Closed Bug 1172234 Opened 9 years ago Closed 6 years ago

HTTPS atom feeds pages are not displayed with certificate and padlock

Categories

(Firefox :: Address Bar, defect, P5)

defect

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: rpnpif, Unassigned)

References

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.7.0
Build ID: 20150513050015

Steps to reproduce:

Visit these sites :
https://fr.wikipedia.org/w/api.php?action=featuredfeed&feed=featured&feedformat=atom
or this :
http://linuxfr.org/news.atom



Actual results:

The certificate is ignored or not recognized. It is not displayed.
The page is wrongly displayed as it is not encrypted.

Other tests :
http://linuxfr.org/nodes/105959/comments/1607268
http://linuxfr.org/nodes/105959/comments/1607269



Expected results:

The certificate should be displayable.
The pad lock should be displayed.
Chromium displayed both the padlock and the certificate.
Sorry, but the second test site is https://linuxfr.org/news.atom with https.
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
This doesn't need to be security-sensitive.
Group: core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → Location Bar
Ever confirmed: true
Hi, I too am experiencing this with the RSS feed of my own site: https://ao2.it/en/feed

HTTPS works fine for the other contents but apparently it fails for the feed, can this be related to the content type being application/xhtml+xml ?

Please find attached an image which shows how the UI displays the connection status, it is VERY confusing.

There is no mixed content over http and https in this case but Firefox still says "Connection is not Secure".

Even if the communication was actually using HTTPS under the hood, Firefox says "Connection not Encrypted" also in the technical details.

Other browsers do not have this weird behavior, so I guess the server configuration is OK.

Thanks,
   Antonio
The issue is still present in Firefox 45
The issue is still present in Firefox 46
The issue is still present in Firefox 47
Version: 31 Branch → Trunk
Still there in Firefox 49.

I know it's a minor issue but it's also kinda weird :)
And I verified this happens on Windows too, so the "Platform" field should be updated (I can't do it).

Thanks,
  Antonio
This is because the content is loaded in a page called about:feeds, and that's what the identity popup uses to make decisions. It no longer has access to the security info of the original https channel, and so it can't tell us anything about the cert or otherwise.

Fixing this would require rearchitecturing the entire rss reader infrastructure, or fetching and keeping a reference to the ssl info somewhere and then plugging it in somewhere else, making sure to throw it away when done because it probably keeps other crap alive so there's a risk of leaks, which is also a lot of work.

RSS is dying and if you open an RSS link the content does not really have a lot of control over what you see (so spoofing risk is pretty minimal), can't run script, and you'll likely have come to the content from another same-domain page. As a result, I don't think this is important and I'm marking as P5, meaning if someone wrote the patch we'd take it, but I and others at Mozilla are unlikely to work on it.
OS: Linux → All
Priority: -- → P5
Hardware: x86_64 → All
Hi Gijs, thanks for the explanation.

I don't know if I'll ever work on that myself, but I was imagining that one possible way to tackle the issue could be to have an option to disable the feed reader altogether and just show the XML content directly from the https URL, with no "special treatment".

What do you think? Would that be less work?

Thanks,
   Antonio
(In reply to Antonio Ospite from comment #10)
> option to disable the
> feed reader altogether and just show the XML content directly from the https
> URL, with no "special treatment".

You can already configure alternative feed readers, from the web (e.g. yahoo or newsblur or the like) or using an app (e.g. thunderbird).

If we add a separate option to disable the feed reader it will be because we're aiming to remove it completely.
(In reply to :Gijs Kruitbosch from comment #11)
> (In reply to Antonio Ospite from comment #10)
> > option to disable the
> > feed reader altogether and just show the XML content directly from the https
> > URL, with no "special treatment".
> 
> You can already configure alternative feed readers, from the web (e.g. yahoo
> or newsblur or the like) or using an app (e.g. thunderbird).
>

Sure, but I was thinking only about resolving the ambiguity in the address bar.

> If we add a separate option to disable the feed reader it will be because
> we're aiming to remove it completely.

I was hinting at that too :)

Thanks,
  Antonio
This bug still exists in Firefox 51.0.1. Source: https://github.com/edavis/hnrss/issues/10
Hi, maybe this bug is also affecting Thunderbird? How can we disable the special treatment without specifying any feed handler, i.e. treat it like a normal webpage?
See Also: → 1471137
Fixed by removing feed preview.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: