Closed
Bug 1235652
Opened 10 years ago
Closed 10 years ago
Mixed-Mode warning also if all http content is redirected to https using 301/302
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: m.hald, Unassigned)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
194.08 KB,
image/png
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20151216175450
Steps to reproduce:
Visited a page (freeswitch.expert) that has one http:// image. However, if you look at the Network Analyser you see the one picture (using http://) is redirected using HTTP 302 to https:// (same issue if HTTP 301 is used). See attached image.
Actual results:
Firefox is crying for "Mixed-Content" and tells me the page is insecure. See attached image.
Expected results:
Firefox should have noted that all http:// images were redirected using code 301 or 302 (during loading) and thus we are secure and have no mixed-content.
See attached image.
This should definitely be patched as it makes it "easy" to ensure SSL using Apache's mod_rewrite without the need to change every single http:// link in your homepage.
I guess this is normal because the HTTP request can be tampered with by a middleman.
Component: Untriaged → Security
Comment 2•10 years ago
bug 418354 was the opposite request. I believe that the arguments there are much stronger: if the content is requested over http, that makes the request (and thereby the page) insecure. The fact that the eventual content arrived over https is less important: the initial request, potentially including insecure cookies or querystring information, was made in the plain, and is thereby already readable to e.g. a passive MITM attack. On top of that, the page is now vulnerable to active MITM attacks that modify the child resource requests of the page.
IOW, the fact that this behaves as it does is desirable, and this is not a bug. I'm resolving this as INVALID.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Component: Security → Security: UI
Product: Firefox → Core
Resolution: --- → INVALID
Updated•10 years ago
Blocks: MixedContentBlocker
Updated•9 years ago
Product: Core → Core Graveyard