Closed
Bug 138479
Opened 24 years ago
Closed 24 years ago
View Frame Info Security
Categories
(Core Graveyard :: Security: UI, defect, P2)
Tracking
(Not tracked)
VERIFIED
FIXED
psm2.3
People
(Reporter: andreas, Assigned: KaiE)
References
()
Details
(Whiteboard: [adt1 RTM])
Attachments
(1 file, 1 obsolete file)
|
1.39 KB,
patch
|
KaiE
:
review+
KaiE
:
superreview+
chofmann
:
approval+
|
Details | Diff | Splinter Review |
When I select View Frame Info via the right mouse button
for an encrypted frame, the information on the security
tab is incorrect. It appears to correspond to the page
instead of the selected frame.
Tested Mozilla version is 1.0RC1 from RedHat RPM under
Linux 2.4.18
Comment 1•24 years ago
|
||
-> PSM
Component: Page Info → Client Library
OS: Linux → All
Product: Browser → PSM
Hardware: PC → All
Version: other → 1.01
Comment 2•24 years ago
|
||
To PSM for real. We use the "securityUI" for security information, which is
utterly wrong for a frame....
Assignee: db48x → ssaux
Severity: minor → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: pmac → junruh
Version: 1.01 → 2.0
Comment 3•24 years ago
|
||
*** Bug 140478 has been marked as a duplicate of this bug. ***
Comment 5•24 years ago
|
||
Confirmed.
Moreover, if the frameset has mixed content (i.e., one of the frames came from
http, then the info says that it's secure (because the frameset is) even though
the frame itelf isn't. This should be fixed. However:
In the case of mixed content, the lock icon is "mixed", telling the user about
that there is some unencrypted content, which should give the user plenty of
warning that he shouldn't trust any of this with a ten-foot pole.
If the content is all encrypted, the bug is less serious (but should be fixed).
| Assignee | ||
Comment 6•24 years ago
|
||
Our current implementation is indeed unable to provide independent security
information for each frame. We only have the security info for the whole page.
Implementing the independent solution is more work, but will be required for bug
140837.
Anyway, I think we should start by doing the simple and obvious thing: When the
page has a mixed security state, the page information text should also say that.
| Assignee | ||
Comment 7•24 years ago
|
||
After thinking more about it, I see two problems:
1.) We don't have separate security info for the frame.
Currently, when the user opens the page info, we always show the security info tab.
I think we should only display the security tab if the user has opened the page
info for the outermost page.
I'll try to produce a patch that does the conditional display within this bug.
2.) The page info for pages with mixed security is wrong.
I think that is a separate issue. I already filed bug 143455 about that problem.
| Assignee | ||
Comment 8•24 years ago
|
||
First, I found an off-by-one bug. That's a different problem, and not related
to this bug.
While the initial design obviously tried to obtain the hostname of the selected
frame, the off-by-one causes that to fail, I checked that.
The first part of the patch tries to find out, whether the first given argument
is null (that means, we are being called for the top level document), or
whether it is non-null (that means, we are being called for a frame).
We only provide our security infomation if we are being called for the top
level document, for frames we return null.
When opening page info for a frame, this patch hides the security tab
completely.
| Assignee | ||
Comment 9•24 years ago
|
||
Javi, can you please review?
Updated•24 years ago
|
Attachment #85410 -
Flags: review+
Comment 10•24 years ago
|
||
Comment on attachment 85410 [details] [diff] [review]
Suggested Fix
r=javi
Comment 12•24 years ago
|
||
Comment on attachment 85410 [details] [diff] [review]
Suggested Fix
sr=jag
You may want to comment out that w = ... line for the pedantics ;-)
Attachment #85410 -
Flags: superreview+
| Assignee | ||
Comment 13•24 years ago
|
||
> You may want to comment out that w = ... line for the pedantics ;-)
Good argument. I'll be checking in a slightly rearranged patch, having that
assignment before the return call, because it will not hurt, and we reduce the
likelyhood that the logic of this assignment will be forgotten or removed, if
we comment it out.
Attachment #85410 -
Attachment is obsolete: true
| Assignee | ||
Comment 14•24 years ago
|
||
Comment on attachment 85545 [details] [diff] [review]
Corrected Patch
carrying over reviews
Attachment #85545 -
Flags: superreview+
Attachment #85545 -
Flags: review+
| Assignee | ||
Comment 15•24 years ago
|
||
Checked in, fixed
| Assignee | ||
Updated•24 years ago
|
Keywords: mozilla1.0.1
Comment 16•24 years ago
|
||
Verified on 5/30 trunk Win2000 using this in-house test URL -
https://pki.mcom.com/frames.html
| Assignee | ||
Comment 17•24 years ago
|
||
Marking verified as per John's comment.
Status: RESOLVED → VERIFIED
| Assignee | ||
Comment 18•24 years ago
|
||
Raising priority of this security bug to ADT 1.
Whiteboard: [adt2 RTM] → [adt1 RTM]
Comment 19•24 years ago
|
||
adding adt1.0.1+. Please get drivers approval and check into the branch as soon
as possible.
Comment 20•24 years ago
|
||
Comment on attachment 85545 [details] [diff] [review]
Corrected Patch
a=chofmann for 1.0.l
add the fixed1.0.1 keyword after checking in on the branch, and lets get a bug
opened for figuring out how this might be done the right way to show security
info for each frame.
Attachment #85545 -
Flags: approval+
| Assignee | ||
Comment 22•24 years ago
|
||
I filed bug 149207 to request implementing correct security info for each frame.
Updated•9 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•