Bug 1201767: Console shows https mixed console warnings
Status: Open (NEW). Opened 9 years ago, updated 2 years ago
Categories: Core :: DOM: Security, defect, P3
People: Reporter: tanvi, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [domsecurity-backlog1]
Attachments: 2 files
Richard identified a bug where the console sometimes says
Loading mixed (insecure) display content "https://..." on a secure page
This doesn't make sense because if the url is https, then how can it be mixed? Maybe it went through a cached insecure image redirect? I need to do further testing. Filing this bug for now.
Comment 1 • 9 years ago (Reporter)
Pasting some info from email thread.
Richard:
BTW, this is also appearing for real sites. Go to http://united.com, and they will upgrade you to HTTPS, but then you get:
Loading mixed (insecure) display content "https://www.united.com/web/en-us/img/tgt/bbm/20150508_alm15390_Hertz.jpg?01AD=39ssdOA6EjlOolW2gle_Shu4Du96TLB6t18za7DSgXXbmIxavqwMggw&01RI=B2B4E63CBE21495&01NA=" on a secure page/
That also demonstrates that it's not HSTS, since united.com is not an HSTS host.
Tanvi:
On a fresh profile using a mozilla-central build updated last Friday in e10s I get [1]. Then I open a new tab and try it again and get [2]. I repeat the process again and get [1] over and over, even after clearing my cache.
On united.com I don't get any mixed content. Looks like an HSTS / mixed bug to me. Maybe we show 'Loading mixed (insecure) display content "https://ipv.sx/mixed-hsts-test/image.jpg"' only after the first upgrade? I will flag this to take a closer look later.
[1]
Loading mixed (insecure) display content "http://geopriv.dreamhosters.com/mixed-hsts-test/image.jpg" on a secure page[Learn More] mixed-hsts-test
Loading mixed (insecure) display content "http://ipv.sx/mixed-hsts-test/image.jpg" on a secure page[Learn More] mixed-hsts-test
Blocked loading mixed active content "http://geopriv.dreamhosters.com/mixed-hsts-test/test.js"[Learn More] mixed-hsts-test
Blocked loading mixed active content "http://ipv.sx/mixed-hsts-test/test.js"[Learn More]
[2]
Blocked loading mixed active content "http://geopriv.dreamhosters.com/mixed-hsts-test/test.js"[Learn More] mixed-hsts-test
Blocked loading mixed active content "http://ipv.sx/mixed-hsts-test/test.js"[Learn More] mixed-hsts-test
Loading mixed (insecure) display content "http://geopriv.dreamhosters.com/mixed-hsts-test/image.jpg" on a secure page[Learn More] mixed-hsts-test
Loading mixed (insecure) display content "http://ipv.sx/mixed-hsts-test/image.jpg" on a secure page[Learn More] mixed-hsts-test
Loading mixed (insecure) display content "https://ipv.sx/mixed-hsts-test/image.jpg" on a secure page[Learn More]
Comment 2 • 9 years ago
The problem is most likely related to the insecure redirect flag for images [1]. I have had a very similar issue for upgrade-insecure-requests (See Bug 1183563).
[1] http://mxr.mozilla.org/mozilla-central/source/image/imgRequest.cpp#1269
Comment 3 • 9 years ago
I can confirm this behaviour on a fresh Firefox profile. I first encountered this issue on the following page: https://www.perkbox.co.uk/goldcard/deals/food-and-drink/enjoy-your-free-tastecard-app-it-s-valid-in-7-357-uk-retaurants-amp-counting
I'm attaching two screenshots to show the console output, and also what happens when you request one of the images directly.
Comment 4 • 9 years ago
As Christoph already said, this is most likely the cause. The page requests the image via HTTP, but the site then does a 301 redirect from HTTP to HTTPS.
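The explanation proposed in comments 2 and 4, sketched as an added example (not part of the bug thread and not Firefox code): an image load counts as mixed if any hop in its redirect chain was insecure, so a warning that names only the final URL shows `https://`. The function names, the `example.test` URLs and the redirect chain are constructed for illustration.

```javascript
// Simplified model of the hypothesis in this bug, not Firefox's implementation.
// A redirect chain is the ordered list of URLs fetched for one image, from the
// URL written in the page to the URL that finally served the bytes.

function isSecure(url) {
  return new URL(url).protocol === "https:";
}

// Returns null when the load is not mixed content. Otherwise returns the
// warning text two ways: naming the final URL (the confusing form reported
// here) and naming the first insecure hop (which explains the warning).
function classifyImageLoad(pageUrl, redirectChain) {
  // Mixed content only applies to subresources of a secure page.
  if (!isSecure(pageUrl) || redirectChain.length === 0) return null;

  // One insecure hop anywhere in the chain taints the whole load,
  // even if the server later redirects to https://.
  const insecureHop = redirectChain.find((u) => !isSecure(u));
  if (insecureHop === undefined) return null;

  const finalUrl = redirectChain[redirectChain.length - 1];
  const msg = (u) =>
    `Loading mixed (insecure) display content "${u}" on a secure page`;

  return {
    insecureHop,
    finalUrl,
    // True when the warning would name an https:// URL, as in this report.
    confusing: isSecure(finalUrl),
    reportedWithFinalUrl: msg(finalUrl),
    reportedWithInsecureHop: msg(insecureHop),
  };
}

// Constructed sample: a secure page embeds an http:// image and the server
// answers with a 301 redirect to the https:// version of the same path.
const sample = classifyImageLoad("https://example.test/", [
  "http://example.test/img/banner.jpg",
  "https://example.test/img/banner.jpg",
]);
console.log(sample.reportedWithFinalUrl);
console.log(sample.reportedWithInsecureHop);
```

When triaging such a warning on a site, the insecure hop is the reference to fix: change the `http://` image URL in the page markup to `https://` so no insecure request is made.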
Updated • 9 years ago (Reporter)
Blocks: MixedContentBlocker
Updated • 9 years ago
Priority: -- → P1
Updated • 8 years ago
Priority: P1 → P3
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog1]
Updated • 2 years ago
Severity: normal → S3