Bug 1114316: [e10s] Mixed content indicator does not show up on webmaker.org/privacy-makes
Status: RESOLVED DUPLICATE of bug 764496
Opened 10 years ago, closed 10 years ago
Categories: Core :: Security (defect)
People: Reporter: sjakthol, Unassigned
Attachments: 2 files
Steps to reproduce:
1. Open web console.
2. Go to https://webmaker.org/privacy-makes
What happens:
- Console contains multiple mixed content warnings.
- Extended Verification indicator is shown in the urlbar.
What should happen:
- Console contains multiple mixed content warnings.
- Mixed content badge is shown in the URL bar.
Some considerations:
- Mixed content is included as background-image urls: <div style="background-image: url(http://...);"/>
- The site uses an EV certificate. I was not able to reproduce this locally with a Domain Validated certificate, so a toplevel EV cert might be required to trigger this.
- This only happens in e10s windows, non-e10s works fine.
Attached a screenshot that shows the state of the UI. I'll try to come up with a more reliable test case than a page that might be fixed at any moment.
Comment 1 • Reporter • 10 years ago
Here's a test document with a similar style="background-image: url(http://...)" declaration as the one in webmaker.org/privacy-makes which might trigger this bug.
Comment 2 • Reporter • 10 years ago
The previous attachment does not seem to trigger the bug with a non-EV certificate (as can be seen by opening it). I don't have a way to test that on a site with an EV certificate. However, if I use the inspector to replace the contents of this page with the test document, the issue is triggered.
If someone could upload the mixed-background-image-url.html to a site with an EV certificate (e.g. people.mozilla.org), it should provide a way to reproduce this bug reliably.
Comment 3 • Reporter • 10 years ago
Further investigation shows that there are differences in the security state flags between e10s and non-e10s windows.
Without e10s the security flags are:
STATE_IS_SECURE: 0
STATE_IS_BROKEN: 1
STATE_IS_INSECURE: 0
STATE_IDENTITY_EV_TOPLEVEL: 0
With e10s the security flags are:
STATE_IS_SECURE: 0
STATE_IS_BROKEN: 1
STATE_IS_INSECURE: 0
STATE_IDENTITY_EV_TOPLEVEL: 1048576
The e10s security state contains the STATE_IDENTITY_EV_TOPLEVEL flag, which the UI prioritizes over STATE_IS_BROKEN, causing the EV indicator to be shown instead of the broken badge.[1]
[1] http://dxr.mozilla.org/mozilla-central/source/browser/base/content/browser.js#7006
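The flag comparison from comment 3, worked through as an added example (not part of the original bug thread, and not Firefox's browser.js code). The function names are hypothetical; the broken-first ordering and the "EV implies secure" check are assumptions drawn from the non-e10s values above, not the patch from bug 764496.

```javascript
// Added example: a model of the indicator choice, not Firefox source.
// Flag values are the nsIWebProgressListener constants; the masked values
// quoted in comment 3 (1 and 1048576) correspond to the first and last one.
const STATE_IS_BROKEN = 0x00000001;
const STATE_IS_SECURE = 0x00000002;
const STATE_IS_INSECURE = 0x00000004;
const STATE_IDENTITY_EV_TOPLEVEL = 0x00100000;

const FLAGS = { STATE_IS_SECURE, STATE_IS_BROKEN, STATE_IS_INSECURE,
                STATE_IDENTITY_EV_TOPLEVEL };

// Render a state bitmask in the "FLAG: masked value" form used in comment 3.
function dumpState(state) {
  return Object.entries(FLAGS).map(([name, bit]) => `${name}: ${state & bit}`);
}

// Precedence as described in comment 3: the EV flag is tested before BROKEN.
function indicatorEvFirst(state) {
  if (state & STATE_IDENTITY_EV_TOPLEVEL) return "ev";
  if (state & STATE_IS_SECURE) return "secure";
  if (state & STATE_IS_BROKEN) return "mixed-content";
  return "none";
}

// Hypothetical fail-safe ordering: a degraded state always wins over identity.
function indicatorBrokenFirst(state) {
  if (state & STATE_IS_BROKEN) return "mixed-content";
  if (state & STATE_IDENTITY_EV_TOPLEVEL) return "ev";
  if (state & STATE_IS_SECURE) return "secure";
  return "none";
}

// Assumed invariants a UI test could assert on every state it receives.
function stateAnomalies(state) {
  const out = [];
  const levels = [STATE_IS_SECURE, STATE_IS_BROKEN, STATE_IS_INSECURE]
    .filter((bit) => state & bit).length;
  if (levels !== 1) out.push("expected exactly one of SECURE/BROKEN/INSECURE");
  if ((state & STATE_IDENTITY_EV_TOPLEVEL) && !(state & STATE_IS_SECURE)) {
    out.push("EV flag set without STATE_IS_SECURE");
  }
  return out;
}

// The two states reported in comment 3, rebuilt from the listed flag values.
const nonE10s = STATE_IS_BROKEN;
const e10s = STATE_IS_BROKEN | STATE_IDENTITY_EV_TOPLEVEL;

console.log(dumpState(e10s).join("\n"));
console.log(indicatorEvFirst(e10s), indicatorBrokenFirst(e10s), stateAnomalies(e10s));
```

Running `stateAnomalies` over every state change in a UI test would flag the e10s state directly, independent of which indicator ends up being drawn.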
Comment 4 • Reporter • 10 years ago
Found bug 764496, tested the patch there and it fixes this issue.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE