Open Bug 1364915 Opened 7 years ago Updated 2 years ago

Canceled request via WebExtension still counts as loading mixed content

Categories

(WebExtensions :: Request Handling, defect, P5)

53 Branch
defect

Tracking

(Not tracked)

REOPENED

People

(Reporter: none11given, Unassigned)

Details

(Whiteboard: triaged)

Attachments

(3 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce:

Create a WebExtension with the web request blocking permission.

In background.js, subscribe to the onBeforeRequest event and add a listener which will (a) redirect from an HTTP URL to an HTTPS URL, or (b) cancel a request to an HTTP URL.

Load an HTTPS webpage which has an HTTP image on it (mixed content).


Actual results:

The mixed content warning appears in the URL bar.

In the case where we cancel the non-HTTPS request, the image does not load (cannot be seen in the Network tab of the console), but the console still logs the "Loading mixed (insecure) display content" warning and the mixed content icon appears.

In the case where we redirect the non-HTTPS request to HTTPS, the Network tab shows both the HTTP image request and the HTTPS image request, for some reason, but this may just be a quirk of the tool. In any event, the console still logs the mixed content warning, and the mixed content icon appears.


Expected results:

The mixed content warning/icon should not appear, since we intercepted the HTTP request before it happened and never actually loaded any mixed content.

Here are two test pages which serve a non-secure (HTTP) image on an HTTPS page. I'll attach a ZIP with a WebExtension that reproduces the issue on these pages momentarily.

On the first page, the extension will attempt to redirect from HTTP to HTTPS when the image is requested.

https://nonegiven.github.io/mixed1

On the second page, the extension will cancel the request for the image.

https://nonegiven.github.io/mixed2

Attached file mixed-content-bug.zip
WebExtension which repros the problem on the test pages provided in bug
Extension redirects from HTTP to HTTPS; dev tools show image is loaded twice; mixed content warning appears
Attached image cancel.PNG
Insecure image load is canceled; dev tools show request was never made; mixed content warning appears anyway
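
A background.js listener matching the steps to reproduce and the two test pages, written as an added example; it is not the code in mixed-content-bug.zip. It assumes the manifest grants "webRequest", "webRequestBlocking" and host permissions, reads Firefox's `documentUrl` field from the request details, and the `decide` helper name is hypothetical.

```javascript
// Added example for this bug report; not the reporter's attached extension.
// Assumes manifest.json grants "webRequest", "webRequestBlocking", "<all_urls>".

// Test pages named in the report, mapped to the behaviour described for each.
const TEST_HOST = "nonegiven.github.io";
const PAGE_ACTIONS = new Map([
  ["/mixed1", "redirect"], // upgrade the http:// image to https://
  ["/mixed2", "cancel"],   // drop the http:// image request
]);

// Build the BlockingResponse for one request. Kept pure (no browser API use)
// so the decision logic can be checked outside the extension.
function decide(details) {
  let req, doc;
  try {
    req = new URL(details.url);
    doc = new URL(details.documentUrl || ""); // Firefox: URL of the loading document
  } catch (e) {
    return {}; // missing or unparsable URL: leave the request untouched
  }
  // Only act on insecure subresources of the secure test pages.
  if (req.protocol !== "http:" || doc.protocol !== "https:") return {};
  if (doc.hostname !== TEST_HOST) return {};

  const action = PAGE_ACTIONS.get(doc.pathname.replace(/\/$/, ""));
  if (action === "cancel") return { cancel: true };
  if (action === "redirect") {
    req.protocol = "https:";
    return { redirectUrl: req.href };
  }
  return {};
}

// Register only when running inside the extension.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onBeforeRequest.addListener(
    decide,
    { urls: ["http://*/*"], types: ["image"] },
    ["blocking"]
  );
}
```
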
Component: Untriaged → WebExtensions: Request Handling
Product: Firefox → Toolkit
Priority: -- → P5
Whiteboard: triaged
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INACTIVE
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INACTIVE → ---
Product: Toolkit → WebExtensions
Severity: normal → S3