Closed
Bug 1172234
Opened 9 years ago
Closed 5 years ago
HTTPS atom feeds pages are not displayed with certificate and padlock
Categories
(Firefox :: Address Bar, defect, P5)
Firefox
Address Bar
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: rpnpif, Unassigned)
References
Details
Attachments
(1 file)
|
90.64 KB,
image/png
|
Details |
firefox_44.0.1_https_feed_2016-02-10 23-27-09.png
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.7.0 Build ID: 20150513050015 Steps to reproduce: Visit these sites : https://fr.wikipedia.org/w/api.php?action=featuredfeed&feed=featured&feedformat=atom or this : http://linuxfr.org/news.atom Actual results: The certificate is ignored or not recognized. It is not displayed. The page is wrongly displayed as it is not encrypted. Other tests : http://linuxfr.org/nodes/105959/comments/1607268 http://linuxfr.org/nodes/105959/comments/1607269 Expected results: The certificate should be displayable. The pad lock should be displayed. Chromium displayed both the padlock and the certificate.
Sorry, but the second test site is https://linuxfr.org/news.atom with https.
|
||
Comment 2•9 years ago
|
||
This doesn't need to be security-sensitive.
Group: core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → Location Bar
Ever confirmed: true
|
||
Comment 3•8 years ago
|
||
Hi, I too am experiencing this with the RSS feed of my own site: https://ao2.it/en/feed HTTPS works fine for the other contents but apparently it fails for the feed, can this be related to the content type being application/xhtml+xml ? Please find attached an image which shows how the UI displays the connection status, it is VERY confusing. There is no mixed content over http and https in this case but Firefox still says "Connection is not Secure". Even if the communication was actually using HTTPS under the hood, Firefox says "Connection not Encrypted" also in the technical details. Other browsers do not have this weird behavior, so I guess the server configuration is OK. Thanks, Antonio
|
|
||
Comment 4•8 years ago
|
||
The issue is still present in Firefox 45
|
|
||
Comment 5•8 years ago
|
||
The issue is still present in Firefox 46
|
|
||
Comment 6•8 years ago
|
||
The issue is still present in Firefox 47
|
|
||
Comment 7•8 years ago
|
||
Still there in Firefox 49. I know it's a minor issue but it's also kinda weird :)
|
|
||
Comment 8•8 years ago
|
||
And I verified this happens on Windows too, so the "Platform" field should be updated (I can't do it). Thanks, Antonio
|
|
||
Comment 9•8 years ago
|
||
This is because the content is loaded in a page called about:feeds, and that's what the identity popup uses to make decisions. It no longer has access to the security info of the original https channel, and so it can't tell us anything about the cert or otherwise. Fixing this would require rearchitecturing the entire rss reader infrastructure, or fetching and keeping a reference to the ssl info somewhere and then plugging it in somewhere else, making sure to throw it away when done because it probably keeps other crap alive so there's a risk of leaks, which is also a lot of work. RSS is dying and if you open an RSS link the content does not really have a lot of control over what you see (so spoofing risk is pretty minimal), can't run script, and you'll likely have come to the content from another same-domain page. As a result, I don't think this is important and I'm marking as P5, meaning if someone wrote the patch we'd take it, but I and others at Mozilla are unlikely to work on it.
OS: Linux → All
Priority: -- → P5
Hardware: x86_64 → All
|
|
||
Comment 10•8 years ago
|
||
Hi Gijs, thanks for the explanation. I don't know if I'll ever work on that myself, but I was imagining that one possible way to tackle the issue could be to have an option to disable the feed reader altogether and just show the XML content directly from the https URL, with no "special treatment". What do you think? Would that be less work? Thanks, Antonio
|
|
||
Comment 11•8 years ago
|
||
(In reply to Antonio Ospite from comment #10) > option to disable the > feed reader altogether and just show the XML content directly from the https > URL, with no "special treatment". You can already configure alternative feed readers, from the web (e.g. yahoo or newsblur or the like) or using an app (e.g. thunderbird). If we add a separate option to disable the feed reader it will be because we're aiming to remove it completely.
|
|
||
Comment 12•8 years ago
|
||
(In reply to :Gijs Kruitbosch from comment #11) > (In reply to Antonio Ospite from comment #10) > > option to disable the > > feed reader altogether and just show the XML content directly from the https > > URL, with no "special treatment". > > You can already configure alternative feed readers, from the web (e.g. yahoo > or newsblur or the like) or using an app (e.g. thunderbird). > Sure, but I was thinking only about resolving the ambiguity in the address bar. > If we add a separate option to disable the feed reader it will be because > we're aiming to remove it completely. I was hinting at that too :) Thanks, Antonio
|
||
Comment 13•7 years ago
|
||
This bug still exists in Firefox 51.0.1. Source: https://github.com/edavis/hnrss/issues/10
|
||
Comment 14•6 years ago
|
||
Hi, maybe this bug is also affecting Thunderbird? How can we disable the special treatment without specifying any feed handler, i.e. treat it like a normal webpage?
|
|
||
Comment 15•5 years ago
|
||
Fixed by removing feed preview.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•