Closed Bug 1348107 Opened 8 years ago Closed 8 years ago

Not blocking outdated objects included into main page with invalid (outdated) certificate

Categories

(Firefox :: Untriaged, defect)

52 Branch
defect
Not set
normal

Tracking

RESOLVED INCOMPLETE

People

(Reporter: artur.pierscinski, Unassigned, NeedInfo)

Details

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170310133403

Steps to reproduce:

Open a page (with a correct cert) which loads an object from another domain guarded by an obsolete cert (maybe invalid too).

Actual results:

Cases:
1. Linux (52) --> Nothing
2. Windows (7) --> Nothing
3. Windows (7) + ESET --> Ask (from ESET) what to do with outdated/invalid cert

P.S. The same problem is probable/sure with earlier FX (not checked).

Expected results:

In cases 1 and 2, in my opinion FX should block/ask whether to block the objects; info about those objects.

Why? When a page with an invalid/outdated cert is opened, FX informs about the cert and blocks. So why not block/inform about an object from a domain with an outdated/invalid cert?

Artur
Can you provide a testcase? Are you saying the sub-resources are blocked or that they are loaded?
Flags: needinfo?(artur.pierscinski)
The only reason we wouldn't block sub-resource inclusions with a bad cert is if the user has explicitly created an override to tell us to trust that cert anyway (typically for self-signed certs). There are lots of reasons we might consider a cert invalid or outdated and it's possible you found a buggy case, but the ones we've looked at should be fine. We'll need a specific instance to test.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE