Full HTTPS to HTTP redirects are considered mixed content

RESOLVED DUPLICATE of bug 1105470

Status

4 years ago
3 years ago

People

(Reporter: ohad188, Unassigned)

Tracking

37 Branch

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36

Steps to reproduce:

Visit a site that redirects (302) from HTTPS to HTTP. Most sites with Steam login exhibit this behavior as a Steam OpenID contains no private information and so there's no need to secure it once authentication is complete. For example: http://www.valvesoftware.com/linuxsurvey.php?action=login (you may need to log in again once the cookie is set to reproduce it).

A similar issue happens with https://slashdot.org/ which immediately redirects to https://slashdot.org/ though a different warning may be appropriate there (see https://bugzilla.mozilla.org/show_bug.cgi?id=952390). It is also more difficult to reproduce since FF reloads the page quickly after the mixed content warnings are displayed (due to the character encoding declaration not being present in the first 1024 bytes of the HTML).



Actual results:

Console shows "Mixed Content" warnings. Also happens in the nightly build with a new profile.


Expected results:

No "Mixed Content" warning should have been displayed. At no point in time is there any mixed content - there's secure content, and then there's a redirect, and then there's unsecure content. IE and Chrome do not present a warning in such circumstances.

Hello Ohad,

Do you still encounter this bug on Firefox 42.0 or Nightly 46.0a1?

Also, if you can still replicate, can you provide me with more precise steps so I can attempt to replicate?

Version 	46.0a1
Build ID 	20151215030221
User Agent 	Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0

Thank you,

Justin
Flags: needinfo?(ohad188)
(Reporter)

Comment 2

3 years ago
Hi Justin,

Yes, I still encounter it in Firefox 42.
To reproduce:
1. Open the Dev tools (default F12) and switch to the "Console" tab
2. Browse to http://www.valvesoftware.com/linuxsurvey.php?action=login
3. Sign in through Steam (you can create an account for free if you don't have one)
4. Observe the mixed content warnings in the Dev Console

Thanks,
Ohad
Flags: needinfo?(ohad188)

Ohad,

Thank you for the speedy reply!

I can replicate this bug and will send it up to a developer.

Thanks again,

Justin
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 4

3 years ago
Thanks Justin!

I'll stay tuned :)

Best,
Ohad
Component: Untriaged → Networking
Product: Firefox → Core
Component: Networking → Security: PSM

Tanvi, is this on your radar?
Flags: needinfo?(tanvi)

Comment 6

3 years ago
No, just seeing this now.


(In reply to Ohad Schneider from comment #0)
> Actual results:
> 
> Console shows "Mixed Content" warnings. Also happens in the nightly build
> with a new profile.
> 
Which part of the console shows the warnings?

There are two types of console warnings.

1) The ones in the security pane that look something like:
https://mdn.mozillademos.org/files/5261/blocked-mixed-content-errors.png

with messages like:
Blocked loading mixed active content "http://people.mozilla.com/~tvyas/cutepuppy.swf"[Learn More] mixedboth.html
Blocked loading mixed active content "http://people.mozilla.com/~tvyas/frame.html"[Learn More]
Loading mixed (insecure) display content "http://people.mozilla.org/~tvyas/FigureB.jpg" on a secure page[Learn More] mixedboth.html
Loading mixed (insecure) display content "http://people.mozilla.org/~tvyas/FigureC.jpg" on a secure page[Learn More] mixedboth.html


2) Or the ones in the Net pane that look something like:
https://mdn.mozillademos.org/files/3794/mixed_content_webconsole.jpg

with messages like:
GET  http://people.mozilla.org/~tvyas/FigureA.jpg [Mixed Content] [HTTP/1.1 200 OK 89ms]


If #2, I think this has to do with a bug in the webconsole where the url that is used for mixed content comparisons doesn't match the url in the address bar.  I will see if there is already a bug open on that.
Flags: needinfo?(ohad188)

Updated

3 years ago
Flags: needinfo?(tanvi)

Comment 7

3 years ago
If #2, this might be a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1105470.
(Reporter)

Comment 8

3 years ago
Thanks for looking into this Tanvi, it's indeed #2.
Flags: needinfo?(ohad188)
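
The mismatch suspected in comment 6, as an added illustration (not Firefox code and not written by anyone in this bug): each subresource request is labelled once against the first URL of a redirect chain and once against the URL the document finally loads from, which is what the address bar shows. The hostnames, request types and function names are constructed for the example, and only the URL scheme is compared.

```javascript
// Added illustration; not Firefox code. Simplified: only the URL scheme is
// compared, and the type list below is a small assumed subset.
const ACTIVE_TYPES = new Set(["script", "iframe", "object", "stylesheet", "xhr"]);

// A top-level navigation is a redirect chain; the document that finally
// embeds subresources is the LAST URL, which the address bar also shows.
function finalDocumentUrl(redirectChain) {
  return new URL(redirectChain[redirectChain.length - 1]);
}

// Label one subresource request relative to the embedding document's URL.
function classify(documentUrl, request) {
  const doc = new URL(documentUrl);
  const res = new URL(request.url);
  if (doc.protocol !== "https:") return "not-mixed"; // insecure page: nothing to mix
  if (res.protocol === "https:") return "not-mixed"; // secure subresource
  return ACTIVE_TYPES.has(request.type) ? "mixed-active" : "mixed-display";
}

// Label every request twice: against the URL the navigation started with
// (the suspected mismatch) and against the URL the document ended up at.
function labelRequests(redirectChain, requests) {
  const first = redirectChain[0];
  const last = finalDocumentUrl(redirectChain).href;
  return requests.map((r) => ({
    url: r.url,
    againstFirstUrl: classify(first, r),
    againstFinalUrl: classify(last, r),
  }));
}

// Constructed sample: an HTTPS login endpoint answers 302 to an HTTP page,
// which then loads its own HTTP subresources.
const chain = ["https://login.example/openid/return", "http://site.example/survey"];
const requests = [
  { url: "http://site.example/logo.jpg", type: "image" },
  { url: "http://site.example/app.js", type: "script" },
  { url: "https://cdn.example/font.woff", type: "font" },
];

const labels = labelRequests(chain, requests);
for (const l of labels) {
  console.log(l.url, "| first URL:", l.againstFirstUrl, "| final URL:", l.againstFinalUrl);
}
```

A page that really is served over HTTPS and embeds HTTP resources gets the same label from both comparisons, so only the redirect case separates them.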

Updated

3 years ago
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1105470