Closed Bug 1395638 Opened 8 years ago Closed 8 years ago

schema.org markup creates connection is not secure warning

Categories

(Firefox :: Site Identity, defect)

55 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: pcrackenhead, Unassigned)

Attachments

(3 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170824053838

Steps to reproduce:

Go to a page on HTTP which includes schema.org marked up as HTTPS. Example page on my website is: http://www.georgefox.edu/dev/contact/index.html

Actual results:

Connection is not secure message appears about logins to insecure site.

Expected results:

Since there is no login on this page, message should not show. Message does not show if the schema.org markup is removed, and the schema.org markup does validate.
Can you please try Safe Mode and attach a screenshot of the error message? https://support.mozilla.org/kb/troubleshoot-firefox-issues-using-safe-mode
Restarted in safe mode, still showing the insecure warning message. Attached a screenshot for you to see.
This is expected, and not related to the schema.org markup. The message is displayed on all non-HTTPS pages which are vulnerable to MITM attacks.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Component: Untriaged → Site Identity and Permission Panels
Resolution: --- → INVALID
Indeed this page doesn't have any sign-in form, but attackers can theoretically replace the Give Now button with a link to their own page to make money, or replace the contact list with bogus information to collect personal data, for example. Currently Firefox only shows the Not Secure message in the site identity panel, but will show a warning on the location bar in the future. Chrome and probably other browsers will do the same thing. Moving the site to HTTPS is the only solution to avoid such embarrassment. See also https://www.fxsitecompat.com/en-CA/docs/2015/insecure-http-will-be-deprecated/
If I remove the schema.org person markup from this page, however, the insecure content message disappears. So I'm not sure how it's not related to the markup. I can attach a screenshot of that, if you'd like. Also, this page on our site which includes the same form elements (and the same give now button), but not the schema.org person markup, doesn't show the insecure content message: http://www.georgefox.edu/dev/index.html
I should clarify, since I probably did a poor job of explaining myself. The message is still there if you open the info tab, but the page has a lock icon with a red slash through it on the contact page, but not on the homepage. I'll attach screenshots.