Mixed Content treatment of CSS differs from documentation

REOPENED
Assigned to

Status

Developer Documentation
Security
REOPENED
2 years ago
2 years ago

People

(Reporter: Bala, Assigned: sheppy)

Tracking

(Blocks: 2 bugs)

Details

(URL)

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36

Steps to reproduce:

I'm analyzing mixed content behavior of Mozilla Firefox, I cam across following documentation of mixed content on Mozilla's developer page:

https://developer.mozilla.org/en/docs/Security/MixedContent

This document described the classification of mixed content i.e. Active mixed content and passive mixed content.
As per this documentation 
"All cases in CSS where a url value is used (@font-face, cursor, background-image, etc.)" will be considered as Active mixed content.








Actual results:

However when I take a test case with mixed content in case of CSS, I found Mozilla is reporting it as warning i.e. Passive mixed content.



Expected results:

It seems that the documentation doesn't matching with the browser behavior or vice-versa.

What is the expected behavior of browser? Or Is documentation is old?

Updated

2 years ago
Blocks: 815321
Component: Untriaged → Security
Product: Firefox → Developer Documentation
Summary: Found different documentation on Mixed Content? → Mixed Content treatment of CSS differs from documentation
Version: 42 Branch → unspecified

Comment 1

2 years ago
Stylesheets themselves are considered Active Content.  If they load a font, that font is considered active content.  If they load an image, the image is considered mixed passive.

It depends on the content type of the subresource being loaded.

Most content types are considered active.  The only passive ones are:
TYPE_IMAGE
TYPE_MEDIA (<audio>,<video>,<track>)
TYPE_OBJECT_SUBREQUEST (requests made my a plugin object)

Hence, it looks like this line of the documentation is wrong.  Though I haven't tested in a while.  What do you find in your test cases for font, cursor, and background image?

Thanks for finding this issue and filing this bug!
(Assignee)

Comment 2

2 years ago
I've made a number of improvements to the article. I'd appreciate it if someone could review the changes and see if I've resolved this issue without introducing any new mistakes.

Please comment and reopen if this isn't fixed after all. Thanks!
Assignee: nobody → eshepherd
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(tanvi)
Resolution: --- → FIXED

Comment 3

2 years ago
Thanks for the updates Eric!  A few corrections below:

* "In the case of passive content, the threat is low (webpage appears broken or with misleading content). In the case of active content, the threat can lead to phishing, sensitive data disclosure, redirection to malicious sites, etc."

The "webpage appears broken" isn't really the threat of mixed passive content.  We don't block it by default, so mixed passive content will load just fine.  Unless by "webpage appears broken" you mean that the security UI is degraded (it's a grey lock with a yellow triangle instead of a green lock)?

Instead I would say:
In the case of passive content, the threat is lower (the page may contain misleading content, the user's cookies may be stolen).  In the case of active content, the threat can lead to phishing, sensitive data disclosure, stolen credentials, redirection to malicious sites, etc."


* "All cases in CSS where a url value is used (@font-face, cursor, background-image, and so forth)."
I think we have to remove this example.  CSS stylesheets themselves are mixed active.  Fonts that they load are mixed active.  But background images they load are mixed passive.


* "Warnings in Web Console" section
The webconsole security pane shows both loaded and blocked mixed content.  We don't have to reference the first diagram that shows the Net panel.  We can instead show the Security panel and "Loading mixed (insecure) display content messages".  See the webconsole when you load https://people.mozilla.com/~tvyas/mixedboth.html or https://people.mozilla.com/~tvyas/mixeddisplay.html for an example of what this looks like.
Status: RESOLVED → REOPENED
Ever confirmed: true
Flags: needinfo?(tanvi)
Resolution: FIXED → ---
(Assignee)

Comment 4

2 years ago
(In reply to Tanvi Vyas [:tanvi] from comment #3)

> * "All cases in CSS where a url value is used (@font-face, cursor,
> background-image, and so forth)."
> I think we have to remove this example.  CSS stylesheets themselves are
> mixed active.  Fonts that they load are mixed active.  But background images
> they load are mixed passive.
> 
> 
> * "Warnings in Web Console" section
> The webconsole security pane shows both loaded and blocked mixed content. 
> We don't have to reference the first diagram that shows the Net panel.  We
> can instead show the Security panel and "Loading mixed (insecure) display
> content messages".  See the webconsole when you load
> https://people.mozilla.com/~tvyas/mixedboth.html or
> https://people.mozilla.com/~tvyas/mixeddisplay.html for an example of what
> this looks like.

I'm working on the fixes and have a question... looking at the output in the security pane, I can't help wondering: do certain file types get whitelisted? Where is that list? I need to make a list of them, both for debugging aids and as an important guide for developers.
Flags: needinfo?(tanvi)

Comment 5

2 years ago
(In reply to Eric Shepherd [:sheppy] from comment #4)
> (In reply to Tanvi Vyas [:tanvi] from comment #3)
> 
> > * "All cases in CSS where a url value is used (@font-face, cursor,
> > background-image, and so forth)."
> > I think we have to remove this example.  CSS stylesheets themselves are
> > mixed active.  Fonts that they load are mixed active.  But background images
> > they load are mixed passive.
> > 
> > 
> > * "Warnings in Web Console" section
> > The webconsole security pane shows both loaded and blocked mixed content. 
> > We don't have to reference the first diagram that shows the Net panel.  We
> > can instead show the Security panel and "Loading mixed (insecure) display
> > content messages".  See the webconsole when you load
> > https://people.mozilla.com/~tvyas/mixedboth.html or
> > https://people.mozilla.com/~tvyas/mixeddisplay.html for an example of what
> > this looks like.
> 
> I'm working on the fixes and have a question... looking at the output in the
> security pane, I can't help wondering: do certain file types get
> whitelisted? Where is that list? I need to make a list of them, both for
> debugging aids and as an important guide for developers.

Hi Eric,
We don't whitelist file types.  We make decisions based on what type of request we have.  For example, if the source is inside a <script> tag, we go through the script loading code, which sets a content type of TYPE_SCRIPT.  We don't look at the source to see that it has a ".js" extension.  Here are the types we look at:
http://mxr.mozilla.org/mozilla-central/source/dom/security/nsMixedContentBlocker.cpp#467

Image types (processed by the image loader), media types (<audio>, <video>, <track>), and requests made from plugins are loaded by default with security warnings.  And the rest are blocked by default.
Flags: needinfo?(tanvi)
(Assignee)

Updated

2 years ago
Blocks: 1050930
You need to log in before you can comment on or make changes to this bug.