Closed Bug 1426207 Opened 8 years ago Closed 8 years ago

HTTPS page using HTTPS @font-face {src: url()} CSS shows "mixed content" warning after loading unrelated HTTP tab also using @font-face

Categories

(Core :: Layout, defect)

57 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1420680

People

(Reporter: mozilla, Unassigned)

References

Details

(Keywords: regressionwindow-wanted)

Attachments

(2 files)

Attached file https.html
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171130114045

Steps to reproduce:

* Serve the attached https.html page via HTTPS
* Serve the attached http.html page, and any *valid* TTF file named example.ttf in the same location, via HTTP
* In a fresh Firefox profile, open a new tab and open the web console
* Load https.html (via HTTPS)
* Note console messages
* Open a new tab and load http.html (via HTTP)
* Return to the first tab and reload
* Note console messages
* Close the second tab and reload the first tab
* Note console messages
* Clear the web console and reload the first tab
* Note console messages

Actual results:

* No mixed-content warning for the HTTPS page on first load
* The following warning for the HTTPS page every subsequent time after having loaded the HTTP page once:
  Blocked loading mixed active content "http://some-server/some/path/example.ttf" [Learn More] https.html

Expected results:

* No mixed-content warning at all for the (fully) HTTPS site

Notes:

* The HTTPS page's @font-face URL doesn't have to work (but bug still manifests regardless)
* The HTTP page's @font-face URL has to work and be a valid font
* Same problem with e.g. WOFF URLs/fonts
* Originally seen with a production full-HTTPS site using @font-face, and an arbitrary BBC news article
* Restarting the browser stops the error (until next load of the HTTP site)
* Also happens with both tabs in a private browsing window
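Added example (not part of the bug report or its attachments): a site owner who sees this warning can check whether the blocked font URL is actually referenced by the HTTPS page's own @font-face rules, which separates real mixed content from the spurious report described above. The function names, the result labels and the secure.example host are assumptions made for illustration.

```javascript
// Added example, not from the bug report. Regex-based extraction is an
// assumption that suits simple sheets (no CSS comments, no @import chasing).

// Resolve every url(...) inside @font-face blocks against the sheet's URL,
// so relative font paths inherit the scheme of the stylesheet.
function fontFaceUrls(cssText, sheetUrl) {
  const urls = [];
  for (const block of cssText.matchAll(/@font-face\s*\{([^}]*)\}/gi)) {
    const urlRe = /url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)/gi;
    for (const m of block[1].matchAll(urlRe)) {
      const raw = m[1] ?? m[2] ?? m[3];
      if (!raw) continue; // url() with no target
      try {
        urls.push(new URL(raw, sheetUrl).href);
      } catch {
        // unparsable URL: nothing the browser could fetch either
      }
    }
  }
  return urls;
}

// sheets: [{ url, css }] for every stylesheet the page loads (an inline
// <style> uses the page URL). blockedUrl: the URL quoted in the warning.
function triageFontWarning(pageUrl, sheets, blockedUrl) {
  if (new URL(pageUrl).protocol !== "https:") return "not-applicable";
  const insecure = sheets
    .flatMap((s) => fontFaceUrls(s.css, s.url))
    .filter((u) => new URL(u).protocol === "http:");
  if (insecure.includes(new URL(blockedUrl).href)) return "genuine";
  return insecure.length > 0 ? "other-mixed-content" : "spurious";
}

// Constructed sample input; host names are placeholders.
const PAGE = "https://secure.example/https.html";
const BLOCKED = "http://some-server/some/path/example.ttf"; // URL as quoted in the report
const cleanSheets = [
  { url: PAGE, css: '@font-face { font-family: "T"; src: url("fonts/t.ttf") format("truetype"); }' },
  { url: "https://secure.example/css/site.css", css: "@font-face { font-family: W; src: url(../fonts/w.woff); }" },
];
const mixedSheets = [
  { url: PAGE, css: `@font-face { font-family: M; src: url(${BLOCKED}); }` },
];

console.log(triageFontWarning(PAGE, cleanSheets, BLOCKED));
console.log(triageFontWarning(PAGE, mixedSheets, BLOCKED));
```

A "spurious" result for a page whose sheets are all listed matches the behaviour reported here: the warning names a font URL that the HTTPS page never requests.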
Attached file http.html
Component: Untriaged → DOM: Security
Product: Firefox → Core
Jonathan: any idea what's going on here? At first I was suspecting maybe caching issues, but the two pages aren't even referencing the same font! (Note, for the "http" page you'll have to load that on a local server. The "https" test page can be loaded from the bugzilla attachment.)
Flags: needinfo?(jfkthame)
Daniel: presumably you were able to reproduce this? If so can you flip this to confirmed?
Is this a new problem in Firefox 57, or does it occur with earlier versions as well? One change that landed for 57 that might conceivably be related would be bug 1384741; a bug in the patches there might result in some kind of confusion in reporting font-loading errors.
Flags: needinfo?(jfkthame) → needinfo?(mozilla)
Component: DOM: Security → Layout
I don't know if it's present in earlier versions.
Flags: needinfo?(mozilla)
I am also affected by this, got me freaking out and I spent an hour to get to the root of this issue. Firefox 57.0.3 on Ubuntu 64 bit. On https page it's enough to have this in CSS for it to happen: @font-face {
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
See Also: → 1420680