Closed Bug 138479 Opened 22 years ago Closed 22 years ago

View Frame Info Security

Categories

(Core Graveyard :: Security: UI, defect, P2)

Product:
Core Graveyard
Component:
Security: UI
Version:
1.0 Branch
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
psm2.3

People

(Reporter: andreas, Assigned: KaiE)

References

(
URL
)

Details

(Whiteboard: [adt1 RTM])

Attachments

(1 file, 1 obsolete file)

Corrected Patch
1.39 KB, patch
KaiE
: review+
KaiE
: superreview+
chofmann
: approval+
Details | Diff | Splinter Review 
When I select View Frame Info via the right mouse button
for an encrypted frame, the information on the security
tab is incorrect. It appears to correspond to the page
instead of the selected frame.
Tested Mozilla version is 1.0RC1 from RedHat RPM under
Linux 2.4.18
-> PSM
Component: Page Info → Client Library
OS: Linux → All
Product: Browser → PSM
Hardware: PC → All
Version: other → 1.01
To PSM for real.  We use the "securityUI" for security information, which is
utterly wrong for a frame....
Assignee: db48x → ssaux
Severity: minor → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: pmac → junruh
Version: 1.01 → 2.0
*** Bug 140478 has been marked as a duplicate of this bug. ***
Nominating to be fixed ASAP.
Keywords: nsbeta1
Priority: -- → P2
Confirmed.

Moreover, if the frameset has mixed content (i.e., one of the frames came from
http, then the info says that it's secure (because the frameset is) even though
the frame itelf isn't. This should be fixed.  However:

In the case of mixed content, the lock icon is "mixed", telling the user about
that there is some unencrypted content, which should give the user plenty of
warning that he shouldn't trust any of this with a ten-foot pole.

If the content is all encrypted, the bug is less serious (but should be fixed).
Assignee: ssaux → kaie
Severity: major → normal
Keywords: nsbeta1nsbeta1+
Whiteboard: [adt2 RTM]
Target Milestone: --- → 2.3
Our current implementation is indeed unable to provide independent security
information for each frame. We only have the security info for the whole page.

Implementing the independent solution is more work, but will be required for bug
140837.

Anyway, I think we should start by doing the simple and obvious thing: When the
page has a mixed security state, the page information text should also say that.

After thinking more about it, I see two problems:

1.) We don't have separate security info for the frame.

Currently, when the user opens the page info, we always show the security info tab.

I think we should only display the security tab if the user has opened the page
info for the outermost page.

I'll try to produce a patch that does the conditional display within this bug.


2.) The page info for pages with mixed security is wrong.

I think that is a separate issue. I already filed bug 143455 about that problem.
Attached patch Suggested Fix (obsolete) — Splinter Review 
First, I found an off-by-one bug. That's a different problem, and not related
to this bug.

While the initial design obviously tried to obtain the hostname of the selected
frame, the off-by-one causes that to fail, I checked that.

The first part of the patch tries to find out, whether the first given argument
is null (that means, we are being called for the top level document), or
whether it is non-null (that means, we are being called for a frame).

We only provide our security infomation if we are being called for the top
level document, for frames we return null.

When opening page info for a frame, this patch hides the security tab
completely.
Javi, can you please review?
Attachment #85410 - Flags: review+
Comment on attachment 85410 [details] [diff] [review]
Suggested Fix

r=javi
Jag, can you please superreview?
Status: NEW → ASSIGNED
Comment on attachment 85410 [details] [diff] [review]
Suggested Fix

sr=jag

You may want to comment out that w = ... line for the pedantics ;-)
Attachment #85410 - Flags: superreview+
Attached patch Corrected PatchSplinter Review 
> You may want to comment out that w = ... line for the pedantics ;-)

Good argument. I'll be checking in a slightly rearranged patch, having that
assignment before the return call, because it will not hurt, and we reduce the
likelyhood that the logic of this assignment will be forgotten or removed, if
we comment it out.
Attachment #85410 - Attachment is obsolete: true
Comment on attachment 85545 [details] [diff] [review]
Corrected Patch

carrying over reviews
Attachment #85545 - Flags: superreview+
Attachment #85545 - Flags: review+
Checked in, fixed
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Keywords: adt1.0.1
Resolution: --- → FIXED
Keywords: mozilla1.0.1
Verified on 5/30 trunk Win2000 using this in-house test URL - 
https://pki.mcom.com/frames.html
URL: https://pki.mcom.com/frames.html
Marking verified as per John's comment.
Status: RESOLVED → VERIFIED
Raising priority of this security bug to ADT 1.
Whiteboard: [adt2 RTM] → [adt1 RTM]
adding adt1.0.1+.  Please get drivers approval and check into the branch as soon
as possible.
Keywords: adt1.0.1adt1.0.1+
Comment on attachment 85545 [details] [diff] [review]
Corrected Patch

a=chofmann for 1.0.l
add the fixed1.0.1 keyword after checking in on  the branch, and lets get a bug
opened for figuring out how this might be done the right way to show security
info for each frame.
Attachment #85545 - Flags: approval+
Checked in to branch.
Keywords: adt1.0.1+, mozilla1.0.1fixed1.0.1
I filed bug 149207 to request implementing correct security info for each frame.

Verified on branch.
Keywords: fixed1.0.1verified1.0.1
Product: PSM → Core
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: