Open
Bug 1193718
Opened 10 years ago
Updated 3 years ago
After enabling protection on a mixed content site the site is displayed as secure when X-Frame-Options is used
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
NEW
People
(Reporter: VarCat, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog2])
Environment:
FF 42
Build Id: 20150811030206
OS: Win 7 x64
STR:
1. Go to https://people.mozilla.org/~mkelly/mixed_test.html
2. From Control Center subpanel "Disable Protection for now"
3. From Control Center subpanel "Enable protection"
Issue:
Instead of the mixed content with active content blocked icon( greenlock with gray exclamation mark) the secure content icon is displayed(greenlock).
Note:
After enabling protection you can no longer disable it from the subpanel.
|
Reporter | |
Updated•10 years ago
|
OS: Unspecified → All
Hardware: Unspecified → All
Summary: After enabling protection on a mixed content site the site is displayed as secure → [Control Center]After enabling protection on a mixed content site the site is displayed as secure
|
|
||
Comment 1•10 years ago
|
||
Great find, thanks Catalin!
Flags: qe-verify+
Flags: firefox-backlog?
Summary: [Control Center]After enabling protection on a mixed content site the site is displayed as secure → [Control Center] After enabling protection on a mixed content site the site is displayed as secure
Whiteboard: [fxprivacy]
|
|
||
Comment 2•10 years ago
|
||
This looks like a problem with the mixed content blocker. Tanvi, can you please take a look?
Flags: qe-verify+
Flags: needinfo?(tanvi)
Flags: firefox-backlog?
|
|
||
Comment 3•10 years ago
|
||
[Tracking Requested - why for this release]:
status-firefox42:
--- → affected
status-firefox43:
--- → affected
|
||
Updated•10 years ago
|
Flags: firefox-backlog?
|
||
Comment 4•10 years ago
|
||
This may have to do with the use of x-frame-options:
Load denied by X-Frame-Options: http://cs.fit.edu/ does not permit cross-origin framing.
Copying the html from the test case exactly and only changing the iframe to point to http://example.com instead of http://cs.fit.edu:
https://people.mozilla.org/~tvyas/mixediframe9.html
With this test case, enable and disable work just fine repeatedly.
The first time the user visits the site, mixed content blocks the frame load and we get the mixed content UI. A disable attempts the frame load and receives an X-Frame-Options header from the server. At this point, maybe the browser caches the fact that it can't iframe cs.fit.edu. Hence, when we reenable protection, the browser doesn't attempt the load. Hence the call to Mixed Content Blocker (and Content policies) doesn't happen for the frame after the protection is re-enabled and we don't get mixed UI.
This issue only happens when:
* mixed active content is blocked on the page
* the user disables protection
* the user reenables protection
* the only mixed active content that is present are one or more http iframes that have an X-Frame-Options header that denies the load.
It doesn't matter if protection is enabled or disabled; it doesn't matter if the user has turned off mixed content blocking completely, the http iframe will never load. Hence, this might be a won't fix.
The only think it would be nice to check is the caching behavior of X-Frame-Options and how that prevents a call to Content Policy.
Blocks: MixedContentBlocker
Flags: needinfo?(tanvi)
Summary: [Control Center] After enabling protection on a mixed content site the site is displayed as secure → [Control Center] After enabling protection on a mixed content site the site is displayed as secure when X-Frame-Options is used
|
|
||
Updated•10 years ago
|
Flags: firefox-backlog?
Whiteboard: [fxprivacy] → [fxprivacy] [triage]
|
|
||
Comment 5•10 years ago
|
||
Discussed with Tim and this bug is not for the privacy team.
Whiteboard: [fxprivacy] [triage]
|
||
Comment 6•9 years ago
|
||
Move control center bugs, filter on "de-generalize-control-center"
Component: General → Site Identity and Permission Panels
|
||
Comment 7•6 years ago
|
||
Tanvi, Jonathan, do either of you have context on this 4-year-old bug that blocks MCB? Is it still relevant?
Flags: needinfo?(tanvi)
Flags: needinfo?(jkt)
|
||
Comment 8•6 years ago
|
||
Given Comment 4, it sounds like there isn't cache invalidation happening when the user disables protection and re-enables it. That to me sounds like a bigger issue that should be probably be investigated.
Perhaps the MCB should enforce that all loads get revalidated over the network when protection is enabled.
Shouldn't this be in Firefox:Security or DOM:Security? Perhaps even Necko? I think at best this is a P3 though but requires further investigation.
Flags: needinfo?(jkt)
Priority: -- → P3
|
|
||
Comment 9•6 years ago
|
||
Also we should probably write a test as the pmo site has gone, but the comments describe how this worked.
|
|
||
Comment 10•6 years ago
|
||
Since this does not seem to be a frontend issue, moving this to Core :: DOM: Security as suggested in comment 8.
Component: Site Identity → DOM: Security
Flags: needinfo?(tanvi)
Product: Firefox → Core
Summary: [Control Center] After enabling protection on a mixed content site the site is displayed as secure when X-Frame-Options is used → After enabling protection on a mixed content site the site is displayed as secure when X-Frame-Options is used
|
|
||
Updated•6 years ago
|
Whiteboard: [domsecurity-backlog2]
|
||
Updated•3 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•