Closed Bug 1217159 Opened 4 years ago Closed 4 years ago

Block Mixed Content

Categories

(Firefox OS Graveyard :: Gaia::Browser, defect)

ARM
Gonk (Firefox OS)
defect
Not set

Tracking

(firefox44 fixed, b2g-v2.0 affected, b2g-v2.0M ?, b2g-v2.1 affected, b2g-v2.1S ?, b2g-v2.2 affected, b2g-v2.2r fixed, b2g-master fixed)

RESOLVED FIXED
FxOS-S10 (30Oct)

People

(Reporter: sjw+bugzilla, Unassigned)

Details

(Keywords: sec-low, Whiteboard: [systemsfe])

Attachments

(1 file)

1. Navigate to https://badssl.com/
2. Use any of the mixed (active) content tests
3. Got a red warning that the client didn't block it

If there is mixed content on a secure site, an attacker could inject code.
All major desktop browsers are blocking mixed content. Also some mobile clients do.

Firefox OS should not allow mixed content and show a warning instead.
Verified with current master, even in private mode.
Flags: needinfo?(ptheriault)
A pref issue? Gecko's all.js [1] has mixed content blocking disabled by default. But both Fennec for Android [2] and b2gdroid [3] have it enabled for active content. I don't see the pref in b2g.js.

Was there a reason why it wasn't enabled?

[1] https://dxr.mozilla.org/mozilla-central/source/modules/libpref/init/all.js#1973
[2] https://dxr.mozilla.org/mozilla-central/source/mobile/android/app/mobile.js#481
[3] https://dxr.mozilla.org/mozilla-central/source/mobile/android/b2gdroid/app/b2gdroid.js#480
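The point of the report above is that an HTTPS page which loads an http:// script, stylesheet or frame gives a network attacker the same code injection as a plain HTTP page, so desktop Firefox and Fennec block active mixed content by default while Firefox OS, lacking the pref in b2g.js, fell back to the all.js default. The classifier below is an added example written for this page, not Gecko code and not the patch in mixed.diff; it models that policy (block active mixed content, only warn on passive content such as images) and shows how the same loads are treated under the disabled default versus the enabled one. The content-type lists, the loopback exemption and the two option sets are my assumptions, chosen to mirror the behaviour the comments describe, not values read from b2g.js.

```javascript
// Added example: a minimal mixed-content classifier modelled on the policy
// desktop Firefox/Fennec apply (block active, warn on passive). It is not
// Gecko's MixedContentBlocker and the type lists are assumptions.

// Loads that can run code or rewrite the page: a single injected response
// compromises the whole origin, so these are "active" mixed content.
const ACTIVE_TYPES = new Set([
  "script", "stylesheet", "iframe", "object", "xhr", "fetch", "font", "websocket",
]);
// Loads that only display data: an attacker can swap the picture, not run code.
const PASSIVE_TYPES = new Set(["img", "audio", "video"]);

// Assumed option sets: the all.js default the bug describes (nothing blocked)
// versus the desktop/Android default (active blocked, passive allowed with a warning).
const GECKO_ALLJS_DEFAULT = { blockActive: false, blockPassive: false };
const DESKTOP_ANDROID_DEFAULT = { blockActive: true, blockPassive: false };

// Schemes whose loads are not fetched over the network in the clear, and so are
// not mixed content when embedded in an HTTPS document.
function isSecureScheme(url) {
  return ["https:", "wss:", "data:", "blob:", "about:"].includes(url.protocol);
}

// Loopback is treated as potentially trustworthy (W3C Secure Contexts rules);
// the 2015 Firefox OS build did not have this exemption, it is included as the
// check a practitioner would expect today.
function isLoopback(url) {
  const h = url.hostname;
  return h === "localhost" || h.endsWith(".localhost") || h === "127.0.0.1" || h === "[::1]";
}

// Returns "allow", "warn" or "block" for one resource load from a document.
// documentUrl/resourceUrl are strings; resourceUrl may be relative or
// scheme-relative and is resolved against the document like a browser would.
function classifyLoad(documentUrl, resourceUrl, type, opts = DESKTOP_ANDROID_DEFAULT) {
  const doc = new URL(documentUrl);
  const res = new URL(resourceUrl, doc);
  // Only an HTTPS document can have mixed content at all.
  if (doc.protocol !== "https:") return "allow";
  if (isSecureScheme(res)) return "allow";
  // javascript:, mailto: etc. are not network fetches; only cleartext
  // http:/ws: loads are the attacker's injection point.
  if (res.protocol !== "http:" && res.protocol !== "ws:") return "allow";
  if (isLoopback(res)) return "allow";
  if (ACTIVE_TYPES.has(type)) return opts.blockActive ? "block" : "warn";
  if (PASSIVE_TYPES.has(type)) return opts.blockPassive ? "block" : "warn";
  // Unknown load types default to the strict side.
  return "block";
}

// Reproduce the badssl.com-style check from the bug for one cleartext script
// under each option set; the page should be "block" under the desktop default.
function compareDefaults() {
  const page = "https://example.test/";
  const script = "http://cdn.example.test/x.js";
  return {
    alljs: classifyLoad(page, script, "script", GECKO_ALLJS_DEFAULT),
    desktop: classifyLoad(page, script, "script", DESKTOP_ANDROID_DEFAULT),
  };
}

module.exports = { classifyLoad, compareDefaults, GECKO_ALLJS_DEFAULT, DESKTOP_ANDROID_DEFAULT };
```

Note that a scheme-relative URL (`//cdn.example.test/x.js`) resolves to https: on an HTTPS page and is therefore never mixed content; that is the usual fix for sites that trip the blocker, and the classifier reproduces it because it resolves the resource against the document before checking the scheme.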
The only reason I can think of is that this was added after we created b2g.js and no one cared about adding that to b2g when setting it for desktop & android. b2gdroid got it from android since it's a much more recent product.
Attachment #8677109 - Flags: review?(sworkman)
Thanks for the prompt info Steve!
Comment on attachment 8677109 [details] [diff] [review]
mixed.diff

Review of attachment 8677109 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM
Attachment #8677109 - Flags: review?(sworkman) → review+
all versions are affected (tested in simulator). Do we patch older versions?
Will FirefoxOS have a per page override, or just block alright?

Note, I'm okay with no override.  Our telemetry shows it happens very rarely.
Flags: needinfo?(ptheriault)
(In reply to sjw from comment #7)
> all versions are affected (tested in simulator). Do we patch older versions?

At this point, I would say know. 2.2 is only taking sec-high and sec-critical security bugs at this point, and in light of the telemetry I don't think it's worth the regression risk.
Keywords: sec-low
(In reply to Paul Theriault [:pauljt] from comment #9)
> (In reply to sjw from comment #7)
> > all versions are affected (tested in simulator). Do we patch older versions?
> 
> At this point, I would say know. 2.2 is only taking sec-high and
> sec-critical security bugs at this point, and in light of the telemetry I
> don't think it's worth the regression risk.

Of course, I meant "no". It's early :)
Whiteboard: [systemsfe]
https://hg.mozilla.org/mozilla-central/rev/d9054e4529fa
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → FxOS-S10 (30Oct)
Group: b2g-core-security → core-security-release
Comment on attachment 8677109 [details] [diff] [review]
mixed.diff

Mahe, seems this affects 2.2 and 2.2r so requesting approval here
Flags: needinfo?(mpotharaju)
Attachment #8677109 - Flags: approval-mozilla-b2g37_v2_2r?
Attachment #8677109 - Flags: approval-mozilla-b2g37?
Comment on attachment 8677109 [details] [diff] [review]
mixed.diff

Please land it only on 2.2R. 

We are not risking regression on 2.2.
Flags: needinfo?(mpotharaju)
Attachment #8677109 - Flags: approval-mozilla-b2g37_v2_2r?
Attachment #8677109 - Flags: approval-mozilla-b2g37_v2_2r+
Attachment #8677109 - Flags: approval-mozilla-b2g37?
Group: core-security-release