Console shows https mixed console warnings

Status: NEW (Unassigned)
Product / Component: Core / DOM: Security
Priority: P3
Severity: normal
Reported: 3 years ago
Last modified: 2 years ago
Reporter: tanvi
Blocks: 1 bug
Firefox Tracking Flags: Not tracked
Whiteboard: [domsecurity-backlog1]
Attachments: 2 attachments

(Reporter)

Description

3 years ago
Richard identified a bug where the console sometimes says 
Loading mixed (insecure) display content "https://..." on a secure page

This doesn't make sense because if the url is https, then how can it be mixed?  Maybe it went through a cached insecure image redirect?  I need to do further testing.  Filing this bug for now.
(Reporter)

Comment 1

3 years ago
Pasting some info from email thread.
Richard:
BTW, this is also appearing for real sites.  Go to http://united.com, and they will upgrade you to HTTPS, but then you get:

Loading mixed (insecure) display content "https://www.united.com/web/en-us/img/tgt/bbm/20150508_alm15390_Hertz.jpg?01AD=39ssdOA6EjlOolW2gle_Shu4Du96TLB6t18za7DSgXXbmIxavqwMggw&01RI=B2B4E63CBE21495&01NA=" on a secure page/

That also demonstrates that it's not HSTS, since united.com is not an HSTS host.


Tanvi:
On a fresh profile using a mozilla-central build updated last friday in e10s I get [1]. Then I open a new tab and try it again and get [2].  I repeat the process again and get [1] over and over, even after clearing my cache.


On united.com I dont get any mixed content.  Looks like an HSTS / mixed bug to me.  Maybe we show 'Loading mixed (insecure) display content "https://ipv.sx/mixed-hsts-test/image.jpg"' only after the first upgrade?  I will flag this to take a closer look later.


[1]
Loading mixed (insecure) display content "http://geopriv.dreamhosters.com/mixed-hsts-test/image.jpg" on a secure page[Learn More] mixed-hsts-test
Loading mixed (insecure) display content "http://ipv.sx/mixed-hsts-test/image.jpg" on a secure page[Learn More] mixed-hsts-test
Blocked loading mixed active content "http://geopriv.dreamhosters.com/mixed-hsts-test/test.js"[Learn More] mixed-hsts-test
Blocked loading mixed active content "http://ipv.sx/mixed-hsts-test/test.js"[Learn More]

[2]
Blocked loading mixed active content "http://geopriv.dreamhosters.com/mixed-hsts-test/test.js"[Learn More] mixed-hsts-test
Blocked loading mixed active content "http://ipv.sx/mixed-hsts-test/test.js"[Learn More] mixed-hsts-test
Loading mixed (insecure) display content "http://geopriv.dreamhosters.com/mixed-hsts-test/image.jpg" on a secure page[Learn More] mixed-hsts-test
Loading mixed (insecure) display content "http://ipv.sx/mixed-hsts-test/image.jpg" on a secure page[Learn More] mixed-hsts-test
Loading mixed (insecure) display content "https://ipv.sx/mixed-hsts-test/image.jpg" on a secure page[Learn More]

Comment 2

The problem is most likely related to the insecure redirect flag for images [1]. I have had a very similar issue for upgrade-insecure-requests (See Bug 1183563).

[1] http://mxr.mozilla.org/mozilla-central/source/image/imgRequest.cpp#1269

Comment 3

3 years ago
Created attachment 8681189 [details]
Warnings in the console

I can confirm this behaviour on a fresh Firefox profile. I first encountered this issue on the following page: https://www.perkbox.co.uk/goldcard/deals/food-and-drink/enjoy-your-free-tastecard-app-it-s-valid-in-7-357-uk-retaurants-amp-counting

I'm attaching two screenshots to show the console output, and also what happens when you request one of the images directly.

Comment 4

3 years ago
Created attachment 8681191 [details]
HTTP to HTTPS redirect

As Christoph already said, this is most likely the cause. The page requests the image via HTTP, but the site then does a 301 redirect from HTTP to HTTPS.
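To make the diagnosis in this comment concrete, here is an added model (written for this page, not Firefox's imgRequest code) that classifies a subresource load by its full redirect chain and names the plaintext hop in the warning instead of the final URL. The Hop type and its "request"/"redirect"/"hsts" labels are assumptions of the example; it also covers the HSTS-upgrade case from the [1]/[2] logs above, where the http hop never reaches the wire.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

@dataclass(frozen=True)
class Hop:
    """One step of a subresource load (a model type for this example, not a Gecko type).
    how = "request" (URL the page asked for), "redirect" (a server 3xx sent us here,
    so the previous hop went over the wire) or "hsts" (the client upgraded to https
    before connecting, so the previous hop never left the client)."""
    url: str
    how: str

def is_https(url: str) -> bool:
    return urlparse(url).scheme == "https"

def plaintext_hops(chain: list[Hop]) -> list[str]:
    """URLs in the chain that were actually fetched over plaintext HTTP."""
    out = []
    for i, hop in enumerate(chain):
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        if is_https(hop.url) or (nxt is not None and nxt.how == "hsts"):
            continue
        out.append(hop.url)
    return out

def classify(page_url: str, chain: list[Hop], kind: str) -> tuple[str, Optional[str], str]:
    """Return (verdict, first_plaintext_url, final_url); kind is "display" or "active".
    A load is mixed if any hop went out in plaintext, even when a 3xx later moved it
    to https: an on-path attacker could have altered that first response before the
    browser ever saw the https URL."""
    final = chain[-1].url
    plain = plaintext_hops(chain) if is_https(page_url) else []
    if not plain:
        return ("not-mixed", None, final)
    return ("mixed-" + kind, plain[0], final)

def console_message(page_url: str, chain: list[Hop], kind: str) -> Optional[str]:
    """Name the plaintext hop, not the final URL, so the warning can never read as
    'mixed content "https://..."', which is the confusion this bug reports."""
    verdict, culprit, final = classify(page_url, chain, kind)
    if verdict == "not-mixed":
        return None
    if verdict == "mixed-active":
        return f'Blocked loading mixed active content "{culprit}"'
    return (f'Loading mixed (insecure) display content "{culprit}" '
            f'(redirected to "{final}") on a secure page')
```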
(Reporter)

Updated

2 years ago
Blocks: 815321
This one really needs to get fixed.
Whiteboard: [domsecurity-backlog]
Priority: -- → P1
(Reporter)

Updated

2 years ago
Duplicate of this bug: 1066873
(Reporter)

Updated

2 years ago
See Also: → bug 908703
Priority: P1 → P3
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog1]