Closed Bug 1114316 Opened 9 years ago Closed 9 years ago

[e10s] Mixed content indicator does not show up on webmaker.org/privacy-makes

Categories

(Core :: Security, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 764496

People

(Reporter: sjakthol, Unassigned)

Attachments

(2 files)

Steps to reproduce:
1. Open web console.
2. Go to https://webmaker.org/privacy-makes

What happens:
- Console contains multiple mixed content warnings.
- Extended Verification indicator is shown in the urlbar.

What should happen:
- Console contains multiple mixed content warnings.
- Mixed content badge is shown in the URL bar.

Some considerations:
- Mixed content is included as background-image urls: <div style="background-image: url(http://...);"/>
- The site uses an EV certificate. I was not able to reproduce this locally with a Domain Validated certificate, so a top-level EV cert might be required to trigger this.
- This only happens in e10s windows, non-e10s works fine.

Attached a screenshot that shows the state of the UI. I'll try to come up with a more reliable test case than a page that might be fixed at any moment.

Here's a test document with a similar style="background-image: url(http://...)" declaration as the one in webmaker.org/privacy-makes which might trigger this bug.

The previous attachment does not seem to trigger the bug with a non-EV certificate (as can be seen by opening it). I don't have a way to test that on a site with an EV certificate. However, if I use the inspector to replace the contents of this page with the test document the issue is triggered.

If someone could upload the mixed-background-image-url.html to a site with an EV certificate (e.g. people.mozilla.org) it should provide a way to reproduce this bug reliably.

Further investigation shows that there are differences in the security state flags between e10s and non-e10s windows.

Without e10s the security flags are:
STATE_IS_SECURE: 0
STATE_IS_BROKEN: 1
STATE_IS_INSECURE: 0
STATE_IDENTITY_EV_TOPLEVEL: 0

With e10s the security flags are:
STATE_IS_SECURE: 0
STATE_IS_BROKEN: 1
STATE_IS_INSECURE: 0
STATE_IDENTITY_EV_TOPLEVEL: 1048576

The e10s security state contains the STATE_IDENTITY_EV_TOPLEVEL flag, which the UI prioritizes over STATE_IS_BROKEN, causing the EV indicator to be shown instead of the broken badge.[1]

[1] http://dxr.mozilla.org/mozilla-central/source/browser/base/content/browser.js#7006
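
The two flag dumps in the comment above, worked through as an added example (not part of the original report and not Firefox's browser.js code). The indicator names, function names and the consistency rule are hypothetical; the values of STATE_IS_SECURE and STATE_IS_INSECURE are assumed from nsIWebProgressListener, while the other two match the output quoted above.

```javascript
// Simplified model of the behaviour described in the report (assumption,
// not the real UI code). Flag values as in nsIWebProgressListener.
const Flags = {
  STATE_IS_BROKEN: 0x1,
  STATE_IS_SECURE: 0x2,               // assumed value
  STATE_IS_INSECURE: 0x4,             // assumed value
  STATE_IDENTITY_EV_TOPLEVEL: 0x100000, // 1048576, as in the e10s dump
};

// Reproduce the per-flag dump from the report: state & flag for each flag.
function dumpState(state) {
  const out = {};
  for (const [name, bit] of Object.entries(Flags)) out[name] = state & bit;
  return out;
}

// Ordering described in the report: EV is tested before broken.
function indicatorEvFirst(state) {
  if (state & Flags.STATE_IDENTITY_EV_TOPLEVEL) return "ev";
  if (state & Flags.STATE_IS_SECURE) return "secure";
  if (state & Flags.STATE_IS_BROKEN) return "mixed-content";
  return "none";
}

// Defensive ordering (hypothetical): a broken state always wins.
function indicatorBrokenFirst(state) {
  if (state & Flags.STATE_IS_BROKEN) return "mixed-content";
  if (state & Flags.STATE_IDENTITY_EV_TOPLEVEL) return "ev";
  if (state & Flags.STATE_IS_SECURE) return "secure";
  return "none";
}

// Sanity check (assumed rule): exactly one of BROKEN/SECURE/INSECURE is set,
// and the EV identity flag only ever accompanies SECURE.
function isInconsistent(state) {
  const { STATE_IS_BROKEN: b, STATE_IS_SECURE: s, STATE_IS_INSECURE: i,
          STATE_IDENTITY_EV_TOPLEVEL: ev } = Flags;
  const levels = [b, s, i].filter((bit) => state & bit).length;
  return levels !== 1 || Boolean((state & ev) && !(state & s));
}

// Constructed samples mirroring the two dumps in the report.
const NON_E10S = Flags.STATE_IS_BROKEN;
const E10S = Flags.STATE_IS_BROKEN | Flags.STATE_IDENTITY_EV_TOPLEVEL;
```

A check like `isInconsistent` is useful as a test assertion on whatever state the content process forwards to the UI, since it catches the contradictory BROKEN plus EV combination regardless of which order the UI tests the flags in.
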

Found bug 764496, tested the patch there and it fixes this issue.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE