Why firefox is not reporting active mixed content loaded by <link> tag?

UNCONFIRMED
Unassigned

Status

()

Core
DOM: Security
P3
normal
UNCONFIRMED
a year ago
11 months ago

People

(Reporter: Bala, Unassigned)

Tracking

53 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [domsecurity-backlog3])

(Reporter)

Description

a year ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce:

1. Create a test web page with following tag that preloads mixed content,
e.g. 
<link rel="preload" href="http://<Hostname>/other.css" as="style">

2. The web page should be hosted on "https" site. 

3.  In Mozila firefox "link" with "rel" attribute set to "preload" value fetch the resource in advance. 



Actual results:

1. According to mozilla's document, https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types. <link> with "rel" attribute set to "preload" value fetch the resource in advance. 
2. Mozila firefox should report the mixed content for this preloaded resouce.
3. But unfortunately Firefox is not reporting the active mixed content.  



Expected results:

Mozilla firefox should report mixed content on test web page for "http://<Hostname>/other.css" resource loaded over http.
Component: Untriaged → DOM: Security
Product: Firefox → Core
That resource load is triggered by the page, but it's not _in_ the page (yet?) so we don't know if it's going to be used. Yes, this leaks requests (possible unsafe user cookies, like non-blocked images), but doesn't cause the page itself to be unsafe mixed content.

see also bug 1242902 for a somewhat related bug with preloads.

Kate: what does the mixed-content spec say about this case?
Flags: needinfo?(kmckinley)
Given that it is active mixed-content, the load should be blocked for mixed-content, unless we have some reason to upgrade it prior to the request.

I attempted to create a working reproduction, and was unsuccessful. Even when the URI was https://, it did not load the <link> URI. I suspect this is a bug in the stylesheet loader. Firefox doesn't attempt to load the stylesheet at all, so it doesn't go through the mixed-content blocker.

Testing on Chrome shows the stylesheet is properly blocked for mixed content.
Flags: needinfo?(kmckinley)
I don't think we support the "as" attribute yet, from the proposed Preload spec
https://w3c.github.io/preload/

When we do the type should be passed through to the content load and then we can apply the mixed-content blocking rules. Until then it's just mixed-passive content: we can't tell the difference between something OK like an image and something not like a script.
Flags: needinfo?(annevk)
Priority: -- → P3
Whiteboard: [domsecurity-backlog3]

Comment 4

11 months ago
Your analysis sounds correct. Pretty sure Dragana added as="" attribute support recently so can look into this now.
Flags: needinfo?(annevk) → needinfo?(dd.mozilla)
We do not support preload yet. I do not believe we fetch anything with <link rel=preload....


Bug 1222633 has not landed yet!
Flags: needinfo?(dd.mozilla)
You need to log in before you can comment on or make changes to this bug.