1301114 - PUT http:// ajax calls get blocked when being called from https:// even though mixed content blocking is disabled

Status: RESOLVED INCOMPLETE

(Firefox :: Security, defect)

Description

[stoilov.ivan]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36

Steps to reproduce:

1. Install Firefox 48.0.2 on Windows 7 (make sure it's a fresh install and firebug is not installed)
2. Disable mixed content blocking from about:config - http://take.ms/iwVMy 
3. Open https://codepen.io/IvanStoilov/full/GjJAXY/
4. Try Running the test with POST selected --> see that it works
5. Try Running the test with PUT selected --> it doesn't work but it should be




Actual results:

PUT requests are blocked (not even made to the server)


Expected results:

PUT requests are allowed because blocking active mixed content is disabled

Comment 1

[Abe - QA (:Abe_LV)]

Hi Stoilov,

I have tested this in windows 7 with fresh install of Firefox 48.02.
After disabling "security.mixed_content.block_active_content", the test page displays "An error ocurred!" for the "PUT" request, but the console window shows a warning "Loading mixed (insecure) active content “http://cors-test.appspot.com/test?3”...".
It is not "blocked loading mixed active content" message. So I am not sure if it is blocking the active content in this case.

Are you getting the block message in the console window?  Can you attach screen capture of console window  or more information?

Here us my screen capture: https://testing-1.tinytake.com/sf/OTY1NzMzXzQwMzc4NjI

thanks












--
Version 	48.0.2
Build ID 	20160823121617
Update Channel 	release
User Agent 	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0

Comment 2

[Abe - QA (:Abe_LV)]

Closing this as incomplete due to inactivity and lack of response from the reporter.
If anyone can still reproduce it on latest versions, feel free to reopen the bug and provide more information. Thanks