Open Bug 1405000 Opened 7 years ago Updated 2 years ago

Noscript tags containing HTTP link / resource on https pages trip the mixed content blocker even when JS is enabled and noscript content is unused

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Version:
57 Branch
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: firefox, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1]) 

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170919185010

Steps to reproduce:

Go to HTTPS page that has <noscript> tag with HTTP link / resource.

Firefox will break the SSL lock and complain about broken HTTPS. This should not happen, if Javascript is enabled, as <noscript> part is never run (used).


Actual results:

HTTPS lock broken (yellow)


Expected results:

HTTPS respected (green lock)
Version: 55 Branch → 57 Branch
Component: Untriaged → Security

Another bug that got a bit lost.

Component: Security → DOM: Security
Flags: needinfo?(ckerschb)
Product: Firefox → Core
Summary: HTTPS broken when noscript tags contain HTTP link / resource → Noscript tags containing HTTP link / resource on https pages trip the mixed content blocker even when JS is enabled and noscript content is unused

Yeah, that seems possible - has to go into the backlog though.

Blocks: MixedContentBlocker
Flags: needinfo?(ckerschb)
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.