Closed Bug 139730 Opened 22 years ago Closed 22 years ago

https page containing <iframe> incorrectly shows mixed security warning


(Core Graveyard :: Security: UI, defect, P1)

1.0 Branch
Windows 2000


(Not tracked)



(Reporter: xenite, Assigned: KaiE)


(Blocks 1 open bug, )


(Keywords: regression, Whiteboard: [Trunk Only])

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.9+)
BuildID:    20020423

When I go to the URL Mozilla warns me that I am
viewing a page with encrypted and unencrypted content and the lock symbol is red.

After copying the URL

into the navigation toolbar, Mozilla loads the page and the yellow lock symbol
indicates that no unencrypted content was loaded.

When I click the back-button to return to the lock
symbol stays yellow! Even if I reload the page (in a new Mozilla window) the
lock symbol is yellow.

Reproducible: Always
Steps to Reproduce:
1. Go to
2. Paste this URL into the navigation toolbar:
3. Use the back button to go back to the previous page.

Actual Results:  Mozilla no longer warns me that parts of the page at (maybe the file favicon.ico ?) were not transmitted

Expected Results:  The lock symbol should be red.
to PSM
Assignee: mstoltz → ssaux
Component: Security: General → Client Library
Ever confirmed: true
Product: Browser → PSM
QA Contact: bsharma → junruh
Version: other → 2.0
John, this should probably be duped. Kai's work on the lock icon fixed that.
build 2002041711 works on win2k.
> John, this should probably be duped. Kai's work on the lock icon fixed that.
> build 2002041711 works on win2k.

Well, Steffen says, he is seeing the problem with build 20020423.
I can reproduce this bug with a trunk based build on Linux.

I can not reproduce this bug on a 1.0.0 branch based build.

Therefore this bugs looks like a new regression on the trunk.

Some first trace results:

On our initial attempt to extract the security state, by obtaining security info
from the channel and QIing it to nsITransportSecurityInfo, we fail.

The current implementation assumes, if we are using security, this will succeed,
and will not try again later - causing the insecure lock icon to appear.

This bug seems to only occur with pages having an <iframe>.
I uploaded a simpler test case showing the problem at

But note, I do not agree with the initially changed expected behaviour.

It is a bug that the red icon is shown, because all content gets transfered securly.

Actual behaviour: Mixed security icon is shown and mixed security warning is shown.

Expected behaviour: The "good" lock icon should be shown all the time.
Assignee: ssaux → kaie
Summary: Detection of page with encrypted/unencrypted mix unreliable → https page containing <iframe> incorrectly shows mixed security warning
Keywords: nsbeta1+, regression
Priority: -- → P1
Whiteboard: [adt1]
Target Milestone: --- → 2.3
Removing nsbeta1+/adt2, as this is not seen on the branch.
Keywords: nsbeta1+
Whiteboard: [adt1] → [Trunk Only]
This appears to be working now with this build: Mozilla/5.0 (Windows; U; Windows 
NT 5.0; en-US; rv:1.0rc2) Gecko/20020510
John, I believe what you tested is a branch build (1.0.0 rc2). The problem is
seen on the trunk only, I still see it.
I can no longer reproduce using a current trunk build.
Blocks: lockicon
Closed: 22 years ago
Resolution: --- → WORKSFORME
Verified works for me with the 7/17 Win32 trunk.
Keywords: nsbeta1
Product: PSM → Core
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.