Closed
Bug 138479
Opened 22 years ago
Closed 22 years ago
View Frame Info Security
Categories
(Core Graveyard :: Security: UI, defect, P2)
Tracking
(Not tracked)
VERIFIED
FIXED
psm2.3
People
(Reporter: andreas, Assigned: KaiE)
References
()
Details
(Whiteboard: [adt1 RTM])
Attachments
(1 file, 1 obsolete file)
1.39 KB,
patch
|
KaiE
:
review+
KaiE
:
superreview+
chofmann
:
approval+
|
Details | Diff | Splinter Review |
When I select View Frame Info via the right mouse button for an encrypted frame, the information on the security tab is incorrect. It appears to correspond to the page instead of the selected frame. Tested Mozilla version is 1.0RC1 from RedHat RPM under Linux 2.4.18
Comment 1•22 years ago
|
||
-> PSM
Component: Page Info → Client Library
OS: Linux → All
Product: Browser → PSM
Hardware: PC → All
Version: other → 1.01
Comment 2•22 years ago
|
||
To PSM for real. We use the "securityUI" for security information, which is utterly wrong for a frame....
Assignee: db48x → ssaux
Severity: minor → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: pmac → junruh
Version: 1.01 → 2.0
Comment 3•22 years ago
|
||
*** Bug 140478 has been marked as a duplicate of this bug. ***
Comment 5•22 years ago
|
||
Confirmed. Moreover, if the frameset has mixed content (i.e., one of the frames came from http, then the info says that it's secure (because the frameset is) even though the frame itelf isn't. This should be fixed. However: In the case of mixed content, the lock icon is "mixed", telling the user about that there is some unencrypted content, which should give the user plenty of warning that he shouldn't trust any of this with a ten-foot pole. If the content is all encrypted, the bug is less serious (but should be fixed).
Assignee | ||
Comment 6•22 years ago
|
||
Our current implementation is indeed unable to provide independent security information for each frame. We only have the security info for the whole page. Implementing the independent solution is more work, but will be required for bug 140837. Anyway, I think we should start by doing the simple and obvious thing: When the page has a mixed security state, the page information text should also say that.
Assignee | ||
Comment 7•22 years ago
|
||
After thinking more about it, I see two problems: 1.) We don't have separate security info for the frame. Currently, when the user opens the page info, we always show the security info tab. I think we should only display the security tab if the user has opened the page info for the outermost page. I'll try to produce a patch that does the conditional display within this bug. 2.) The page info for pages with mixed security is wrong. I think that is a separate issue. I already filed bug 143455 about that problem.
Assignee | ||
Comment 8•22 years ago
|
||
First, I found an off-by-one bug. That's a different problem, and not related to this bug. While the initial design obviously tried to obtain the hostname of the selected frame, the off-by-one causes that to fail, I checked that. The first part of the patch tries to find out, whether the first given argument is null (that means, we are being called for the top level document), or whether it is non-null (that means, we are being called for a frame). We only provide our security infomation if we are being called for the top level document, for frames we return null. When opening page info for a frame, this patch hides the security tab completely.
Assignee | ||
Comment 9•22 years ago
|
||
Javi, can you please review?
Updated•22 years ago
|
Attachment #85410 -
Flags: review+
Comment 10•22 years ago
|
||
Comment on attachment 85410 [details] [diff] [review] Suggested Fix r=javi
Comment 12•22 years ago
|
||
Comment on attachment 85410 [details] [diff] [review] Suggested Fix sr=jag You may want to comment out that w = ... line for the pedantics ;-)
Attachment #85410 -
Flags: superreview+
Assignee | ||
Comment 13•22 years ago
|
||
> You may want to comment out that w = ... line for the pedantics ;-)
Good argument. I'll be checking in a slightly rearranged patch, having that
assignment before the return call, because it will not hurt, and we reduce the
likelyhood that the logic of this assignment will be forgotten or removed, if
we comment it out.
Attachment #85410 -
Attachment is obsolete: true
Assignee | ||
Comment 14•22 years ago
|
||
Comment on attachment 85545 [details] [diff] [review] Corrected Patch carrying over reviews
Attachment #85545 -
Flags: superreview+
Attachment #85545 -
Flags: review+
Assignee | ||
Comment 15•22 years ago
|
||
Checked in, fixed
Assignee | ||
Updated•22 years ago
|
Keywords: mozilla1.0.1
Comment 16•22 years ago
|
||
Verified on 5/30 trunk Win2000 using this in-house test URL - https://pki.mcom.com/frames.html
Assignee | ||
Comment 17•22 years ago
|
||
Marking verified as per John's comment.
Status: RESOLVED → VERIFIED
Assignee | ||
Comment 18•22 years ago
|
||
Raising priority of this security bug to ADT 1.
Whiteboard: [adt2 RTM] → [adt1 RTM]
Comment 19•22 years ago
|
||
adding adt1.0.1+. Please get drivers approval and check into the branch as soon as possible.
Comment 20•22 years ago
|
||
Comment on attachment 85545 [details] [diff] [review] Corrected Patch a=chofmann for 1.0.l add the fixed1.0.1 keyword after checking in on the branch, and lets get a bug opened for figuring out how this might be done the right way to show security info for each frame.
Attachment #85545 -
Flags: approval+
Assignee | ||
Comment 22•22 years ago
|
||
I filed bug 149207 to request implementing correct security info for each frame.
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•