Open
Bug 1405000
Opened 7 years ago
Updated 2 years ago
Noscript tags containing HTTP link / resource on https pages trip the mixed content blocker even when JS is enabled and noscript content is unused
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
UNCONFIRMED
People
(Reporter: firefox, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1])
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170919185010
Steps to reproduce:
Go to an HTTPS page that has a <noscript> tag with an HTTP link / resource. Firefox will break the SSL lock and complain about broken HTTPS. This should not happen if JavaScript is enabled, as the <noscript> part is never run (used).
Actual results:
HTTPS lock broken (yellow)
Expected results:
HTTPS respected (green lock)
Comment 1•4 years ago
Another bug that got a bit lost.
Component: Security → DOM: Security
Flags: needinfo?(ckerschb)
Product: Firefox → Core
Summary: HTTPS broken when noscript tags contain HTTP link / resource → Noscript tags containing HTTP link / resource on https pages trip the mixed content blocker even when JS is enabled and noscript content is unused
Comment 2•4 years ago
Yeah, that seems possible - has to go into the backlog though.
Blocks: MixedContentBlocker
Flags: needinfo?(ckerschb)
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Updated•2 years ago
Severity: normal → S3
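For site owners who want to find markup matching the report above, this added example (not part of the bug report or of Firefox's code) lists http:// URLs referenced inside <noscript> on an HTTPS page. The attribute list, the names NoscriptAudit and audit, and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that can carry a URL (assumed list for this example, not exhaustive).
URL_ATTRS = {"src", "href", "poster", "data", "action"}

class NoscriptAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.depth = 0        # > 0 while inside a <noscript> element
        self.findings = []    # (line, tag, attribute, URL)

    def handle_starttag(self, tag, attrs):
        if tag == "noscript":
            self.depth += 1
        elif self.depth:
            for name, value in attrs:
                if name in URL_ATTRS and value:
                    # Resolve relative and scheme-relative URLs against the page.
                    absolute = urljoin(self.page_url, value.strip())
                    if urlsplit(absolute).scheme == "http":
                        self.findings.append((self.getpos()[0], tag, name, absolute))

    def handle_endtag(self, tag):
        if tag == "noscript" and self.depth:
            self.depth -= 1

def audit(page_url, html):
    """Return http:// references inside <noscript>; empty for non-HTTPS pages."""
    if urlsplit(page_url).scheme != "https":
        return []
    parser = NoscriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from the bug report.
SAMPLE = """<html><body>
<img src="https://cdn.example.test/logo.png">
<noscript>
  <img src="http://stats.example.test/pixel.gif">
  <img src="//cdn.example.test/fallback.png">
</noscript>
<img src="http://outside.example.test/not-in-noscript.png">
</body></html>"""

if __name__ == "__main__":
    print(*audit("https://www.example.test/", SAMPLE), sep="\n")
```

Only the first image inside <noscript> is reported: the scheme-relative URL resolves to https, and the http:// image outside <noscript> is out of scope for this check.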