator which seems like the correct behaviour as the website uses http://. On m-c and m-a, we do get the lock icon with the strikethrough indicating an insecure login but never receive a mixed content indicator which is expected.
Flags: needinfo?(mwobensmith)
Flags: needinfo?(mozilla)
Flags: needinfo?(kjozwiak)
|
|
||
Comment 6•9 years ago
|
||
(In reply to Kamil Jozwiak [:kjozwiak] from comment #5)
> Chris, I don't think this is an issue anymore.
Thanks Kamil.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(mozilla)
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•